
Commit 449fb24

committed
Java: android add taint and SQL sink for ContentProvider/Resolver
1 parent efd5b6f commit 449fb24

3 files changed

Lines changed: 30 additions & 4 deletions


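--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -592,6 +592,15 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
 arg = [0 .. method.getNumberOfParameters()] and
 arg != 3
 )
+or
+(
+method.getDeclaringType() instanceof AndroidContentProvider or
+method.getDeclaringType() instanceof AndroidContentResolver
+) and
+// Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
+// Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
+method.hasName("query") and
+arg = 0
 }
 
 /**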
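Review bot: The new taint step matches any method named `query` declared on a ContentProvider or ContentResolver subtype, because the added disjunct has no arity constraint even though its two comments name only the five- and six-parameter overloads. The sink class in SQLite.qll restricts the same methods with `this.getNumberOfParameters() = [5, 6]`; adding `method.getNumberOfParameters() = [5, 6] and` before `arg = 0` would keep the step and the sink in agreement and avoid propagating taint through unrelated app-defined `query` overloads. A one-line comment on intent would also help, for example `// presumably: the Uri argument taints the returned Cursor`. The predicate body starts above the hunk, so how this disjunct groups with the earlier ones should be checked against the full file.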

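--- a/java/ql/src/semmle/code/java/frameworks/android/Android.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/Android.qll
@@ -14,7 +14,8 @@ class AndroidComponent extends Class {
 this.getASupertype*().hasQualifiedName("android.app", "Activity") or
 this.getASupertype*().hasQualifiedName("android.app", "Service") or
 this.getASupertype*().hasQualifiedName("android.content", "BroadcastReceiver") or
-this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
+this.getASupertype*().hasQualifiedName("android.content", "ContentProvider") or
+this.getASupertype*().hasQualifiedName("android.content", "ContentResolver")
 }
 
 /** The XML element corresponding to this Android component. */
@@ -52,3 +53,10 @@ class AndroidContentProvider extends AndroidComponent {
 this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
 }
 }
+
+/** An Android content resolver. */
+class AndroidContentResolver extends AndroidComponent {
+AndroidContentResolver() {
+this.getASupertype*().hasQualifiedName("android.content", "ContentResolver")
+}
+}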
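Review bot: Adding `ContentResolver` to the `AndroidComponent` characteristic predicate (new line 18) widens a class that, per the visible doc comment, has a corresponding XML element. A content resolver is not declared in the manifest, so member predicates and queries built on `AndroidComponent` would now also range over resolver types. If the goal is only to name the type for the taint step and the SQL sinks, `class AndroidContentResolver extends Class {` with the same characteristic predicate would achieve that, and the added `or ... "ContentResolver"` line in `AndroidComponent` could be dropped. The rest of `AndroidComponent` lies outside the hunk, so the effect on its other members is inferred rather than shown.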

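--- a/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
@@ -187,7 +187,10 @@ private class QueryBuilderUpdateMethod extends SQLiteRunner {
 private class ContentProviderDeleteMethod extends SQLiteRunner {
 ContentProviderDeleteMethod() {
 // delete(Uri uri, String selection, String[] selectionArgs)
-this.getDeclaringType() instanceof AndroidContentProvider and
+(
+this.getDeclaringType() instanceof AndroidContentProvider or
+this.getDeclaringType() instanceof AndroidContentResolver
+) and
 this.hasName("delete") and
 this.getNumberOfParameters() = 3
 }
@@ -199,7 +202,10 @@ private class ContentProviderQueryMethod extends SQLiteRunner {
 ContentProviderQueryMethod() {
 // query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
 // query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
-this.getDeclaringType() instanceof AndroidContentProvider and
+(
+this.getDeclaringType() instanceof AndroidContentProvider or
+this.getDeclaringType() instanceof AndroidContentResolver
+) and
 this.hasName("query") and
 this.getNumberOfParameters() = [5, 6]
 }
@@ -210,7 +216,10 @@ private class ContentProviderQueryMethod extends SQLiteRunner {
 private class ContentProviderUpdateMethod extends SQLiteRunner {
 ContentProviderUpdateMethod() {
 // update(Uri uri, ContentValues values, String selection, String[] selectionArgs)
-this.getDeclaringType() instanceof AndroidContentProvider and
+(
+this.getDeclaringType() instanceof AndroidContentProvider or
+this.getDeclaringType() instanceof AndroidContentResolver
+) and
 this.hasName("update") and
 this.getNumberOfParameters() = 4
 }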
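Review bot: The classes `ContentProviderDeleteMethod`, `ContentProviderQueryMethod` and `ContentProviderUpdateMethod` now also match ContentResolver methods, but their names and the signature comments in all three constructors still describe the provider only. A comment such as `// also matches the same-named ContentResolver method, which takes the same selection argument` in each constructor would make the wider scope visible to the next reader. The identical `AndroidContentProvider or AndroidContentResolver` test is repeated in all three hunks and again in TaintTrackingUtil.qll, so a single shared class for "provider or resolver type" would keep the four sites from drifting apart. The arity filters `= 3`, `= [5, 6]` and `= 4` are unchanged, so any overload with a different parameter count, for example one taking a `Bundle` of query arguments, stays outside the sink set; whether that is intended is not visible from these hunks.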
