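# Detection rules for high-risk Android vulnerabilities.
# Each rule is a Soot-style method signature
#   <declaring.Class: return.Type name(param.Types)>
# tagged _SOURCE_ (returns externally controllable data) or _SINK_ (security-sensitive call).
# NOTE(review): signature-based matchers usually compare the full text, return type included,
# so a wrong type makes a rule silently never fire - confirm against the consuming analyzer,
# and confirm that it skips lines starting with '#'.
#
# Android APK components: externally controllable data sources.
# Only the Intent and Uri accessors below are sources. Values read through other getters
# (for example Intent.getStringExtra, or the Bundle getters after getExtras()) are tainted only
# if the analyzer propagates taint through those calls - TODO confirm.
<android.app.Activity: android.content.Intent getIntent()> -> _SOURCE_
<android.content.Intent: android.net.Uri getData()> -> _SOURCE_
<android.content.Intent: java.lang.String getDataString()> -> _SOURCE_
<android.content.Intent: android.os.Bundle getExtras()> -> _SOURCE_
# Fixed: Uri.getQueryParameterNames() returns java.util.Set, not java.util.Map.
<android.net.Uri: java.util.Set getQueryParameterNames()> -> _SOURCE_
<android.net.Uri: java.lang.String getQueryParameter(java.lang.String)> -> _SOURCE_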
# Intent redirection
# Flags an externally influenced Intent that is handed back to the calling component.
# Typical remediation: build a fresh result Intent instead of passing the received one through.
<android.app.Activity: void setResult(int,android.content.Intent)> -> _SINK_
# LaunchAnyWhere vulnerability
# Component-launch calls that receive an Intent; a tainted Intent here means an external caller
# may choose which component this app starts under its own identity.
# NOTE(review): the rules name android.content.Context and android.app.Activity only; whether
# calls through subclasses (ContextWrapper, Service, ...) match depends on how the analyzer
# resolves the class hierarchy - confirm. Context.startForegroundService(Intent) is not listed.
<android.content.Context: void startActivity(android.content.Intent)> -> _SINK_
<android.content.Context: void startActivity(android.content.Intent,android.os.Bundle)> -> _SINK_
<android.content.Context: void startActivities(android.content.Intent[])> -> _SINK_
<android.content.Context: void startActivities(android.content.Intent[],android.os.Bundle)> -> _SINK_
<android.content.Context: android.content.ComponentName startService(android.content.Intent)> -> _SINK_
<android.content.Context: boolean bindService(android.content.Intent,android.content.ServiceConnection,int)> -> _SINK_
<android.app.Activity: void startActivityForResult(android.content.Intent,int)> -> _SINK_
<android.app.Activity: void startActivityForResult(android.content.Intent,int,android.os.Bundle)> -> _SINK_
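# WebView vulnerabilities
# Content-loading calls: a tainted URL or HTML string reaches the WebView.
<android.webkit.WebView: void loadUrl(java.lang.String)> -> _SINK_
# Fixed: the two-argument overload is loadUrl(String, Map<String,String>); there is no Bundle overload.
<android.webkit.WebView: void loadUrl(java.lang.String,java.util.Map)> -> _SINK_
<android.webkit.WebView: void loadData(java.lang.String,java.lang.String,java.lang.String)> -> _SINK_
<android.webkit.WebView: void loadDataWithBaseURL(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String)> -> _SINK_
<android.webkit.WebView: void addJavascriptInterface(java.lang.Object,java.lang.String)> -> _SINK_
# WebSettings switches.
# NOTE(review): as taint sinks these only report when the boolean argument itself is derived
# from a source. A hard-coded setJavaScriptEnabled(true) or setAllowFileAccess(true) is a
# configuration finding that data-flow rules will presumably not report; cover it with a
# separate constant-argument check.
<android.webkit.WebSettings: void setJavaScriptEnabled(boolean)> -> _SINK_
<android.webkit.WebSettings: void setAllowFileAccess(boolean)> -> _SINK_
<android.webkit.WebSettings: void setAllowContentAccess(boolean)> -> _SINK_
<android.webkit.WebSettings: void setAllowFileAccessFromFileURLs(boolean)> -> _SINK_
<android.webkit.WebSettings: void setAllowUniversalAccessFromFileURLs(boolean)> -> _SINK_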
# Provider vulnerabilities
# Uri.getLastPathSegment() returns the decoded segment, so an encoded separator in the request
# URI can come back as a path separator. Treat the value as untrusted when it is used to build
# a file path: canonicalize the result and check that it stays under the intended directory.
<android.net.Uri: java.lang.String getLastPathSegment()> -> _SOURCE_
# File-descriptor and provider-operation sinks reached from that (or any other) source.
<android.os.ParcelFileDescriptor: android.os.ParcelFileDescriptor open(java.io.File,int)> -> _SINK_
<android.content.ContentProvider: android.os.ParcelFileDescriptor openFile(android.net.Uri,java.lang.String)> -> _SINK_
<android.content.ContentResolver: android.net.Uri insert(android.net.Uri,android.content.ContentValues)> -> _SINK_
<android.content.ContentResolver: int delete(android.net.Uri,java.lang.String,java.lang.String[])> -> _SINK_
<android.content.ContentResolver: int update(android.net.Uri,android.content.ContentValues,java.lang.String,java.lang.String[])> -> _SINK_
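# File read/write vulnerabilities
# NOTE(review): every rule below is a create, write, delete or rename operation; no read-side
# API (for example the FileInputStream constructors) is listed despite the section title -
# confirm whether arbitrary-file-read flows are meant to be covered here.
# java.io.File operations take no path argument, so the tainted value is the File receiver;
# confirm that the analyzer reports a tainted receiver at a sink.
<java.io.File: boolean delete()> -> _SINK_
<java.io.File: boolean createNewFile()> -> _SINK_
<java.io.File: boolean mkdir()> -> _SINK_
<java.io.File: boolean mkdirs()> -> _SINK_
<java.io.File: boolean renameTo(java.io.File)> -> _SINK_
<java.nio.file.Files: java.nio.file.Path write(java.nio.file.Path,byte[],java.nio.file.OpenOption[])> -> _SINK_
<java.nio.file.Files: boolean deleteIfExists(java.nio.file.Path)> -> _SINK_
<java.nio.file.Files: java.nio.file.Path move(java.nio.file.Path,java.nio.file.Path,java.nio.file.CopyOption[])> -> _SINK_
<java.io.FileWriter: void <init>(java.io.File)> -> _SINK_
<java.io.FileWriter: void <init>(java.io.File,boolean)> -> _SINK_
<java.io.FileWriter: void <init>(java.lang.String)> -> _SINK_
<java.io.FileWriter: void <init>(java.lang.String,boolean)> -> _SINK_
# Fixed: the second FileOutputStream constructor parameter is the boolean append flag, not an int.
<java.io.FileOutputStream: void <init>(java.io.File)> -> _SINK_
<java.io.FileOutputStream: void <init>(java.io.File,boolean)> -> _SINK_
<java.io.FileOutputStream: void <init>(java.lang.String)> -> _SINK_
<java.io.FileOutputStream: void <init>(java.lang.String,boolean)> -> _SINK_
<java.io.BufferedWriter: void <init>(java.io.Writer)> -> _SINK_
<java.io.BufferedWriter: void <init>(java.io.Writer,int)> -> _SINK_
<java.io.PrintWriter: void <init>(java.io.File)> -> _SINK_
<java.io.PrintWriter: void <init>(java.io.File,java.lang.String)> -> _SINK_
<java.io.PrintWriter: void <init>(java.lang.String)> -> _SINK_
<java.io.PrintWriter: void <init>(java.lang.String,java.lang.String)> -> _SINK_
# App-specific sink: matches only targets that contain the oversecured.ovaa package.
<oversecured.ovaa.utils.FileUtils: java.io.File copyToCache(android.content.Context,android.net.Uri)> -> _SINK_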
# Broadcast vulnerabilities (e.g. BroadcastAnyWhere)
# A tainted Intent reaching these calls means an external caller may influence a broadcast
# sent under this app's identity.
# NOTE(review): the Activity rules repeat the Context ones, presumably for analyzers that do
# not resolve inherited methods. Longer sendOrderedBroadcast overloads and the sticky-broadcast
# APIs are not listed.
<android.content.Context: void sendBroadcast(android.content.Intent)> -> _SINK_
<android.content.Context: void sendBroadcast(android.content.Intent,java.lang.String)> -> _SINK_
<android.content.Context: void sendOrderedBroadcast(android.content.Intent,java.lang.String)> -> _SINK_
<android.app.Activity: void sendBroadcast(android.content.Intent)> -> _SINK_
<android.app.Activity: void sendBroadcast(android.content.Intent,java.lang.String)> -> _SINK_
<android.app.Activity: void sendOrderedBroadcast(android.content.Intent,java.lang.String)> -> _SINK_
# Sandbox file tampering vulnerabilities
# Externally controlled keys or values written into the app's SharedPreferences.
# NOTE(review): Editor.putStringSet(String, Set) is not listed.
<android.content.SharedPreferences$Editor: android.content.SharedPreferences$Editor putString(java.lang.String,java.lang.String)> -> _SINK_
<android.content.SharedPreferences$Editor: android.content.SharedPreferences$Editor putInt(java.lang.String,int)> -> _SINK_
<android.content.SharedPreferences$Editor: android.content.SharedPreferences$Editor putLong(java.lang.String,long)> -> _SINK_
<android.content.SharedPreferences$Editor: android.content.SharedPreferences$Editor putFloat(java.lang.String,float)> -> _SINK_
<android.content.SharedPreferences$Editor: android.content.SharedPreferences$Editor putBoolean(java.lang.String,boolean)> -> _SINK_
# Settings Provider tampering vulnerabilities
# Externally controlled names or values written to the System, Global and Secure settings tables.
# These writes need WRITE_SETTINGS or WRITE_SECURE_SETTINGS, so findings matter mainly for apps
# that hold those permissions (typically system or privileged apps).
<android.provider.Settings$System: boolean putString(android.content.ContentResolver,java.lang.String,java.lang.String)> -> _SINK_
<android.provider.Settings$System: boolean putInt(android.content.ContentResolver,java.lang.String,int)> -> _SINK_
<android.provider.Settings$System: boolean putLong(android.content.ContentResolver,java.lang.String,long)> -> _SINK_
<android.provider.Settings$System: boolean putFloat(android.content.ContentResolver,java.lang.String,float)> -> _SINK_
<android.provider.Settings$Global: boolean putString(android.content.ContentResolver,java.lang.String,java.lang.String)> -> _SINK_
<android.provider.Settings$Global: boolean putInt(android.content.ContentResolver,java.lang.String,int)> -> _SINK_
<android.provider.Settings$Global: boolean putLong(android.content.ContentResolver,java.lang.String,long)> -> _SINK_
<android.provider.Settings$Global: boolean putFloat(android.content.ContentResolver,java.lang.String,float)> -> _SINK_
<android.provider.Settings$Secure: boolean putString(android.content.ContentResolver,java.lang.String,java.lang.String)> -> _SINK_
<android.provider.Settings$Secure: boolean putInt(android.content.ContentResolver,java.lang.String,int)> -> _SINK_
<android.provider.Settings$Secure: boolean putLong(android.content.ContentResolver,java.lang.String,long)> -> _SINK_
<android.provider.Settings$Secure: boolean putFloat(android.content.ContentResolver,java.lang.String,float)> -> _SINK_
# Remote code execution through reflection
# An externally controlled method name, target object or argument reaching a reflective call.
# NOTE(review): Class.newInstance() takes no arguments, so the tainted value is the Class
# receiver; confirm that the analyzer reports a tainted receiver at a sink. Class.forName and
# Constructor.newInstance are not listed.
<java.lang.Class: java.lang.reflect.Method getMethod(java.lang.String,java.lang.Class[])> -> _SINK_
<java.lang.Class: java.lang.reflect.Method getDeclaredMethod(java.lang.String,java.lang.Class[])> -> _SINK_
<java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])> -> _SINK_
<java.lang.Class: java.lang.Object newInstance()> -> _SINK_
# Command execution vulnerabilities
# An externally controlled command string, argument array or environment reaching process creation.
# NOTE(review): the Runtime.exec(String,String[],File) overload is not listed.
<java.lang.Runtime: java.lang.Process exec(java.lang.String)> -> _SINK_
<java.lang.Runtime: java.lang.Process exec(java.lang.String[])> -> _SINK_
<java.lang.Runtime: java.lang.Process exec(java.lang.String,java.lang.String[])> -> _SINK_
<java.lang.Runtime: java.lang.Process exec(java.lang.String[],java.lang.String[])> -> _SINK_
<java.lang.Runtime: java.lang.Process exec(java.lang.String[],java.lang.String[],java.io.File)> -> _SINK_
# NOTE(review): start() has no parameters; the command reaches ProcessBuilder through its
# constructors or command(...). This rule presumably reports only if the analyzer treats a
# tainted receiver as a sink hit - confirm, or add the constructors as sinks.
<java.lang.ProcessBuilder: java.lang.Process start()> -> _SINK_