1515import java
1616import semmle.code.java.dataflow.DataFlow
1717import semmle.code.java.dataflow.TaintTracking
18+
19+ ControlFlowNode getControlFlowNodeSuccessor ( ControlFlowNode node )
20+ {
21+ result = node .getASuccessor ( )
22+ }
1823
19- predicate doesPackageContextLeadToInvokeMethod (
20- DataFlow:: Node sinkPackageContext , MethodAccess maInvoke
21-
22- )
24+ MethodAccess getClassLoaderReachableMethodAccess ( DataFlow:: Node node )
2325{
2426 exists (
25- MethodAccess maGetClassLoader ,
26- MethodAccess maLoadClass ,
27- MethodAccess maGetMethod |
27+ MethodAccess maGetClassLoader , ControlFlowNode cfnGetClassLoader , ControlFlowNode cfnSuccessor |
2828 maGetClassLoader .getCallee ( ) .getName ( ) = "getClassLoader" and
29- maGetClassLoader .getQualifier ( ) = sinkPackageContext .asExpr ( ) and
30- maLoadClass .getCallee ( ) .getName ( ) = "loadClass" and
31- maLoadClass .getQualifier ( ) = maGetClassLoader and
32- // check for arbitray code execution
33- maGetMethod .getCallee ( ) .getName ( ) = "getMethod" and
34- maGetMethod .getQualifier ( ) = maLoadClass and
35- maInvoke .getCallee ( ) .getName ( ) = "invoke" and
36- maInvoke .getQualifier ( ) = maGetMethod
29+ maGetClassLoader .getQualifier ( ) = node .asExpr ( ) and
30+ maGetClassLoader .getControlFlowNode ( ) = cfnGetClassLoader and
31+ //cfnGetClassLoader.getASuccessor+() = cfnSuccessor and
32+ getControlFlowNodeSuccessor + ( cfnGetClassLoader ) = cfnSuccessor and
33+ cfnSuccessor instanceof MethodAccess and
34+ result = cfnSuccessor .( MethodAccess )
3735 )
3836}
3937
38+ MethodAccess getDangerousReachableMethodAccess ( MethodAccess ma )
39+ {
40+ ( ma .getCallee ( ) .hasName ( "getMethod" ) or
41+ ma .getCallee ( ) .hasName ( "getDeclaredMethod" ) ) and
42+ ( (
43+ exists ( MethodAccess maInvoke |
44+ //ma.getControlFlowNode().getASuccessor*() = maInvoke and
45+ getControlFlowNodeSuccessor + ( ma .getControlFlowNode ( ) ) = maInvoke and
46+ maInvoke .getCallee ( ) .hasName ( "invoke" ) and
47+ result = maInvoke
48+ )
49+ ) or
50+ (
51+ exists ( AssignExpr ae , VarAccess va1 , VarAccess va2 , MethodAccess maInvoke |
52+ ae .getSource ( ) = ma and
53+ ae .getDest ( ) = va1 and
54+ maInvoke .getQualifier ( ) = va2 and
55+ va1 .getVariable ( ) = va2 .getVariable ( ) and
56+ result = maInvoke
57+ )
58+ ) )
59+ }
60+
4061predicate isSignaturesChecked ( MethodAccess maCreatePackageContext )
4162{
4263 exists (
@@ -49,22 +70,26 @@ predicate isSignaturesChecked(MethodAccess maCreatePackageContext)
4970 DataFlow:: exprNode ( maCreatePackageContext .getArgument ( 0 ) ) )
5071 )
5172}
52-
73+
5374from
5475 MethodAccess maCreatePackageContext ,
5576 LocalVariableDeclExpr lvdePackageContext ,
5677 DataFlow:: Node sinkPackageContext ,
57- MethodAccess maInvoke
78+ MethodAccess maGetMethod ,
79+ MethodAccess maInvoke
5880where
59- maCreatePackageContext .getCallee ( ) .getDeclaringType ( ) .getQualifiedName ( ) = "android.content.ContextWrapper" and
81+ ( maCreatePackageContext .getCallee ( ) .getDeclaringType ( ) .getQualifiedName ( ) = "android.content.ContextWrapper" or
82+ maCreatePackageContext .getCallee ( ) .getDeclaringType ( ) .getQualifiedName ( ) = "android.content.Context" ) and
6083 maCreatePackageContext .getCallee ( ) .getName ( ) = "createPackageContext" and
6184 not isSignaturesChecked ( maCreatePackageContext ) and
6285 lvdePackageContext .getEnclosingStmt ( ) = maCreatePackageContext .getEnclosingStmt ( ) and
6386 TaintTracking:: localTaint ( DataFlow:: exprNode ( lvdePackageContext .getAnAccess ( ) ) , sinkPackageContext ) and
64- doesPackageContextLeadToInvokeMethod ( sinkPackageContext , maInvoke )
87+ getClassLoaderReachableMethodAccess ( sinkPackageContext ) = maGetMethod and
88+ getDangerousReachableMethodAccess ( maGetMethod ) = maInvoke
6589select
6690 lvdePackageContext ,
6791 sinkPackageContext ,
92+ maGetMethod ,
6893 maInvoke ,
6994 "Potential arbitary code execution due to class loading without package signature checking."
70-
95+
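Review bot: The link from the package context to `maGetMethod` on the line `getClassLoaderReachableMethodAccess(sinkPackageContext) = maGetMethod` is only control-flow reachability from the `getClassLoader()` call, so any `getMethod`/`getDeclaredMethod` that merely appears later in the same method body — including one on a class unrelated to the untrusted package — satisfies it, and the `invoke` matched by `getDangerousReachableMethodAccess(maGetMethod) = maInvoke` is likewise only required to be a later statement (both helpers are defined in the earlier hunk). The removed `doesPackageContextLeadToInvokeMethod` tied the chain together by qualifier (`loadClass` on the classloader, `getMethod` on its result, `invoke` on that), and that constraint is what kept the alert specific to code loaded from the other package; dropping it trades false negatives for false positives that will be hard to triage. I would keep the statement-order helper but add a data link back to the loaded class, e.g. `TaintTracking::localTaint(sinkPackageContext, DataFlow::exprNode(maGetMethod.getQualifier())) and` before the `getDangerousReachableMethodAccess` conjunct — if the default taint steps do not carry through `getClassLoader()`/`loadClass()`, the explicit qualifier chain from the removed predicate is the alternative. Separately, the unchanged select message still reads `"Potential arbitary code execution ..."` and should be `arbitrary`.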