
Commit 192f45e

committed
Java: convert FragmentInjection test to .qlref
1 parent 2b19cbc commit 192f45e


4 files changed

+83
-15
lines changed

Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
#select
2+
| MainActivity.java:17:20:17:39 | newInstance(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:17:20:17:39 | newInstance(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value |
3+
| MainActivity.java:18:23:18:55 | instantiate(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:18:23:18:55 | instantiate(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value |
4+
| MainActivity.java:19:23:19:61 | instantiate(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:19:23:19:61 | instantiate(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value |
5+
| MainActivity.java:20:23:20:28 | fClass | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:20:23:20:28 | fClass | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value |
6+
| MainActivity.java:21:23:21:42 | newInstance(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:21:23:21:42 | newInstance(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value |
7+
| MainActivity.java:22:23:22:42 | newInstance(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:22:23:22:42 | newInstance(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value |
8+
| MainActivity.java:23:27:23:32 | fClass | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:23:27:23:32 | fClass | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value |
9+
| MainActivity.java:24:27:24:46 | newInstance(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:24:27:24:46 | newInstance(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value |
10+
| MainActivity.java:25:27:25:32 | fClass | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:25:27:25:32 | fClass | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value |
11+
| MainActivity.java:26:27:26:46 | newInstance(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:26:27:26:46 | newInstance(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value |
12+
edges
13+
| MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:14:34:14:68 | getStringExtra(...) : String | provenance | MaD:10 |
14+
| MainActivity.java:14:34:14:68 | getStringExtra(...) : String | MainActivity.java:16:70:16:74 | fname : String | provenance | |
15+
| MainActivity.java:16:38:16:75 | (...)... : Class | MainActivity.java:17:20:17:25 | fClass : Class | provenance | |
16+
| MainActivity.java:16:56:16:75 | forName(...) : Class | MainActivity.java:16:38:16:75 | (...)... : Class | provenance | |
17+
| MainActivity.java:16:70:16:74 | fname : String | MainActivity.java:16:56:16:75 | forName(...) : Class | provenance | Config |
18+
| MainActivity.java:16:70:16:74 | fname : String | MainActivity.java:18:50:18:54 | fname : String | provenance | |
19+
| MainActivity.java:17:20:17:25 | fClass : Class | MainActivity.java:17:20:17:39 | newInstance(...) | provenance | Config Sink:MaD:1 |
20+
| MainActivity.java:17:20:17:25 | fClass : Class | MainActivity.java:20:23:20:28 | fClass | provenance | Sink:MaD:2 |
21+
| MainActivity.java:17:20:17:25 | fClass : Class | MainActivity.java:21:23:21:28 | fClass : Class | provenance | |
22+
| MainActivity.java:18:50:18:54 | fname : String | MainActivity.java:18:23:18:55 | instantiate(...) | provenance | Config Sink:MaD:4 |
23+
| MainActivity.java:18:50:18:54 | fname : String | MainActivity.java:19:50:19:54 | fname : String | provenance | |
24+
| MainActivity.java:19:50:19:54 | fname : String | MainActivity.java:19:23:19:61 | instantiate(...) | provenance | Config Sink:MaD:3 |
25+
| MainActivity.java:21:23:21:28 | fClass : Class | MainActivity.java:21:23:21:42 | newInstance(...) | provenance | Config Sink:MaD:4 |
26+
| MainActivity.java:21:23:21:28 | fClass : Class | MainActivity.java:22:23:22:28 | fClass : Class | provenance | |
27+
| MainActivity.java:22:23:22:28 | fClass : Class | MainActivity.java:22:23:22:42 | newInstance(...) | provenance | Config Sink:MaD:5 |
28+
| MainActivity.java:22:23:22:28 | fClass : Class | MainActivity.java:23:27:23:32 | fClass | provenance | Sink:MaD:6 |
29+
| MainActivity.java:22:23:22:28 | fClass : Class | MainActivity.java:24:27:24:32 | fClass : Class | provenance | |
30+
| MainActivity.java:24:27:24:32 | fClass : Class | MainActivity.java:24:27:24:46 | newInstance(...) | provenance | Config Sink:MaD:8 |
31+
| MainActivity.java:24:27:24:32 | fClass : Class | MainActivity.java:25:27:25:32 | fClass | provenance | Sink:MaD:7 |
32+
| MainActivity.java:24:27:24:32 | fClass : Class | MainActivity.java:26:27:26:32 | fClass : Class | provenance | |
33+
| MainActivity.java:26:27:26:32 | fClass : Class | MainActivity.java:26:27:26:46 | newInstance(...) | provenance | Config Sink:MaD:9 |
34+
models
35+
| 1 | Sink: androidx.fragment.app; FragmentTransaction; true; add; (Fragment,String); ; Argument[0]; fragment-injection; manual |
36+
| 2 | Sink: androidx.fragment.app; FragmentTransaction; true; add; (int,Class,Bundle,String); ; Argument[1]; fragment-injection; manual |
37+
| 3 | Sink: androidx.fragment.app; FragmentTransaction; true; add; (int,Fragment); ; Argument[1]; fragment-injection; manual |
38+
| 4 | Sink: androidx.fragment.app; FragmentTransaction; true; add; (int,Fragment,String); ; Argument[1]; fragment-injection; manual |
39+
| 5 | Sink: androidx.fragment.app; FragmentTransaction; true; attach; (Fragment); ; Argument[0]; fragment-injection; manual |
40+
| 6 | Sink: androidx.fragment.app; FragmentTransaction; true; replace; (int,Class,Bundle); ; Argument[1]; fragment-injection; manual |
41+
| 7 | Sink: androidx.fragment.app; FragmentTransaction; true; replace; (int,Class,Bundle,String); ; Argument[1]; fragment-injection; manual |
42+
| 8 | Sink: androidx.fragment.app; FragmentTransaction; true; replace; (int,Fragment); ; Argument[1]; fragment-injection; manual |
43+
| 9 | Sink: androidx.fragment.app; FragmentTransaction; true; replace; (int,Fragment,String); ; Argument[1]; fragment-injection; manual |
44+
| 10 | Summary: android.content; Intent; true; getStringExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual |
45+
nodes
46+
| MainActivity.java:14:34:14:44 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
47+
| MainActivity.java:14:34:14:68 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
48+
| MainActivity.java:16:38:16:75 | (...)... : Class | semmle.label | (...)... : Class |
49+
| MainActivity.java:16:56:16:75 | forName(...) : Class | semmle.label | forName(...) : Class |
50+
| MainActivity.java:16:70:16:74 | fname : String | semmle.label | fname : String |
51+
| MainActivity.java:17:20:17:25 | fClass : Class | semmle.label | fClass : Class |
52+
| MainActivity.java:17:20:17:39 | newInstance(...) | semmle.label | newInstance(...) |
53+
| MainActivity.java:18:23:18:55 | instantiate(...) | semmle.label | instantiate(...) |
54+
| MainActivity.java:18:50:18:54 | fname : String | semmle.label | fname : String |
55+
| MainActivity.java:19:23:19:61 | instantiate(...) | semmle.label | instantiate(...) |
56+
| MainActivity.java:19:50:19:54 | fname : String | semmle.label | fname : String |
57+
| MainActivity.java:20:23:20:28 | fClass | semmle.label | fClass |
58+
| MainActivity.java:21:23:21:28 | fClass : Class | semmle.label | fClass : Class |
59+
| MainActivity.java:21:23:21:42 | newInstance(...) | semmle.label | newInstance(...) |
60+
| MainActivity.java:22:23:22:28 | fClass : Class | semmle.label | fClass : Class |
61+
| MainActivity.java:22:23:22:42 | newInstance(...) | semmle.label | newInstance(...) |
62+
| MainActivity.java:23:27:23:32 | fClass | semmle.label | fClass |
63+
| MainActivity.java:24:27:24:32 | fClass : Class | semmle.label | fClass : Class |
64+
| MainActivity.java:24:27:24:46 | newInstance(...) | semmle.label | newInstance(...) |
65+
| MainActivity.java:25:27:25:32 | fClass | semmle.label | fClass |
66+
| MainActivity.java:26:27:26:32 | fClass : Class | semmle.label | fClass : Class |
67+
| MainActivity.java:26:27:26:46 | newInstance(...) | semmle.label | newInstance(...) |
68+
subpaths

java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.ql

Lines changed: 0 additions & 4 deletions
This file was deleted.
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
query: Security/CWE/CWE-470/FragmentInjection.ql
2+
postprocess:
3+
- utils/test/PrettyPrintModels.ql
4+
- utils/test/InlineExpectationsTestQuery.ql

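--- a/java/ql/test/query-tests/security/CWE-470/MainActivity.java
+++ b/java/ql/test/query-tests/security/CWE-470/MainActivity.java
@@ -11,19 +11,19 @@ public class MainActivity extends FragmentActivity {
 public void onCreate(Bundle savedInstance) {
 try {
 super.onCreate(savedInstance);
-final String fname = getIntent().getStringExtra("fname");
+final String fname = getIntent().getStringExtra("fname"); // $ Source
 FragmentTransaction ft = getSupportFragmentManager().beginTransaction();
 Class<Fragment> fClass = (Class<Fragment>) Class.forName(fname);
-ft.add(fClass.newInstance(), ""); // $ hasTaintFlow
-ft.add(0, Fragment.instantiate(this, fname), null); // $ hasTaintFlow
-ft.add(0, Fragment.instantiate(this, fname, null)); // $ hasTaintFlow
-ft.add(0, fClass, null, ""); // $ hasTaintFlow
-ft.add(0, fClass.newInstance(), ""); // $ hasTaintFlow
-ft.attach(fClass.newInstance()); // $ hasTaintFlow
-ft.replace(0, fClass, null); // $ hasTaintFlow
-ft.replace(0, fClass.newInstance()); // $ hasTaintFlow
-ft.replace(0, fClass, null, ""); // $ hasTaintFlow
-ft.replace(0, fClass.newInstance(), ""); // $ hasTaintFlow
+ft.add(fClass.newInstance(), ""); // $ Alert
+ft.add(0, Fragment.instantiate(this, fname), null); // $ Alert
+ft.add(0, Fragment.instantiate(this, fname, null)); // $ Alert
+ft.add(0, fClass, null, ""); // $ Alert
+ft.add(0, fClass.newInstance(), ""); // $ Alert
+ft.attach(fClass.newInstance()); // $ Alert
+ft.replace(0, fClass, null); // $ Alert
+ft.replace(0, fClass.newInstance()); // $ Alert
+ft.replace(0, fClass, null, ""); // $ Alert
+ft.replace(0, fClass.newInstance(), ""); // $ Alert
 
 ft.add(Fragment.class.newInstance(), ""); // Safe
 ft.attach(Fragment.class.newInstance()); // Safe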
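Review bot: The only negative cases visible in this hunk, lines 28–29, pass the compile-time constant `Fragment.class`, so nothing here pins how the query treats an intent-supplied `fname` that has been restricted to a known fragment before it reaches `Class.forName` on line 16. If the query is meant to accept such a check, a guarded case such as `if (KnownFragment.class.getName().equals(fname)) ft.add(0, Fragment.instantiate(this, fname), null);` (class name constructed for illustration) would document that. If it is not, the same line annotated `// $ SPURIOUS: Alert` would record the known false positive. `onCreate` continues past the end of this hunk, so a case like this may already exist below line 29.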
