Merge pull request #6724 from atorralba/atorralba/android-contentprovider-sources

Java: Add sources for content providers in Android

java/ql/lib/semmle/code/java/dataflow/FlowSources.qll

@@ -247,3 +247,20 @@ class ExportedAndroidIntentInput extends RemoteFlowSource, AndroidIntentInput {
 
   override string getSourceType() { result = "Exported Android intent source" }
 }
+
+/** A parameter of an entry-point method declared in a `ContentProvider` class. */
+class AndroidContentProviderInput extends DataFlow::Node {
+  AndroidContentProvider declaringType;
+
+  AndroidContentProviderInput() {
+    sourceNode(this, "contentprovider") and
+    this.getEnclosingCallable().getDeclaringType() = declaringType
+  }
+}
+
+/** A parameter of an entry-point method declared in an exported `ContentProvider` class. */
+class ExportedAndroidContentProviderInput extends RemoteFlowSource, AndroidContentProviderInput {
+  ExportedAndroidContentProviderInput() { declaringType.isExported() }
+
+  override string getSourceType() { result = "Exported Android content provider source" }
+}

java/ql/lib/semmle/code/java/frameworks/android/Android.qll

@@ -72,6 +72,14 @@ class AndroidContentProvider extends ExportableAndroidComponent {
   AndroidContentProvider() {
     this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
   }
+
+  /**
+   * Holds if this content provider requires read and write permissions
+   * in an `AndroidManifest.xml` file.
+   */
+  predicate requiresPermissions() {
+    getAndroidComponentXmlElement().(AndroidProviderXmlElement).requiresPermissions()
+  }
 }
 
 /** An Android content resolver. */
@@ -148,3 +156,39 @@ private class UriModel extends SummaryModelCsv {
       ]
   }
 }
+
+private class ContentProviderSourceModels extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // ContentInterface models are here for backwards compatibility (it was removed in API 28)
+        "android.content;ContentInterface;true;call;(String,String,String,Bundle);;Parameter[0..3];contentprovider",
+        "android.content;ContentProvider;true;call;(String,String,String,Bundle);;Parameter[0..3];contentprovider",
+        "android.content;ContentProvider;true;call;(String,String,Bundle);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;delete;(Uri,String,String[]);;Parameter[0..2];contentprovider",
+        "android.content;ContentInterface;true;delete;(Uri,Bundle);;Parameter[0..1];contentprovider",
+        "android.content;ContentProvider;true;delete;(Uri,Bundle);;Parameter[0..1];contentprovider",
+        "android.content;ContentInterface;true;getType;(Uri);;Parameter[0];contentprovider",
+        "android.content;ContentProvider;true;getType;(Uri);;Parameter[0];contentprovider",
+        "android.content;ContentInterface;true;insert;(Uri,ContentValues,Bundle);;Parameter[0];contentprovider",
+        "android.content;ContentProvider;true;insert;(Uri,ContentValues,Bundle);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;insert;(Uri,ContentValues);;Parameter[0..1];contentprovider",
+        "android.content;ContentInterface;true;openAssetFile;(Uri,String,CancellationSignal);;Parameter[0];contentprovider",
+        "android.content;ContentProvider;true;openAssetFile;(Uri,String,CancellationSignal);;Parameter[0];contentprovider",
+        "android.content;ContentProvider;true;openAssetFile;(Uri,String);;Parameter[0];contentprovider",
+        "android.content;ContentInterface;true;openTypedAssetFile;(Uri,String,Bundle,CancellationSignal);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;openTypedAssetFile;(Uri,String,Bundle,CancellationSignal);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;openTypedAssetFile;(Uri,String,Bundle);;Parameter[0..2];contentprovider",
+        "android.content;ContentInterface;true;openFile;(Uri,String,CancellationSignal);;Parameter[0];contentprovider",
+        "android.content;ContentProvider;true;openFile;(Uri,String,CancellationSignal);;Parameter[0];contentprovider",
+        "android.content;ContentProvider;true;openFile;(Uri,String);;Parameter[0];contentprovider",
+        "android.content;ContentInterface;true;query;(Uri,String[],Bundle,CancellationSignal);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;query;(Uri,String[],Bundle,CancellationSignal);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;query;(Uri,String[],String,String[],String);;Parameter[0..4];contentprovider",
+        "android.content;ContentProvider;true;query;(Uri,String[],String,String[],String,CancellationSignal);;Parameter[0..4];contentprovider",
+        "android.content;ContentInterface;true;update;(Uri,ContentValues,Bundle);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;update;(Uri,ContentValues,Bundle);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;update;(Uri,ContentValues,String,String[]);;Parameter[0..3];contentprovider"
+      ]
+  }
+}

java/ql/lib/semmle/code/xml/AndroidManifest.qll

@@ -79,6 +79,47 @@ class AndroidReceiverXmlElement extends AndroidComponentXmlElement {
  */
 class AndroidProviderXmlElement extends AndroidComponentXmlElement {
   AndroidProviderXmlElement() { this.getName() = "provider" }
+
+  /**
+   * Holds if this provider element has explicitly set a value for either its
+   * `android:permission` attribute or its `android:readPermission` and `android:writePermission`
+   * attributes.
+   */
+  predicate requiresPermissions() {
+    this.getAnAttribute().(AndroidPermissionXmlAttribute).isFull()
+    or
+    this.getAnAttribute().(AndroidPermissionXmlAttribute).isWrite() and
+    this.getAnAttribute().(AndroidPermissionXmlAttribute).isRead()
+  }
+}
+
+/**
+ * The attribute `android:perrmission`, `android:readPermission`, or `android:writePermission`.
+ */
+class AndroidPermissionXmlAttribute extends XMLAttribute {
+  AndroidPermissionXmlAttribute() {
+    this.getNamespace().getPrefix() = "android" and
+    this.getName() = ["permission", "readPermission", "writePermission"]
+  }
+
+  /** Holds if this is an `android:permission` attribute. */
+  predicate isFull() { this.getName() = "permission" }
+
+  /** Holds if this is an `android:readPermission` attribute. */
+  predicate isRead() { this.getName() = "readPermission" }
+
+  /** Holds if this is an `android:writePermission` attribute. */
+  predicate isWrite() { this.getName() = "writePermission" }
+}
+
+/**
+ * The `<path-permission`> element of a `<provider>` in an Android manifest file.
+ */
+class AndroidPathPermissionXmlElement extends XMLElement {
+  AndroidPathPermissionXmlElement() {
+    this.getParent() instanceof AndroidProviderXmlElement and
+    this.hasName("path-permission")
+  }
 }
 
 /**