Merge pull request #4336 from aibaars/android-database

Java: add Android database taint and SQL injection sinks

Author: aibaars

java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -6,6 +6,7 @@ private import semmle.code.java.dataflow.DefUse
 private import semmle.code.java.security.SecurityTests
 private import semmle.code.java.security.Validation
 private import semmle.code.java.frameworks.android.Intent
+private import semmle.code.java.frameworks.android.SQLite
 private import semmle.code.java.frameworks.Guice
 private import semmle.code.java.frameworks.Protobuf
 private import semmle.code.java.frameworks.spring.SpringController
@@ -392,6 +393,14 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   or
   m.getDeclaringType() instanceof TypeFormatter and
   m.hasName(["format", "out"])
+  or
+  m.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
+  // buildQuery(String[] projectionIn, String selection, String groupBy, String having, String sortOrder, String limit)
+  // buildQuery(String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit)
+  // buildUnionQuery(String[] subQueries, String sortOrder, String limit)
+  // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String[] selectionArgs, String groupBy, String having)
+  // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String groupBy, String having)
+  m.hasName(["buildQuery", "buildUnionQuery", "buildUnionSubQuery"])
 }
 
 private class StringReplaceMethod extends Method {
@@ -455,6 +464,17 @@ private predicate taintPreservingArgumentToMethod(Method method) {
   or
   method.getDeclaringType() instanceof TypeFormatter and
   method.hasName("format")
+  or
+  method.getDeclaringType() instanceof TypeDatabaseUtils and
+  // String[] appendSelectionArgs(String[] originalValues, String[] newValues)
+  // String concatenateWhere(String a, String b)
+  method.hasName(["appendSelectionArgs", "concatenateWhere"])
+  or
+  method.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
+  // buildQuery(String[] projectionIn, String selection, String groupBy, String having, String sortOrder, String limit)
+  // buildQuery(String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit)
+  // buildUnionQuery(String[] subQueries, String sortOrder, String limit)
+  method.hasName(["buildQuery", "buildUnionQuery"])
 }
 
 /**
@@ -568,6 +588,27 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
   method.getDeclaringType().hasQualifiedName("java.io", "StringWriter") and
   method.hasName("append") and
   arg = 0
+  or
+  method.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
+  (
+    // static buildQueryString(boolean distinct, String tables, String[] columns, String where, String groupBy, String having, String orderBy, String limit)
+    method.hasName("buildQueryString") and arg = [1 .. method.getNumberOfParameters()]
+    or
+    // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String[] selectionArgs, String groupBy, String having)
+    // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String groupBy, String having)
+    method.hasName("buildUnionSubQuery") and
+    arg = [0 .. method.getNumberOfParameters()] and
+    arg != 3
+  )
+  or
+  (
+    method.getDeclaringType() instanceof AndroidContentProvider or
+    method.getDeclaringType() instanceof AndroidContentResolver
+  ) and
+  // Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
+  // Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
+  method.hasName("query") and
+  arg = 0
 }
 
 /**
@@ -620,6 +661,12 @@ private predicate taintPreservingArgToArg(Method method, int input, int output)
   method.getNumberOfParameters() > 1 and
   input = method.getNumberOfParameters() - 1 and
   output = 0
+  or
+  method.getDeclaringType() instanceof TypeSQLiteQueryBuilder and
+  // static appendColumns(StringBuilder s, String[] columns)
+  method.hasName("appendColumns") and
+  input = 1 and
+  output = 0
 }
 
 /**
@@ -671,6 +718,14 @@ private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
     arg = 0 and
     append.getDeclaringType().hasQualifiedName("java.io", "StringWriter")
   )
+  or
+  method.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
+  // setProjectionMap(Map<String, String> columnMap)
+  // setTables(String inTables)
+  // appendWhere(CharSequence inWhere)
+  // appendWhereStandalone(CharSequence inWhere)
+  method.hasName(["setProjectionMap", "setTables", "appendWhere", "appendWhereStandalone"]) and
+  arg = 0
 }
 
 /** A comparison or equality test with a constant. */

java/ql/src/semmle/code/java/frameworks/android/Android.qll

@@ -14,7 +14,8 @@ class AndroidComponent extends Class {
     this.getASupertype*().hasQualifiedName("android.app", "Activity") or
     this.getASupertype*().hasQualifiedName("android.app", "Service") or
     this.getASupertype*().hasQualifiedName("android.content", "BroadcastReceiver") or
-    this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
+    this.getASupertype*().hasQualifiedName("android.content", "ContentProvider") or
+    this.getASupertype*().hasQualifiedName("android.content", "ContentResolver")
   }
 
   /** The XML element corresponding to this Android component. */
@@ -52,3 +53,10 @@ class AndroidContentProvider extends AndroidComponent {
     this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
   }
 }
+
+/** An Android content resolver. */
+class AndroidContentResolver extends AndroidComponent {
+  AndroidContentResolver() {
+    this.getASupertype*().hasQualifiedName("android.content", "ContentResolver")
+  }
+}

java/ql/src/semmle/code/java/frameworks/android/SQLite.qll

@@ -1,45 +1,228 @@
 import java
+import Android
 
+/**
+ * The class `android.database.sqlite.SQLiteDatabase`.
+ */
 class TypeSQLiteDatabase extends Class {
   TypeSQLiteDatabase() { hasQualifiedName("android.database.sqlite", "SQLiteDatabase") }
 }
 
+/**
+ * The class `android.database.sqlite.SQLiteQueryBuilder`.
+ */
+class TypeSQLiteQueryBuilder extends Class {
+  TypeSQLiteQueryBuilder() { hasQualifiedName("android.database.sqlite", "SQLiteQueryBuilder") }
+}
+
+/**
+ * The class `android.database.DatabaseUtils`.
+ */
+class TypeDatabaseUtils extends Class {
+  TypeDatabaseUtils() { hasQualifiedName("android.database", "DatabaseUtils") }
+}
+
 abstract class SQLiteRunner extends Method {
   abstract int sqlIndex();
 }
 
-class ExecSqlMethod extends SQLiteRunner {
+private class ExecSqlMethod extends SQLiteRunner {
   ExecSqlMethod() {
     this.getDeclaringType() instanceof TypeSQLiteDatabase and
-    this.getName() = "execSql"
+    // execPerConnectionSQL(String sql, Object[] bindArgs)
+    // execSQL(String sql)
+    // execSQL(String sql, Object[] bindArgs)
+    this.hasName(["execPerConnectionSQL", "execSQL"])
   }
 
   override int sqlIndex() { result = 0 }
 }
 
-class QueryMethod extends SQLiteRunner {
+private class QueryMethod extends SQLiteRunner {
   QueryMethod() {
     this.getDeclaringType() instanceof TypeSQLiteDatabase and
-    this.getName().matches("rawQuery%")
+    this.hasName(["query", "queryWithFactory"])
   }
 
   override int sqlIndex() {
+    // query(boolean distinct, String table, String[] columns, String selection, String[] selectionArgs, String groupBy, String having, String orderBy, String limit)
+    // query(boolean distinct, String table, String[] columns, String selection, String[] selectionArgs, String groupBy, String having, String orderBy, String limit, CancellationSignal cancellationSignal)
+    // query(String table, String[] columns, String selection, String[] selectionArgs, String groupBy, String having, String orderBy, String limit)
+    // query(String table, String[] columns, String selection, String[] selectionArgs, String groupBy, String having, String orderBy)
     this.getName() = "query" and
-    (if this.getParameter(0).getType() instanceof TypeString then result = 2 else result = 3)
+    (
+      if this.getParameter(0).getType() instanceof TypeString
+      then result = [0, 1, 2, 4, 5, 6, 7]
+      else result = [1, 2, 3, 5, 6, 7, 8]
+    )
     or
-    this.getName() = "queryWithFactory" and result = 4
+    // queryWithFactory(SQLiteDatabase.CursorFactory cursorFactory, boolean distinct, String table, String[] columns, String selection, String[] selectionArgs, String groupBy, String having, String orderBy, String limit, CancellationSignal cancellationSignal)
+    // queryWithFactory(SQLiteDatabase.CursorFactory cursorFactory, boolean distinct, String table, String[] columns, String selection, String[] selectionArgs, String groupBy, String having, String orderBy, String limit)
+    this.getName() = "queryWithFactory" and result = [2, 3, 4, 6, 7, 8, 9]
   }
 }
 
-class RawQueryMethod extends SQLiteRunner {
+private class RawQueryMethod extends SQLiteRunner {
   RawQueryMethod() {
     this.getDeclaringType() instanceof TypeSQLiteDatabase and
-    this.getName().matches("rawQuery%")
+    this.hasName(["rawQuery", "rawQueryWithFactory"])
   }
 
   override int sqlIndex() {
+    // rawQuery(String sql, String[] selectionArgs, CancellationSignal cancellationSignal)
+    // rawQuery(String sql, String[] selectionArgs)
     this.getName() = "rawQuery" and result = 0
     or
+    // rawQueryWithFactory(SQLiteDatabase.CursorFactory cursorFactory, String sql, String[] selectionArgs, String editTable, CancellationSignal cancellationSignal)
+    // rawQueryWithFactory(SQLiteDatabase.CursorFactory cursorFactory, String sql, String[] selectionArgs, String editTable)
     this.getName() = "rawQueryWithFactory" and result = 1
   }
 }
+
+private class CompileStatementMethod extends SQLiteRunner {
+  CompileStatementMethod() {
+    this.getDeclaringType() instanceof TypeSQLiteDatabase and
+    // compileStatement(String sql)
+    this.hasName("compileStatement")
+  }
+
+  override int sqlIndex() { result = 0 }
+}
+
+private class DeleteMethod extends SQLiteRunner {
+  DeleteMethod() {
+    this.getDeclaringType() instanceof TypeSQLiteDatabase and
+    // delete(String table, String whereClause, String[] whereArgs)
+    this.hasName("delete")
+  }
+
+  override int sqlIndex() { result = 1 }
+}
+
+private class UpdateMethod extends SQLiteRunner {
+  UpdateMethod() {
+    this.getDeclaringType() instanceof TypeSQLiteDatabase and
+    // update(String table, ContentValues values, String whereClause, String[] whereArgs)
+    // updateWithOnConflict(String table, ContentValues values, String whereClause, String[] whereArgs, int conflictAlgorithm)
+    this.hasName(["update", "updateWithOnConflict"])
+  }
+
+  override int sqlIndex() { result = 2 }
+}
+
+private class ForQueryMethod extends SQLiteRunner {
+  ForQueryMethod() {
+    // (blobFileDescriptor|long|string)ForQuery(SQLiteDatabase db, String query, String[] selectionArgs)
+    this.getDeclaringType() instanceof TypeDatabaseUtils and
+    this.hasName(["blobFileDescriptorForQuery", "longForQuery", "stringForQuery"]) and
+    this.getNumberOfParameters() = 3
+  }
+
+  override int sqlIndex() { result = 1 }
+}
+
+private class CreateDbFromSqlStatementsMethod extends SQLiteRunner {
+  CreateDbFromSqlStatementsMethod() {
+    // createDbFromSqlStatements(Context context, String dbName, int dbVersion, String sqlStatements)
+    this.getDeclaringType() instanceof TypeDatabaseUtils and
+    this.hasName("createDbFromSqlStatements")
+  }
+
+  override int sqlIndex() { result = 3 }
+}
+
+private class QueryNumEntriesMethod extends SQLiteRunner {
+  QueryNumEntriesMethod() {
+    // queryNumEntries(SQLiteDatabase db, String table, String selection)
+    // queryNumEntries(SQLiteDatabase db, String table, String selection, String[] selectionArgs)
+    this.getDeclaringType() instanceof TypeDatabaseUtils and
+    this.hasName("queryNumEntries")
+  }
+
+  override int sqlIndex() { result = 2 }
+}
+
+private class QueryBuilderDeleteMethod extends SQLiteRunner {
+  QueryBuilderDeleteMethod() {
+    // delete(SQLiteDatabase db, String selection, String[] selectionArgs)
+    this.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
+    this.hasName("delete")
+  }
+
+  override int sqlIndex() { result = [-1, 1] }
+}
+
+private class QueryBuilderInsertMethod extends SQLiteRunner {
+  QueryBuilderInsertMethod() {
+    // insert(SQLiteDatabase db, ContentValues values)
+    this.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
+    this.hasName("insert")
+  }
+
+  override int sqlIndex() { result = -1 }
+}
+
+private class QueryBuilderQueryMethod extends SQLiteRunner {
+  QueryBuilderQueryMethod() {
+    // query(SQLiteDatabase db, String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder)
+    // query(SQLiteDatabase db, String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit)
+    // query(SQLiteDatabase db, String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit, CancellationSignal cancellationSignal)
+    this.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
+    this.hasName("query")
+  }
+
+  override int sqlIndex() { result = [-1, 2, 4, 5, 6, 7] }
+}
+
+private class QueryBuilderUpdateMethod extends SQLiteRunner {
+  QueryBuilderUpdateMethod() {
+    // update(SQLiteDatabase db, ContentValues values, String selection, String[] selectionArgs)
+    this.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
+    this.hasName("update")
+  }
+
+  override int sqlIndex() { result = [-1, 2] }
+}
+
+private class ContentProviderDeleteMethod extends SQLiteRunner {
+  ContentProviderDeleteMethod() {
+    // delete(Uri uri, String selection, String[] selectionArgs)
+    (
+      this.getDeclaringType() instanceof AndroidContentProvider or
+      this.getDeclaringType() instanceof AndroidContentResolver
+    ) and
+    this.hasName("delete") and
+    this.getNumberOfParameters() = 3
+  }
+
+  override int sqlIndex() { result = 1 }
+}
+
+private class ContentProviderQueryMethod extends SQLiteRunner {
+  ContentProviderQueryMethod() {
+    // query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
+    // query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
+    (
+      this.getDeclaringType() instanceof AndroidContentProvider or
+      this.getDeclaringType() instanceof AndroidContentResolver
+    ) and
+    this.hasName("query") and
+    this.getNumberOfParameters() = [5, 6]
+  }
+
+  override int sqlIndex() { result = 2 }
+}
+
+private class ContentProviderUpdateMethod extends SQLiteRunner {
+  ContentProviderUpdateMethod() {
+    // update(Uri uri, ContentValues values, String selection, String[] selectionArgs)
+    (
+      this.getDeclaringType() instanceof AndroidContentProvider or
+      this.getDeclaringType() instanceof AndroidContentResolver
+    ) and
+    this.hasName("update") and
+    this.getNumberOfParameters() = 4
+  }
+
+  override int sqlIndex() { result = 2 }
+}

java/ql/src/semmle/code/java/security/QueryInjection.qll

@@ -34,7 +34,9 @@ private class SqlInjectionSink extends QueryInjectionSink {
     or
     exists(MethodAccess ma, Method m, int index |
       ma.getMethod() = m and
-      ma.getArgument(index) = this.asExpr()
+      if index = -1
+      then this.asExpr() = ma.getQualifier()
+      else ma.getArgument(index) = this.asExpr()
     |
       index = m.(SQLiteRunner).sqlIndex()
       or