Adapt to use the new shared Intent models

smowton · smowton · commit 4be2347a30c2 · 2021-10-06T16:15:18.000+01:00
diff --git a/java/ql/lib/semmle/code/java/frameworks/android/Intent.qll b/java/ql/lib/semmle/code/java/frameworks/android/Intent.qll
@@ -142,25 +142,33 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
         "android.os;Bundle;true;putStringArrayList;;;Argument[1];MapValue of Argument[-1];value",
         "android.os;Bundle;true;readFromParcel;;;Argument[0];MapKey of Argument[-1];taint",
         "android.os;Bundle;true;readFromParcel;;;Argument[0];MapValue of Argument[-1];taint",
-        // currently only the Extras part of the intent is fully modelled
+        // currently only the Extras part of the intent and the data field are fully modelled
         "android.content;Intent;false;Intent;(Intent);;MapKey of SyntheticField[android.content.Intent.extras] of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;false;Intent;(Intent);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
+        "android.content;Intent;false;Intent;(String,Uri);;Argument[1];MapValue of SyntheticField[android.content.Intent.data] of Argument[-1];value",
+        "android.content;Intent;false;Intent;(String,Uri,Context,Class);;Argument[1];MapValue of SyntheticField[android.content.Intent.data] of Argument[-1];value",
         "android.content;Intent;true;addCategory;;;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;addFlags;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;false;createChooser;;;Argument[0..2];MapValue of SyntheticField[android.content.Intent.extras] of ReturnValue;value",
         "android.content;Intent;true;getBundleExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getByteArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getCharArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getCharSequenceArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getCharSequenceArrayListExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getCharSequenceExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;getData;;;SyntheticField[android.content.Intent.data] of Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;getDataString;;;SyntheticField[android.content.Intent.data] of Argument[-1];ReturnValue;taint",
         "android.content;Intent;true;getExtras;();;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
+        "android.content;Intent;false;getIntent;();;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];taint",
+        "android.content;Intent;false;getIntentOld;();;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];taint",
         "android.content;Intent;true;getParcelableArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getParcelableArrayListExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getParcelableExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getSerializableExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getStringArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getStringArrayListExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getStringExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
+        "android.content;Intent;false;parseUri;();;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];taint",
         "android.content;Intent;true;putCharSequenceArrayListExtra;;;Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;putCharSequenceArrayListExtra;;;Argument[1];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;putCharSequenceArrayListExtra;;;Argument[-1];ReturnValue;value",
@@ -192,9 +200,13 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
         "android.content;Intent;true;setClassName;;;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;setComponent;;;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;setData;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setData;;;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];value",
         "android.content;Intent;true;setDataAndNormalize;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setDataAndNormalize;;;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];value",
         "android.content;Intent;true;setDataAndType;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setDataAndType;;;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];value",
         "android.content;Intent;true;setDataAndTypeAndNormalize;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setDataAndTypeAndNormalize;;;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];value",
         "android.content;Intent;true;setFlags;;;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;setIdentifier;;;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;setPackage;;;Argument[-1];ReturnValue;value",
diff --git a/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSource.qll b/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSource.qll
@@ -28,45 +28,6 @@ class GetContentIntent extends ClassInstanceExpr {
   }
 }
 
-/** Android intent data model in the new CSV format. */
-private class AndroidIntentDataModel extends SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "android.content;Intent;true;addCategory;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;addFlags;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;createChooser;;;Argument[0];ReturnValue;taint",
-        "android.content;Intent;true;getData;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;getDataString;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;getExtras;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;getIntent;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;get" +
-          [
-            "ParcelableArray", "ParcelableArrayList", "Parcelable", "Serializable", "StringArray",
-            "StringArrayList", "String"
-          ] + "Extra;;;Argument[-1..1];ReturnValue;taint",
-        "android.content;Intent;true;put" +
-          [
-            "", "CharSequenceArrayList", "IntegerArrayList", "ParcelableArrayList",
-            "StringArrayList"
-          ] + "Extra;;;Argument[1];Argument[-1];taint",
-        "android.content;Intent;true;putExtras;;;Argument[1];Argument[-1];taint",
-        "android.content;Intent;true;setData;;;Argument[0];ReturnValue;taint",
-        "android.content;Intent;true;setDataAndType;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;setFlags;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;setType;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getEncodedPath;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getEncodedQuery;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getLastPathSegment;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getPath;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getQuery;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getQueryParameter;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getQueryParameters;;;Argument[-1];ReturnValue;taint"
-      ]
-  }
-}
-
 /** Taint configuration for getting content intent. */
 class GetContentIntentConfig extends TaintTracking2::Configuration {
   GetContentIntentConfig() { this = "GetContentIntentConfig" }
@@ -80,6 +41,19 @@ class GetContentIntentConfig extends TaintTracking2::Configuration {
       ma.getMethod() instanceof StartActivityForResultMethod and sink.asExpr() = ma.getArgument(0)
     )
   }
+
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content content) {
+    super.allowImplicitRead(node, content)
+    or
+    // Allow the wrapped intent created by Intent.getChooser to be consumed
+    // by at the sink:
+    isSink(node) and
+    (
+      content.(DataFlow::SyntheticFieldContent).getField() = "android.content.Intent.extras"
+      or
+      content instanceof DataFlow::MapValueContent
+    )
+  }
 }
 
 /** Android `Intent` input to request file loading. */
diff --git a/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql b/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql
@@ -14,6 +14,8 @@ import semmle.code.java.controlflow.Guards
 import AndroidFileIntentSink
 import AndroidFileIntentSource
 import DataFlow::PathGraph
+// For readStep, to implement `isAdditionalTaintStep`
+private import semmle.code.java.dataflow.internal.DataFlowPrivate
 
 private class StartsWithSanitizer extends DataFlow::BarrierGuard {
   StartsWithSanitizer() { this.(MethodAccess).getMethod().hasName("startsWith") }
@@ -64,13 +66,19 @@ class AndroidFileLeakConfig extends TaintTracking::Configuration {
     )
     or
     exists(MethodAccess csma, ServiceOnStartCommandMethod ssm, ClassInstanceExpr ce |
+      // An intent passed to startService will later be passed to the onStartCommand event of the corresponding service
       csma.getMethod() instanceof ContextStartServiceMethod and
       ce.getConstructedType() instanceof TypeIntent and // Intent intent = new Intent(context, FileUploader.class);
       ce.getArgument(1).(TypeLiteral).getReferencedType() = ssm.getDeclaringType() and
       DataFlow::localExprFlow(ce, csma.getArgument(0)) and // context.startService(intent);
       prev.asExpr() = csma.getArgument(0) and
       succ.asParameter() = ssm.getParameter(0) // public int onStartCommand(Intent intent, int flags, int startId) {...} in FileUploader
     )
+    or
+    // When a whole Intent is tainted (e.g., due to this Configuration's source), treat its fields as tainted
+    readStep(prev,
+      any(DataFlow::SyntheticFieldContent c | c.getField().matches("android.content.Intent.%")),
+      succ)
   }
 
   override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
diff --git a/java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.expected b/java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.expected
@@ -1,34 +1,46 @@
 edges
 | FileService.java:20:31:20:43 | intent : Intent | FileService.java:21:28:21:33 | intent : Intent |
 | FileService.java:20:31:20:43 | intent : Intent | FileService.java:25:42:25:50 | localPath : String |
-| FileService.java:21:28:21:33 | intent : Intent | FileService.java:21:28:21:64 | getStringExtra(...) : String |
-| FileService.java:21:28:21:64 | getStringExtra(...) : String | FileService.java:25:42:25:50 | localPath : String |
+| FileService.java:21:28:21:33 | intent : Intent | FileService.java:21:28:21:64 | getStringExtra(...) : Object |
+| FileService.java:21:28:21:64 | getStringExtra(...) : Object | FileService.java:25:42:25:50 | localPath : Object |
 | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | FileService.java:40:41:40:55 | params : Object[] |
+| FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] |
 | FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] |
+| FileService.java:25:42:25:50 | localPath : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : Object |
+| FileService.java:25:42:25:50 | localPath : Object | FileService.java:32:13:32:28 | sourceUri : Object |
 | FileService.java:25:42:25:50 | localPath : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : String |
 | FileService.java:25:42:25:50 | localPath : String | FileService.java:32:13:32:28 | sourceUri : String |
+| FileService.java:32:13:32:28 | sourceUri : Object | FileService.java:35:17:35:25 | sourceUri : Object |
 | FileService.java:32:13:32:28 | sourceUri : String | FileService.java:35:17:35:25 | sourceUri : String |
+| FileService.java:34:20:36:13 | {...} [[]] : Object | FileService.java:34:20:36:13 | new Object[] [[]] : Object |
 | FileService.java:34:20:36:13 | {...} [[]] : String | FileService.java:34:20:36:13 | new Object[] [[]] : String |
+| FileService.java:35:17:35:25 | sourceUri : Object | FileService.java:34:20:36:13 | {...} [[]] : Object |
 | FileService.java:35:17:35:25 | sourceUri : String | FileService.java:34:20:36:13 | {...} [[]] : String |
 | FileService.java:40:41:40:55 | params : Object[] | FileService.java:44:33:44:52 | (...)... : Object |
 | FileService.java:44:33:44:52 | (...)... : Object | FileService.java:45:53:45:59 | ...[...] |
 | LeakFileActivity2.java:15:13:15:18 | intent : Intent | LeakFileActivity2.java:16:26:16:31 | intent : Intent |
 | LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:20:31:20:43 | intent : Intent |
 | LeakFileActivity.java:14:35:14:38 | data : Intent | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent |
 | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | LeakFileActivity.java:19:31:19:43 | contentIntent : Intent |
-| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | LeakFileActivity.java:19:31:19:53 | getData(...) : Uri |
-| LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri |
-| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | LeakFileActivity.java:21:58:21:82 | getPath(...) |
+| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | LeakFileActivity.java:19:31:19:53 | getData(...) : Object |
+| LeakFileActivity.java:19:31:19:53 | getData(...) : Object | LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object |
+| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object | LeakFileActivity.java:21:58:21:82 | getPath(...) |
 nodes
 | FileService.java:20:31:20:43 | intent : Intent | semmle.label | intent : Intent |
 | FileService.java:21:28:21:33 | intent : Intent | semmle.label | intent : Intent |
-| FileService.java:21:28:21:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
+| FileService.java:21:28:21:64 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
 | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | semmle.label | makeParamsToExecute(...) : Object[] |
+| FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : Object | semmle.label | makeParamsToExecute(...) [[]] : Object |
 | FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : String | semmle.label | makeParamsToExecute(...) [[]] : String |
+| FileService.java:25:42:25:50 | localPath : Object | semmle.label | localPath : Object |
 | FileService.java:25:42:25:50 | localPath : String | semmle.label | localPath : String |
+| FileService.java:32:13:32:28 | sourceUri : Object | semmle.label | sourceUri : Object |
 | FileService.java:32:13:32:28 | sourceUri : String | semmle.label | sourceUri : String |
+| FileService.java:34:20:36:13 | new Object[] [[]] : Object | semmle.label | new Object[] [[]] : Object |
 | FileService.java:34:20:36:13 | new Object[] [[]] : String | semmle.label | new Object[] [[]] : String |
+| FileService.java:34:20:36:13 | {...} [[]] : Object | semmle.label | {...} [[]] : Object |
 | FileService.java:34:20:36:13 | {...} [[]] : String | semmle.label | {...} [[]] : String |
+| FileService.java:35:17:35:25 | sourceUri : Object | semmle.label | sourceUri : Object |
 | FileService.java:35:17:35:25 | sourceUri : String | semmle.label | sourceUri : String |
 | FileService.java:40:41:40:55 | params : Object[] | semmle.label | params : Object[] |
 | FileService.java:44:33:44:52 | (...)... : Object | semmle.label | (...)... : Object |
@@ -38,10 +50,11 @@ nodes
 | LeakFileActivity.java:14:35:14:38 | data : Intent | semmle.label | data : Intent |
 | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | semmle.label | contentIntent : Intent |
 | LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | semmle.label | contentIntent : Intent |
-| LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | semmle.label | getData(...) : Uri |
-| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | semmle.label | streamsToUpload : Uri |
+| LeakFileActivity.java:19:31:19:53 | getData(...) : Object | semmle.label | getData(...) : Object |
+| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object | semmle.label | streamsToUpload : Object |
 | LeakFileActivity.java:21:58:21:82 | getPath(...) | semmle.label | getPath(...) |
 subpaths
+| FileService.java:25:42:25:50 | localPath : Object | FileService.java:32:13:32:28 | sourceUri : Object | FileService.java:34:20:36:13 | new Object[] [[]] : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : Object |
 | FileService.java:25:42:25:50 | localPath : String | FileService.java:32:13:32:28 | sourceUri : String | FileService.java:34:20:36:13 | new Object[] [[]] : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : String |
 #select
 | FileService.java:45:53:45:59 | ...[...] | LeakFileActivity2.java:15:13:15:18 | intent : Intent | FileService.java:45:53:45:59 | ...[...] | Leaking arbitrary Android file from $@. | LeakFileActivity2.java:15:13:15:18 | intent | this user input |
