hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add support for Slices

Browse Source
This commit is contained in:
Tony Torralba
2021-10-04 13:20:52 +02:00
parent d43242d09e
commit e58a8587db
3 changed files with 104 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
View File

@@ -2,10 +2,8 @@
import java
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.frameworks.android.Intent
private class PendingIntentModels extends SinkModelCsv {
private class PendingIntentCreationModels extends SinkModelCsv {
override predicate row(string row) {
row =
[
@@ -17,6 +15,16 @@ private class PendingIntentModels extends SinkModelCsv {
}
}
private class PendingIntentSentSinkModels extends SinkModelCsv {
override predicate row(string row) {
row =
[
"androidx.slice;SliceProvider;true;onBindSlice;;;ReturnValue;pending-intent-sent",
"androidx.slice;SliceProvider;true;onCreatePermissionRequest;;;ReturnValue;pending-intent-sent"
]
}
}
// TODO: Remove when https://github.com/github/codeql/pull/6397 gets merged
private class DefaultIntentRedirectionSinkModel extends SinkModelCsv {
override predicate row(string row) {

26
java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
View File

@@ -17,16 +17,7 @@ class ImplicitPendingIntentStartConf extends TaintTracking::Configuration {
source.asExpr() instanceof ImplicitPendingIntentCreation
}
override predicate isSink(DataFlow::Node sink) {
sink instanceof IntentStartSink and
// startService can't actually start implicit intents since API 21
not exists(MethodAccess ma, Method m |
ma.getMethod() = m and
m.getDeclaringType().getASupertype*() instanceof TypeContext and
m.hasName("startService") and
sink.asExpr() = ma.getArgument(0)
)
}
override predicate isSink(DataFlow::Node sink) { sink instanceof SendPendingIntent }
override predicate isSanitizer(DataFlow::Node sanitizer) {
sanitizer instanceof ExplicitIntentSanitizer
@@ -49,8 +40,19 @@ private class ImplicitPendingIntentCreation extends Expr {
}
}
private class IntentStartSink extends DataFlow::Node {
IntentStartSink() { sinkNode(this, "intent-start") }
private class SendPendingIntent extends DataFlow::Node {
SendPendingIntent() {
sinkNode(this, "intent-start") and
// startService can't actually start implicit intents since API 21
not exists(MethodAccess ma, Method m |
ma.getMethod() = m and
m.getDeclaringType().getASupertype*() instanceof TypeContext and
m.hasName("startService") and
this.asExpr() = ma.getArgument(0)
)
or
sinkNode(this, "pending-intent-sent")
}
}
private class ImplicitPendingIntentConf extends DataFlow2::Configuration {

79
java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java
View File

@@ -1,9 +1,21 @@
package com.example.test;
import java.io.FileNotFoundException;
import android.app.Activity;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.content.res.AssetFileDescriptor;
import android.net.Uri;
import android.os.Bundle;
import android.os.CancellationSignal;
import android.os.RemoteException;
import androidx.core.graphics.drawable.IconCompat;
import androidx.slice.Slice;
import androidx.slice.SliceProvider;
import androidx.slice.builders.ListBuilder;
import androidx.slice.builders.SliceAction;
import androidx.slice.core.SliceHints.ImageMode;
public class ImplicitPendingIntentsTest {
@@ -75,4 +87,71 @@ public class ImplicitPendingIntentsTest {
}
}
static class TestSliceProvider extends SliceProvider {
@Override
public Slice onBindSlice(Uri sliceUri) {
if (sliceUri.getAuthority().equals("1")) {
Intent baseIntent = new Intent();
PendingIntent pi = PendingIntent.getActivity(getContext(), 0, baseIntent, 0);
SliceAction activityAction = SliceAction.createDeeplink(pi, null, 0, "Test");
ListBuilder listBuilder = new ListBuilder(getContext(), sliceUri, null);
listBuilder.addRow(new ListBuilder.RowBuilder().setTitle("Title")
.setPrimaryAction(activityAction));
return listBuilder.build(); // $hasTaintFlow
} else if (sliceUri.getAuthority().equals("2")) {
Intent baseIntent = new Intent(getContext(), Activity.class); // Sanitizer
PendingIntent pi = PendingIntent.getActivity(getContext(), 0, baseIntent, 0);
SliceAction activityAction = SliceAction.createDeeplink(pi, null, 0, "Test");
ListBuilder listBuilder = new ListBuilder(getContext(), sliceUri, null);
listBuilder.addRow(new ListBuilder.RowBuilder().setTitle("Title")
.setPrimaryAction(activityAction));
return listBuilder.build(); // Safe
} else {
Intent baseIntent = new Intent();
PendingIntent pi = PendingIntent.getActivity(getContext(), 0, baseIntent,
PendingIntent.FLAG_IMMUTABLE); // Sanitizer
SliceAction activityAction = SliceAction.createDeeplink(pi, null, 0, "Test");
ListBuilder listBuilder = new ListBuilder(getContext(), sliceUri, null);
listBuilder.addRow(new ListBuilder.RowBuilder().setTitle("Title")
.setPrimaryAction(activityAction));
return listBuilder.build(); // Safe
}
}
@Override
public PendingIntent onCreatePermissionRequest(Uri sliceUri, String callingPackage) {
if (sliceUri.getAuthority().equals("1")) {
Intent baseIntent = new Intent();
PendingIntent pi = PendingIntent.getActivity(getContext(), 0, baseIntent, 0);
return pi; // $hasTaintFlow
} else {
Intent baseIntent = new Intent();
PendingIntent pi = PendingIntent.getActivity(getContext(), 0, baseIntent,
PendingIntent.FLAG_IMMUTABLE); // Sanitizer
return pi; // Safe
}
}
// Implementations needed for compilation
@Override
public boolean onCreateSliceProvider() {
return true;
}
@Override
public AssetFileDescriptor openTypedAssetFile(Uri uri, String mimeTypeFilter, Bundle opts,
CancellationSignal signal) throws RemoteException, FileNotFoundException {
return null;
}
@Override
public Bundle call(String authority, String method, String arg, Bundle extras)
throws RemoteException {
return null;
}
}
}