Merge pull request github#6724 from atorralba/atorralba/android-contentprovider-sources

Java: Add sources for content providers in Android

Author: atorralba

java/ql/lib/semmle/code/java/dataflow/FlowSources.qll

@@ -247,3 +247,20 @@ class ExportedAndroidIntentInput extends RemoteFlowSource, AndroidIntentInput {
 
   override string getSourceType() { result = "Exported Android intent source" }
 }
+
+/** A parameter of an entry-point method declared in a `ContentProvider` class. */
+class AndroidContentProviderInput extends DataFlow::Node {
+  AndroidContentProvider declaringType;
+
+  AndroidContentProviderInput() {
+    sourceNode(this, "contentprovider") and
+    this.getEnclosingCallable().getDeclaringType() = declaringType
+  }
+}
+
+/** A parameter of an entry-point method declared in an exported `ContentProvider` class. */
+class ExportedAndroidContentProviderInput extends RemoteFlowSource, AndroidContentProviderInput {
+  ExportedAndroidContentProviderInput() { declaringType.isExported() }
+
+  override string getSourceType() { result = "Exported Android content provider source" }
+}

java/ql/lib/semmle/code/java/frameworks/android/Android.qll

@@ -72,6 +72,14 @@ class AndroidContentProvider extends ExportableAndroidComponent {
   AndroidContentProvider() {
     this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
   }
+
+  /**
+   * Holds if this content provider requires read and write permissions
+   * in an `AndroidManifest.xml` file.
+   */
+  predicate requiresPermissions() {
+    getAndroidComponentXmlElement().(AndroidProviderXmlElement).requiresPermissions()
+  }
 }
 
 /** An Android content resolver. */
@@ -148,3 +156,39 @@ private class UriModel extends SummaryModelCsv {
       ]
   }
 }
+
+private class ContentProviderSourceModels extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // ContentInterface models are here for backwards compatibility (it was removed in API 28)
+        "android.content;ContentInterface;true;call;(String,String,String,Bundle);;Parameter[0..3];contentprovider",
+        "android.content;ContentProvider;true;call;(String,String,String,Bundle);;Parameter[0..3];contentprovider",
+        "android.content;ContentProvider;true;call;(String,String,Bundle);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;delete;(Uri,String,String[]);;Parameter[0..2];contentprovider",
+        "android.content;ContentInterface;true;delete;(Uri,Bundle);;Parameter[0..1];contentprovider",
+        "android.content;ContentProvider;true;delete;(Uri,Bundle);;Parameter[0..1];contentprovider",
+        "android.content;ContentInterface;true;getType;(Uri);;Parameter[0];contentprovider",
+        "android.content;ContentProvider;true;getType;(Uri);;Parameter[0];contentprovider",
+        "android.content;ContentInterface;true;insert;(Uri,ContentValues,Bundle);;Parameter[0];contentprovider",
+        "android.content;ContentProvider;true;insert;(Uri,ContentValues,Bundle);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;insert;(Uri,ContentValues);;Parameter[0..1];contentprovider",
+        "android.content;ContentInterface;true;openAssetFile;(Uri,String,CancellationSignal);;Parameter[0];contentprovider",
+        "android.content;ContentProvider;true;openAssetFile;(Uri,String,CancellationSignal);;Parameter[0];contentprovider",
+        "android.content;ContentProvider;true;openAssetFile;(Uri,String);;Parameter[0];contentprovider",
+        "android.content;ContentInterface;true;openTypedAssetFile;(Uri,String,Bundle,CancellationSignal);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;openTypedAssetFile;(Uri,String,Bundle,CancellationSignal);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;openTypedAssetFile;(Uri,String,Bundle);;Parameter[0..2];contentprovider",
+        "android.content;ContentInterface;true;openFile;(Uri,String,CancellationSignal);;Parameter[0];contentprovider",
+        "android.content;ContentProvider;true;openFile;(Uri,String,CancellationSignal);;Parameter[0];contentprovider",
+        "android.content;ContentProvider;true;openFile;(Uri,String);;Parameter[0];contentprovider",
+        "android.content;ContentInterface;true;query;(Uri,String[],Bundle,CancellationSignal);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;query;(Uri,String[],Bundle,CancellationSignal);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;query;(Uri,String[],String,String[],String);;Parameter[0..4];contentprovider",
+        "android.content;ContentProvider;true;query;(Uri,String[],String,String[],String,CancellationSignal);;Parameter[0..4];contentprovider",
+        "android.content;ContentInterface;true;update;(Uri,ContentValues,Bundle);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;update;(Uri,ContentValues,Bundle);;Parameter[0..2];contentprovider",
+        "android.content;ContentProvider;true;update;(Uri,ContentValues,String,String[]);;Parameter[0..3];contentprovider"
+      ]
+  }
+}

java/ql/lib/semmle/code/xml/AndroidManifest.qll

@@ -79,6 +79,47 @@ class AndroidReceiverXmlElement extends AndroidComponentXmlElement {
  */
 class AndroidProviderXmlElement extends AndroidComponentXmlElement {
   AndroidProviderXmlElement() { this.getName() = "provider" }
+
+  /**
+   * Holds if this provider element has explicitly set a value for either its
+   * `android:permission` attribute or its `android:readPermission` and `android:writePermission`
+   * attributes.
+   */
+  predicate requiresPermissions() {
+    this.getAnAttribute().(AndroidPermissionXmlAttribute).isFull()
+    or
+    this.getAnAttribute().(AndroidPermissionXmlAttribute).isWrite() and
+    this.getAnAttribute().(AndroidPermissionXmlAttribute).isRead()
+  }
+}
+
+/**
+ * The attribute `android:perrmission`, `android:readPermission`, or `android:writePermission`.
+ */
+class AndroidPermissionXmlAttribute extends XMLAttribute {
+  AndroidPermissionXmlAttribute() {
+    this.getNamespace().getPrefix() = "android" and
+    this.getName() = ["permission", "readPermission", "writePermission"]
+  }
+
+  /** Holds if this is an `android:permission` attribute. */
+  predicate isFull() { this.getName() = "permission" }
+
+  /** Holds if this is an `android:readPermission` attribute. */
+  predicate isRead() { this.getName() = "readPermission" }
+
+  /** Holds if this is an `android:writePermission` attribute. */
+  predicate isWrite() { this.getName() = "writePermission" }
+}
+
+/**
+ * The `<path-permission`> element of a `<provider>` in an Android manifest file.
+ */
+class AndroidPathPermissionXmlElement extends XMLElement {
+  AndroidPathPermissionXmlElement() {
+    this.getParent() instanceof AndroidProviderXmlElement and
+    this.hasName("path-permission")
+  }
 }
 
 /**

java/ql/test/library-tests/frameworks/android/content-provider/AndroidManifest.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest
+    xmlns:android="http://schemas.android.com/apk/res/android"
+    android:versionCode="1"
+    android:versionName="1.0"
+    package="com.example.app">
+
+    <application
+        android:allowBackup="true"
+        android:icon="@mipmap/ic_launcher"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:label="@string/app_name"
+        android:supportsRtl="true"
+        android:theme="@style/AppTheme">
+
+        <activity
+            android:name=".MainActivity"
+            android:icon="@drawable/ic_launcher"
+			android:label="@string/app_name">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+
+        <provider
+            android:name=".Test"
+            android:authority="com.example.myapp.Test"
+            android:exported="true" />
+
+        <provider
+            android:name=".Safe"
+            android:authority="com.example.myapp.Safe"
+            android:exported="false" />
+    </application>
+</manifest>

java/ql/test/library-tests/frameworks/android/content-provider/Safe.java

@@ -0,0 +1,174 @@
+package com.example.app;
+
+import java.io.FileNotFoundException;
+import android.content.ContentProvider;
+import android.content.ContentValues;
+import android.content.res.AssetFileDescriptor;
+import android.database.Cursor;
+import android.net.Uri;
+import android.os.Bundle;
+import android.os.CancellationSignal;
+import android.os.ParcelFileDescriptor;
+import android.os.RemoteException;
+
+// This Content Provider isn't exported, so there shouldn't be any flow
+public class Safe extends ContentProvider {
+
+	void sink(Object o) {}
+
+	@Override
+	public Bundle call(String authority, String method, String arg, Bundle extras) {
+		sink(authority);
+		sink(method);
+		sink(arg);
+		sink(extras.get("some_key"));
+		return null;
+	}
+
+	public Bundle call(String method, String arg, Bundle extras) {
+		sink(method);
+		sink(arg);
+		sink(extras.get("some_key"));
+		return null;
+	}
+
+	@Override
+	public int delete(Uri uri, String selection, String[] selectionArgs) {
+		sink(uri);
+		sink(selection);
+		sink(selectionArgs);
+		return 0;
+	}
+
+	@Override
+	public int delete(Uri uri, Bundle extras) {
+		sink(uri);
+		sink(extras.get("some_key"));
+		return 0;
+	}
+
+	@Override
+	public String getType(Uri uri) {
+		sink(uri);
+		return null;
+	}
+
+	@Override
+	public Uri insert(Uri uri, ContentValues values, Bundle extras) {
+		sink(uri);
+		sink(values);
+		sink(extras.get("some_key"));
+		return null;
+	}
+
+	@Override
+	public Uri insert(Uri uri, ContentValues values) {
+		sink(uri);
+		sink(values);
+		return null;
+	}
+
+	@Override
+	public AssetFileDescriptor openAssetFile(Uri uri, String mode, CancellationSignal signal) {
+		sink(uri);
+		sink(mode);
+		sink(signal);
+		return null;
+	}
+
+	@Override
+	public AssetFileDescriptor openAssetFile(Uri uri, String mode) {
+		sink(uri);
+		sink(mode);
+		return null;
+	}
+
+	@Override
+	public AssetFileDescriptor openTypedAssetFile(Uri uri, String mimeTypeFilter, Bundle opts,
+			CancellationSignal signal) throws RemoteException, FileNotFoundException {
+		sink(uri);
+		sink(mimeTypeFilter);
+		sink(opts.get("some_key"));
+		sink(signal);
+		return null;
+	}
+
+	@Override
+	public AssetFileDescriptor openTypedAssetFile(Uri uri, String mimeTypeFilter, Bundle opts)
+			throws FileNotFoundException {
+		sink(uri);
+		sink(mimeTypeFilter);
+		sink(opts.get("some_key"));
+		return null;
+	}
+
+	@Override
+	public ParcelFileDescriptor openFile(Uri uri, String mode, CancellationSignal signal) {
+		sink(uri);
+		sink(mode);
+		sink(signal);
+		return null;
+	}
+
+	@Override
+	public ParcelFileDescriptor openFile(Uri uri, String mode) {
+		sink(uri);
+		sink(mode);
+		return null;
+	}
+
+	@Override
+	public Cursor query(Uri uri, String[] projection, Bundle queryArgs,
+			CancellationSignal cancellationSignal) {
+		sink(uri);
+		sink(projection);
+		sink(queryArgs.get("some_key"));
+		sink(cancellationSignal);
+		return null;
+	}
+
+	@Override
+	public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs,
+			String sortOrder) {
+		sink(uri);
+		sink(projection);
+		sink(selection);
+		sink(selectionArgs);
+		return null;
+	}
+
+	@Override
+	public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs,
+			String sortOrder, CancellationSignal cancellationSignal) {
+		sink(uri);
+		sink(projection);
+		sink(selection);
+		sink(selectionArgs);
+		sink(sortOrder);
+		sink(cancellationSignal);
+		return null;
+	}
+
+	@Override
+	public int update(Uri uri, ContentValues values, Bundle extras) {
+		sink(uri);
+		sink(values);
+		sink(extras.get("some_key"));
+		return 0;
+	}
+
+	@Override
+	public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
+		sink(uri);
+		sink(values);
+		sink(selection);
+		sink(selectionArgs);
+		return 0;
+	}
+
+
+	@Override
+	public boolean onCreate() {
+		return false;
+	}
+}