Java: Convert android XML get* methods to CSV based flow source

tamasvajk · tamasvajk · commit 8ba820cae1ae · 2021-03-09T11:42:13.000+01:00
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -139,7 +139,30 @@ private predicate sourceModelCsv(string row) {
       "javax.servlet.http;Cookie;false;getComment;();;ReturnValue;remote",
       // ApacheHttp*
       "org.apache.http;HttpMessage;false;getParams;();;ReturnValue;remote",
-      "org.apache.http;HttpEntity;false;getContent;();;ReturnValue;remote"
+      "org.apache.http;HttpEntity;false;getContent;();;ReturnValue;remote",
+      // In the setting of Android we assume that XML has been transmitted over
+      // the network, so may be tainted.
+      // XmlPullGetMethod
+      "org.xmlpull.v1;XmlPullParser;false;getName;();;ReturnValue;remote",
+      "org.xmlpull.v1;XmlPullParser;false;getNamespace;();;ReturnValue;remote",
+      "org.xmlpull.v1;XmlPullParser;false;getText;();;ReturnValue;remote",
+      // XmlAttrSetGetMethod
+      "android.util;AttributeSet;false;getAttributeBooleanValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeCount;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeFloatValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeIntValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeListValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeName;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeNameResource;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeNamespace;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeResourceValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeUnsignedIntValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getClassAttribute;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getIdAttribute;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getIdAttributeResourceValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getPositionDescription;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getStyleAttribute;;;ReturnValue;remote"
     ]
 }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -216,10 +216,6 @@ private class RemoteTaintedMethod extends Method {
   RemoteTaintedMethod() {
     this instanceof PlayRequestGetMethod or
     this instanceof SpringRestTemplateResponseEntityMethod or
-    // In the setting of Android we assume that XML has been transmitted over
-    // the network, so may be tainted.
-    this instanceof XmlPullGetMethod or
-    this instanceof XmlAttrSetGetMethod or
     // The current URL in a browser may be untrusted or uncontrolled.
     this instanceof WebViewGetUrlMethod
   }
