Merge pull request github#6685 from smowton/smowton/admin/android-uri-model

Java: Add models for android.net.Uri[.Builder]

Author: smowton

java/change-notes/2021-09-13-android-uri.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added taint-propagating models for Android's Uri class and its nested Builder class. This means that new data-flow alerts may be raised where those classes are involved.

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -110,6 +110,7 @@ private module Frameworks {
   private import semmle.code.java.security.MvelInjection
   private import semmle.code.java.security.OgnlInjection
   private import semmle.code.java.security.XPath
+  private import semmle.code.java.frameworks.android.Android
   private import semmle.code.java.frameworks.android.SQLite
   private import semmle.code.java.frameworks.Jdbc
   private import semmle.code.java.frameworks.SpringJdbc

java/ql/lib/semmle/code/java/frameworks/android/Android.qll

@@ -3,6 +3,7 @@
  */
 
 import java
+import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.xml.AndroidManifest
 
 /**
@@ -79,3 +80,71 @@ class AndroidContentResolver extends AndroidComponent {
     this.getASupertype*().hasQualifiedName("android.content", "ContentResolver")
   }
 }
+
+private class UriModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "android.net;Uri;true;buildUpon;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;false;decode;;;Argument[0];ReturnValue;taint",
+        "android.net;Uri;false;encode;;;Argument[0];ReturnValue;taint",
+        "android.net;Uri;false;fromFile;;;Argument[0];ReturnValue;taint",
+        "android.net;Uri;false;fromParts;;;Argument[0..2];ReturnValue;taint",
+        "android.net;Uri;true;getAuthority;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getEncodedAuthority;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getEncodedFragment;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getEncodedPath;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getEncodedQuery;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getEncodedSchemeSpecificPart;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getEncodedUserInfo;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getFragment;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getHost;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getLastPathSegment;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getPath;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getQuery;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getQueryParameter;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getQueryParameterNames;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getScheme;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getSchemeSpecificPart;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;getUserInfo;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;true;normalizeScheme;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;false;parse;;;Argument[0];ReturnValue;taint",
+        "android.net;Uri;true;toString;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri;false;withAppendedPath;;;Argument[0..1];ReturnValue;taint",
+        "android.net;Uri;false;writeToParcel;;;Argument[1];Argument[0];taint",
+        "android.net;Uri$Builder;false;appendEncodedPath;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;appendEncodedPath;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;appendPath;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;appendPath;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;appendQueryParameter;;;Argument[0..1];Argument[-1];taint",
+        "android.net;Uri$Builder;false;appendQueryParameter;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;authority;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;authority;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;build;;;Argument[-1];ReturnValue;taint",
+        "android.net;Uri$Builder;false;clearQuery;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;encodedAuthority;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;encodedAuthority;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;encodedFragment;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;encodedFragment;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;encodedOpaquePart;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;encodedOpaquePart;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;encodedPath;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;encodedPath;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;encodedQuery;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;encodedQuery;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;fragment;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;fragment;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;opaquePart;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;opaquePart;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;path;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;path;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;query;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;query;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;scheme;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri$Builder;false;scheme;;;Argument[-1];ReturnValue;value",
+        "android.net;Uri$Builder;false;toString;;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}