
Commit 061c2a7

committed
Java: tests for android database flow steps
1 parent a13e845 commit 061c2a7

3 files changed

Lines changed: 259 additions & 0 deletions


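--- a/FlowSteps.java
+++ b/FlowSteps.java
@@ -0,0 +1,181 @@
+import java.util.Map;
+import java.util.Set;
+
+import android.content.ContentProvider;
+import android.content.ContentResolver;
+import android.database.Cursor;
+import android.database.DatabaseUtils;
+import android.database.sqlite.SQLiteQueryBuilder;
+import android.net.Uri;
+import android.os.CancellationSignal;
+
+public class FlowSteps {
+public static <T> T taint() {
+return null;
+}
+
+private static abstract class MyContentProvider extends ContentProvider {
+// Dummy class to test for sub classes
+}
+
+private static abstract class MyContentResolver extends ContentResolver {
+// Dummy class to test for sub classes
+}
+
+private static abstract class MySQLiteQueryBuilder extends SQLiteQueryBuilder {
+// Dummy class to test for sub classes
+}
+
+public static String[] appendSelectionArgs() {
+String[] originalValues = taint();
+String[] newValues = taint();
+return DatabaseUtils.appendSelectionArgs(originalValues, newValues);
+}
+
+public static String concatenateWhere() {
+String a = taint();
+String b = taint();
+return DatabaseUtils.concatenateWhere(a, b);
+}
+
+public static String buildQueryString(MySQLiteQueryBuilder target) {
+target = taint();
+boolean distinct = taint();
+String tables = taint();
+String[] columns = taint();
+String where = taint();
+String groupBy = taint();
+String having = taint();
+String orderBy = taint();
+String limit = taint();
+return SQLiteQueryBuilder.buildQueryString(distinct, tables, columns, where, groupBy, having, orderBy, limit);
+}
+
+public static String buildQuery(MySQLiteQueryBuilder target) {
+target = taint();
+String[] projectionIn = taint();
+String selection = taint();
+String groupBy = taint();
+String having = taint();
+String sortOrder = taint();
+String limit = taint();
+return target.buildQuery(projectionIn, selection, groupBy, having, sortOrder, limit);
+}
+
+public static String buildQuery2(MySQLiteQueryBuilder target) {
+target = taint();
+String[] projectionIn = taint();
+String selection = taint();
+String[] selectionArgs = taint();
+String groupBy = taint();
+String having = taint();
+String sortOrder = taint();
+String limit = taint();
+return target.buildQuery(projectionIn, selection, selectionArgs, groupBy, having, sortOrder, limit);
+}
+
+public static String buildUnionQuery(MySQLiteQueryBuilder target) {
+target = taint();
+String[] subQueries = taint();
+String sortOrder = taint();
+String limit = taint();
+return target.buildUnionQuery(subQueries, sortOrder, limit);
+}
+
+public static String buildUnionSubQuery2(MySQLiteQueryBuilder target) {
+target = taint();
+String typeDiscriminatorColumn = taint();
+String[] unionColumns = taint();
+Set<String> columnsPresentInTable = taint();
+int computedColumnsOffset = taint();
+String typeDiscriminatorValue = taint();
+String selection = taint();
+String[] selectionArgs = taint();
+String groupBy = taint();
+String having = taint();
+return target.buildUnionSubQuery(typeDiscriminatorColumn, unionColumns, columnsPresentInTable,
+computedColumnsOffset, typeDiscriminatorValue, selection, selectionArgs, groupBy, having);
+}
+
+public static void buildUnionSubQuery3(MySQLiteQueryBuilder target) {
+target = taint();
+String typeDiscriminatorColumn = taint();
+String[] unionColumns = taint();
+Set<String> columnsPresentInTable = taint();
+int computedColumnsOffset = taint();
+String typeDiscriminatorValue = taint();
+String selection = taint();
+String groupBy = taint();
+String having = taint();
+target.buildUnionSubQuery(typeDiscriminatorColumn, unionColumns, columnsPresentInTable, computedColumnsOffset,
+typeDiscriminatorValue, selection, groupBy, having);
+}
+
+public static Cursor query(MyContentResolver target) {
+Uri uri = taint();
+String[] projection = taint();
+String selection = taint();
+String[] selectionArgs = taint();
+String sortOrder = taint();
+CancellationSignal cancellationSignal = taint();
+return target.query(uri, projection, selection, selectionArgs, sortOrder, cancellationSignal);
+}
+
+public static Cursor query(MyContentProvider target) {
+Uri uri = taint();
+String[] projection = taint();
+String selection = taint();
+String[] selectionArgs = taint();
+String sortOrder = taint();
+CancellationSignal cancellationSignal = taint();
+return target.query(uri, projection, selection, selectionArgs, sortOrder, cancellationSignal);
+}
+
+public static Cursor query2(MyContentResolver target) {
+Uri uri = taint();
+String[] projection = taint();
+String selection = taint();
+String[] selectionArgs = taint();
+String sortOrder = taint();
+return target.query(uri, projection, selection, selectionArgs, sortOrder);
+}
+
+public static Cursor query2(MyContentProvider target) {
+Uri uri = taint();
+String[] projection = taint();
+String selection = taint();
+String[] selectionArgs = taint();
+String sortOrder = taint();
+return target.query(uri, projection, selection, selectionArgs, sortOrder);
+}
+
+public static void appendColumns() {
+StringBuilder s = taint();
+String[] columns = taint();
+SQLiteQueryBuilder.appendColumns(s, columns);
+}
+
+public static void setProjectionMap(MySQLiteQueryBuilder target) {
+target = taint();
+Map<String, String> columnMap = taint();
+target.setProjectionMap(columnMap);
+}
+
+public static void setTables(MySQLiteQueryBuilder target) {
+target = taint();
+String inTables = taint();
+target.setTables(inTables);
+}
+
+public static void appendWhere(MySQLiteQueryBuilder target) {
+target = taint();
+CharSequence inWhere = taint();
+target.appendWhere(inWhere);
+}
+
+public static void appendWhereStandalone(MySQLiteQueryBuilder target) {
+target = taint();
+CharSequence inWhere = taint();
+target.appendWhereStandalone(inWhere);
+}
+}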
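Review bot: In `buildQueryString` the parameter `target` and the assignment `target = taint();` are dead, because the call that follows is the static `SQLiteQueryBuilder.buildQueryString(...)`. Dropping both, as `appendColumns()` already does for its static call, would stop the fixture from implying a qualifier flow that the expected results do not list. The four `query`/`query2` overloads go the other way and never taint `target`, so only argument flow is exercised there; if that is deliberate, a one-line comment such as `// only argument-to-result steps are expected for query(...)` would record it. `boolean distinct = taint();` and `int computedColumnsOffset = taint();` would unbox null if the class were ever executed, so a class-level comment saying this file is an analysis-only fixture and that `taint()` is the source marker matched by name in the query would help the next reader.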
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
| FlowSteps.java:32:44:32:57 | originalValues | FlowSteps.java:32:10:32:69 | appendSelectionArgs(...) |
2+
| FlowSteps.java:32:60:32:68 | newValues | FlowSteps.java:32:10:32:69 | appendSelectionArgs(...) |
3+
| FlowSteps.java:38:41:38:41 | a | FlowSteps.java:38:10:38:45 | concatenateWhere(...) |
4+
| FlowSteps.java:38:44:38:44 | b | FlowSteps.java:38:10:38:45 | concatenateWhere(...) |
5+
| FlowSteps.java:51:56:51:61 | tables | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
6+
| FlowSteps.java:51:64:51:70 | columns | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
7+
| FlowSteps.java:51:73:51:77 | where | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
8+
| FlowSteps.java:51:80:51:86 | groupBy | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
9+
| FlowSteps.java:51:89:51:94 | having | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
10+
| FlowSteps.java:51:97:51:103 | orderBy | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
11+
| FlowSteps.java:51:106:51:110 | limit | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
12+
| FlowSteps.java:62:10:62:15 | target | FlowSteps.java:62:10:62:86 | buildQuery(...) |
13+
| FlowSteps.java:62:28:62:39 | projectionIn | FlowSteps.java:62:10:62:86 | buildQuery(...) |
14+
| FlowSteps.java:62:42:62:50 | selection | FlowSteps.java:62:10:62:86 | buildQuery(...) |
15+
| FlowSteps.java:62:53:62:59 | groupBy | FlowSteps.java:62:10:62:86 | buildQuery(...) |
16+
| FlowSteps.java:62:62:62:67 | having | FlowSteps.java:62:10:62:86 | buildQuery(...) |
17+
| FlowSteps.java:62:70:62:78 | sortOrder | FlowSteps.java:62:10:62:86 | buildQuery(...) |
18+
| FlowSteps.java:62:81:62:85 | limit | FlowSteps.java:62:10:62:86 | buildQuery(...) |
19+
| FlowSteps.java:74:10:74:15 | target | FlowSteps.java:74:10:74:101 | buildQuery(...) |
20+
| FlowSteps.java:74:28:74:39 | projectionIn | FlowSteps.java:74:10:74:101 | buildQuery(...) |
21+
| FlowSteps.java:74:42:74:50 | selection | FlowSteps.java:74:10:74:101 | buildQuery(...) |
22+
| FlowSteps.java:74:53:74:65 | selectionArgs | FlowSteps.java:74:10:74:101 | buildQuery(...) |
23+
| FlowSteps.java:74:68:74:74 | groupBy | FlowSteps.java:74:10:74:101 | buildQuery(...) |
24+
| FlowSteps.java:74:77:74:82 | having | FlowSteps.java:74:10:74:101 | buildQuery(...) |
25+
| FlowSteps.java:74:85:74:93 | sortOrder | FlowSteps.java:74:10:74:101 | buildQuery(...) |
26+
| FlowSteps.java:74:96:74:100 | limit | FlowSteps.java:74:10:74:101 | buildQuery(...) |
27+
| FlowSteps.java:82:10:82:15 | target | FlowSteps.java:82:10:82:61 | buildUnionQuery(...) |
28+
| FlowSteps.java:82:33:82:42 | subQueries | FlowSteps.java:82:10:82:61 | buildUnionQuery(...) |
29+
| FlowSteps.java:82:45:82:53 | sortOrder | FlowSteps.java:82:10:82:61 | buildUnionQuery(...) |
30+
| FlowSteps.java:82:56:82:60 | limit | FlowSteps.java:82:10:82:61 | buildUnionQuery(...) |
31+
| FlowSteps.java:96:10:96:15 | target | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
32+
| FlowSteps.java:96:36:96:58 | typeDiscriminatorColumn | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
33+
| FlowSteps.java:96:61:96:72 | unionColumns | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
34+
| FlowSteps.java:96:75:96:95 | columnsPresentInTable | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
35+
| FlowSteps.java:97:28:97:49 | typeDiscriminatorValue | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
36+
| FlowSteps.java:97:52:97:60 | selection | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
37+
| FlowSteps.java:97:63:97:75 | selectionArgs | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
38+
| FlowSteps.java:97:78:97:84 | groupBy | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
39+
| FlowSteps.java:97:87:97:92 | having | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
40+
| FlowSteps.java:110:3:110:8 | target | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
41+
| FlowSteps.java:110:29:110:51 | typeDiscriminatorColumn | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
42+
| FlowSteps.java:110:54:110:65 | unionColumns | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
43+
| FlowSteps.java:110:68:110:88 | columnsPresentInTable | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
44+
| FlowSteps.java:111:5:111:26 | typeDiscriminatorValue | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
45+
| FlowSteps.java:111:29:111:37 | selection | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
46+
| FlowSteps.java:111:40:111:46 | groupBy | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
47+
| FlowSteps.java:111:49:111:54 | having | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
48+
| FlowSteps.java:121:23:121:25 | uri | FlowSteps.java:121:10:121:95 | query(...) |
49+
| FlowSteps.java:131:23:131:25 | uri | FlowSteps.java:131:10:131:95 | query(...) |
50+
| FlowSteps.java:140:23:140:25 | uri | FlowSteps.java:140:10:140:75 | query(...) |
51+
| FlowSteps.java:149:23:149:25 | uri | FlowSteps.java:149:10:149:75 | query(...) |
52+
| FlowSteps.java:155:39:155:45 | columns | FlowSteps.java:155:36:155:36 | s [post update] |
53+
| FlowSteps.java:161:27:161:35 | columnMap | FlowSteps.java:161:3:161:8 | target [post update] |
54+
| FlowSteps.java:167:20:167:27 | inTables | FlowSteps.java:167:3:167:8 | target [post update] |
55+
| FlowSteps.java:173:22:173:28 | inWhere | FlowSteps.java:173:3:173:8 | target [post update] |
56+
| FlowSteps.java:179:32:179:38 | inWhere | FlowSteps.java:179:3:179:8 | target [post update] |
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
import semmle.code.java.dataflow.DataFlow
2+
import semmle.code.java.dataflow.TaintTracking
3+
import semmle.code.java.dataflow.FlowSources
4+
import semmle.code.java.security.QueryInjection
5+
6+
class Conf extends TaintTracking::Configuration {
7+
Conf() { this = "qltest:dataflow:android::flow" }
8+
9+
override predicate isSource(DataFlow::Node source) {
10+
exists(VarAccess va, MethodAccess ma |
11+
source.asExpr() = va and
12+
va.getVariable().getAnAssignedValue() = ma and
13+
ma.getMethod().hasName("taint")
14+
)
15+
}
16+
17+
override predicate isSink(DataFlow::Node sink) { not isSource(sink) }
18+
}
19+
20+
from DataFlow::Node source, DataFlow::Node sink, Conf config
21+
where config.hasFlow(source, sink) and sink.getLocation().getFile().getBaseName() = "FlowSteps.java"
22+
select source, sink
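Review bot: `isSource` accepts a call to any method named `taint` through `ma.getMethod().hasName("taint")`, while only the sink side is limited to the fixture by the `where` clause. Tying the source to the fixture too, for example `ma.getMethod().getDeclaringType().hasName("FlowSteps")`, would keep stub or library code that happens to define a `taint` method out of the result set. Nothing from `FlowSources` or `QueryInjection` is referenced by name in the visible query. If `QueryInjection` is imported only to bring the flow steps under test into scope (this looks likely but is not shown here), a comment such as `// imported for the additional taint steps it registers; not referenced by name` would stop someone from removing it as unused, and `FlowSources` can be dropped if it is not needed. A short header comment noting that `isSink` deliberately treats every non-source node as a sink so that each single step is reported would also help.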
