Switch to TaintPreservingCallable and add test cases

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-749/UnsafeAndroidAccess.ql

@@ -58,27 +58,6 @@ class FetchResourceMethodAccess extends MethodAccess {
   }
 }
 
-/**
- * Method access to external inputs of `android.content.Intent` object
- */
-class IntentGetExtraMethodAccess extends MethodAccess {
-  IntentGetExtraMethodAccess() {
-    this.getMethod().getName().regexpMatch("get\\w+Extra") and
-    this.getMethod().getDeclaringType() instanceof TypeIntent
-    or
-    this.getMethod().getName().regexpMatch("get\\w+") and
-    this.getQualifier().(MethodAccess).getMethod().hasName("getExtras") and
-    this.getQualifier().(MethodAccess).getMethod().getDeclaringType() instanceof TypeIntent
-  }
-}
-
-/**
- * Source of fetching URLs from intent extras
- */
-class UntrustedResourceSource extends DataFlow::ExprNode {
-  UntrustedResourceSource() { this.asExpr() instanceof IntentGetExtraMethodAccess }
-}
-
 /**
  * Holds if `ma` loads URL `sink`
  */
@@ -127,7 +106,7 @@ class UrlResourceSink extends DataFlow::ExprNode {
 class FetchUntrustedResourceConfiguration extends TaintTracking::Configuration {
   FetchUntrustedResourceConfiguration() { this = "FetchUntrustedResourceConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedResourceSource }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) {
     sink instanceof UrlResourceSink and

java/ql/src/semmle/code/java/dataflow/FlowSources.qll

@@ -305,15 +305,29 @@ class ReverseDNSMethod extends Method {
   }
 }
 
-/** Exported Android `Intent` that may have come from a hostile application. */
-class AndroidIntentInput extends RemoteFlowSource {
+/** Android `Intent` that may have come from a hostile application. */
+class AndroidIntentInput extends DataFlow::Node {
   AndroidIntentInput() {
-    exists(AndroidComponent exportedType |
-      exportedType.isExported() |
+    exists(MethodAccess ma, AndroidGetIntentMethod m |
+      ma.getMethod().overrides*(m) and
+      this.asExpr() = ma
+    )
+    or
+    exists(Method m, AndroidReceiveIntentMethod rI |
+      m.overrides*(rI) and
+      this.asParameter() = m.getParameter(1)
+    )
+  }
+}
+
+/** Exported Android `Intent` that may have come from a hostile application. */
+class ExportedAndroidIntentInput extends RemoteFlowSource {
+  ExportedAndroidIntentInput() {
+    exists(ExportableAndroidComponent exportedType | exportedType.isExported() |
       exists(MethodAccess ma, AndroidGetIntentMethod m |
         ma.getMethod().overrides*(m) and
         this.asExpr() = ma and
-        exportedType = ma.getReceiverType()
+        exportedType = ma.getEnclosingCallable().getDeclaringType()
       )
       or
       exists(Method m, AndroidReceiveIntentMethod rI |

java/ql/src/semmle/code/java/frameworks/android/Android.qll

@@ -30,10 +30,10 @@ class AndroidComponent extends Class {
   predicate hasIntentFilter() { exists(getAndroidComponentXmlElement().getAnIntentFilterElement()) }
 }
 
-/** An Android activity. */
-class AndroidActivity extends AndroidComponent {
-  AndroidActivity() { this.getASupertype*().hasQualifiedName("android.app", "Activity") }
-
+/**
+ * An Android component that is explicitly or implicitly exported.
+ */
+class ExportableAndroidComponent extends AndroidComponent {
   /** Holds if this Android component is configured as `exported` or has intent filters configured without `exported` explicitly disabled in an `AndroidManifest.xml` file. */
   override predicate isExported() {
     getAndroidComponentXmlElement().isExported()
@@ -42,34 +42,25 @@ class AndroidActivity extends AndroidComponent {
   }
 }
 
+/** An Android activity. */
+class AndroidActivity extends ExportableAndroidComponent {
+  AndroidActivity() { this.getASupertype*().hasQualifiedName("android.app", "Activity") }
+}
+
 /** An Android service. */
-class AndroidService extends AndroidComponent {
+class AndroidService extends ExportableAndroidComponent {
   AndroidService() { this.getASupertype*().hasQualifiedName("android.app", "Service") }
-
-  /** Holds if this Android component is configured as `exported` or has intent filters configured without `exported` explicitly disabled in an `AndroidManifest.xml` file. */
-  override predicate isExported() {
-    getAndroidComponentXmlElement().isExported()
-    or
-    not getAndroidComponentXmlElement().isNotExported() and hasIntentFilter()
-  }
 }
 
 /** An Android broadcast receiver. */
-class AndroidBroadcastReceiver extends AndroidComponent {
+class AndroidBroadcastReceiver extends ExportableAndroidComponent {
   AndroidBroadcastReceiver() {
     this.getASupertype*().hasQualifiedName("android.content", "BroadcastReceiver")
   }
-
-  /** Holds if this Android component is configured as `exported` or has intent filters configured without `exported` explicitly disabled in an `AndroidManifest.xml` file. */
-  override predicate isExported() {
-    getAndroidComponentXmlElement().isExported()
-    or
-    not getAndroidComponentXmlElement().isNotExported() and hasIntentFilter()
-  }
 }
 
 /** An Android content provider. */
-class AndroidContentProvider extends AndroidComponent {
+class AndroidContentProvider extends ExportableAndroidComponent {
   AndroidContentProvider() {
     this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
   }

java/ql/test/experimental/query-tests/security/CWE-749/AndroidManifest.xml

@@ -0,0 +1,51 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.app"
+    android:installLocation="auto"
+    android:versionCode="1"
+    android:versionName="0.1" >
+
+    <uses-permission android:name="android.permission.INTERNET" />
+
+    <application
+        android:icon="@drawable/ic_launcher"
+        android:label="@string/app_name"
+        android:theme="@style/AppTheme" >
+        <activity
+            android:name=".UnsafeAndroidAccess"
+            android:icon="@drawable/ic_launcher"
+			android:label="@string/app_name">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+
+        <activity android:name=".UnsafeActivity1" android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW"/>
+            </intent-filter>
+        </activity>
+        
+        <activity android:name=".UnsafeActivity2">
+            <intent-filter>
+            <action android:name="android.intent.action.VIEW"/>
+            </intent-filter>
+        </activity>
+        
+        <activity android:name=".SafeActivity1" android:exported="false">
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW"/>
+            </intent-filter>
+        </activity>
+
+        <activity android:name=".SafeActivity2" android:exported="false" />
+
+        <activity android:name=".SafeActivity3" />
+
+        <activity android:name=".UnsafeActivity3" android:exported="true" />
+        <activity android:name=".UnsafeActivity4" android:exported="true" />
+
+        <receiver android:name=".UnsafeAndroidBroadcastReceiver" android:exported="true" />        
+    </application>
+
+</manifest>

java/ql/test/experimental/query-tests/security/CWE-749/IntentUtils.java

@@ -0,0 +1,24 @@
+package com.example.app;
+
+import android.app.Activity;
+
+import android.os.Bundle;
+
+import android.webkit.WebSettings;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+
+/** A utility program for getting intent extra information from Android activity */
+public class IntentUtils {
+	/** Get intent extra */
+	public static String getIntentUrl(Activity a) {
+		String thisUrl = a.getIntent().getStringExtra("url");
+		return thisUrl;
+	}
+
+	/** Get bundle extra */
+	public static String getBundleUrl(Activity a) {
+		String thisUrl = a.getIntent().getExtras().getString("url");
+		return thisUrl;
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-749/SafeActivity1.java

@@ -0,0 +1,34 @@
+package com.example.app;
+
+import android.app.Activity;
+
+import android.os.Bundle;
+
+import android.webkit.WebSettings;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+
+public class SafeActivity1 extends Activity {
+	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	public void onCreate(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(-1);
+
+		WebView wv = (WebView) findViewById(-1);
+		WebSettings webSettings = wv.getSettings();
+
+		webSettings.setJavaScriptEnabled(true);
+		webSettings.setAllowFileAccessFromFileURLs(true);
+
+		wv.setWebViewClient(new WebViewClient() {
+			@Override
+			public boolean shouldOverrideUrlLoading(WebView view, String url) {
+				view.loadUrl(url);
+				return true;
+			}
+		});
+
+		String thisUrl = getIntent().getExtras().getString("url");
+		wv.loadUrl(thisUrl);
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-749/SafeActivity2.java

@@ -0,0 +1,34 @@
+package com.example.app;
+
+import android.app.Activity;
+
+import android.os.Bundle;
+
+import android.webkit.WebSettings;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+
+public class SafeActivity2 extends Activity {
+	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	public void onCreate(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(-1);
+
+		WebView wv = (WebView) findViewById(-1);
+		WebSettings webSettings = wv.getSettings();
+
+		webSettings.setJavaScriptEnabled(true);
+		webSettings.setAllowFileAccessFromFileURLs(true);
+
+		wv.setWebViewClient(new WebViewClient() {
+			@Override
+			public boolean shouldOverrideUrlLoading(WebView view, String url) {
+				view.loadUrl(url);
+				return true;
+			}
+		});
+
+		String thisUrl = getIntent().getExtras().getString("url");
+		wv.loadUrl(thisUrl);
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-749/SafeActivity3.java

@@ -0,0 +1,34 @@
+package com.example.app;
+
+import android.app.Activity;
+
+import android.os.Bundle;
+
+import android.webkit.WebSettings;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+
+public class SafeActivity3 extends Activity {
+	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	public void onCreate(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(-1);
+
+		WebView wv = (WebView) findViewById(-1);
+		WebSettings webSettings = wv.getSettings();
+
+		webSettings.setJavaScriptEnabled(true);
+		webSettings.setAllowFileAccessFromFileURLs(true);
+
+		wv.setWebViewClient(new WebViewClient() {
+			@Override
+			public boolean shouldOverrideUrlLoading(WebView view, String url) {
+				view.loadUrl(url);
+				return true;
+			}
+		});
+
+		String thisUrl = getIntent().getExtras().getString("url");
+		wv.loadUrl(thisUrl);
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-749/UnsafeActivity1.java

@@ -0,0 +1,34 @@
+package com.example.app;
+
+import android.app.Activity;
+
+import android.os.Bundle;
+
+import android.webkit.WebSettings;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+
+public class UnsafeActivity1 extends Activity {
+	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	public void onCreate(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(-1);
+
+		WebView wv = (WebView) findViewById(-1);
+		WebSettings webSettings = wv.getSettings();
+
+		webSettings.setJavaScriptEnabled(true);
+		webSettings.setAllowFileAccessFromFileURLs(true);
+
+		wv.setWebViewClient(new WebViewClient() {
+			@Override
+			public boolean shouldOverrideUrlLoading(WebView view, String url) {
+				view.loadUrl(url);
+				return true;
+			}
+		});
+
+		String thisUrl = getIntent().getExtras().getString("url");
+		wv.loadUrl(thisUrl);
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-749/UnsafeActivity2.java

@@ -0,0 +1,34 @@
+package com.example.app;
+
+import android.app.Activity;
+
+import android.os.Bundle;
+
+import android.webkit.WebSettings;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+
+public class UnsafeActivity2 extends Activity {
+	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	public void onCreate(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(-1);
+
+		WebView wv = (WebView) findViewById(-1);
+		WebSettings webSettings = wv.getSettings();
+
+		webSettings.setJavaScriptEnabled(true);
+		webSettings.setAllowFileAccessFromFileURLs(true);
+
+		wv.setWebViewClient(new WebViewClient() {
+			@Override
+			public boolean shouldOverrideUrlLoading(WebView view, String url) {
+				view.loadUrl(url);
+				return true;
+			}
+		});
+
+		String thisUrl = getIntent().getExtras().getString("url");
+		wv.loadUrl(thisUrl);
+	}
+}