Add more models; fix tests

Author: joefarebrother

java/ql/lib/semmle/code/java/frameworks/android/Intent.qll

@@ -79,6 +79,15 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
         "android.os;BaseBundle;true;putString;;;Argument[1];MapValue of Argument[-1];value",
         "android.os;BaseBundle;true;putStringArray;;;Argument[0];MapKey of Argument[-1];value",
         "android.os;BaseBundle;true;putStringArray;;;Argument[1];MapValue of Argument[-1];value",
+        "android.os;Bundle;false;Bundle;(Bundle);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "android.os;Bundle;false;Bundle;(Bundle);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "android.os;Bundle;false;Bundle;(PersistableBundle);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "android.os;Bundle;false;Bundle;(PersistableBundle);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "android.os;Bundle;true;clone;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "android.os;Bundle;true;clone;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        // model for Bundle.deepCopy is not fully precise, as some map values aren't copied by value
+        "android.os;Bundle;true;deepCopy;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "android.os;Bundle;true;deepCopy;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
         "android.os;Bundle;true;getBinder;(String);;MapValue of Argument[-1];ReturnValue;value",
         "android.os;Bundle;true;getBundle;(String);;MapValue of Argument[-1];ReturnValue;value",
         "android.os;Bundle;true;getByteArray;(String);;MapValue of Argument[-1];ReturnValue;value",
@@ -133,6 +142,11 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
         "android.os;Bundle;true;putStringArrayList;;;Argument[1];MapValue of Argument[-1];value",
         "android.os;Bundle;true;readFromParcel;;;Argument[0];MapKey of Argument[-1];taint",
         "android.os;Bundle;true;readFromParcel;;;Argument[0];MapValue of Argument[-1];taint",
+        // currently only the Extras part of the intent is fully modelled
+        "android.content;Intent;true;addCategory;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;addFlags;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;false;Intent;(Intent);;MapKey of SyntheticField[android.content.Intent.extras] of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
+        "android.content;Intent;false;Intent;(Intent);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;getExtras;();;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getBundleExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getByteArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
@@ -172,7 +186,20 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
         "android.content;Intent;true;replaceExtras;(Bundle);;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;replaceExtras;(Intent);;MapKey of SyntheticField[android.content.Intent.extras] of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;replaceExtras;(Intent);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
-        "android.content;Intent;true;replaceExtras;(Intent);;Argument[-1];ReturnValue;value"
+        "android.content;Intent;true;replaceExtras;(Intent);;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setAction;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setClass;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setClassName;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setComponent;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setData;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setDataAndNormalize;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setDataAndType;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setDataAndTypeAndNormalize;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setFlags;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setIdentifier;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setPackage;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setType;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setTypeAndNormalize;;;Argument[-1];ReturnValue;value"
       ]
   }
 }

java/ql/test/library-tests/dataflow/taintsources/remote.expected

@@ -14,6 +14,8 @@
 | IntentSources.java:16:20:16:30 | getIntent(...) | IntentSources.java:16:20:16:52 | getStringExtra(...) |
 | IntentSources.java:16:20:16:30 | getIntent(...) | IntentSources.java:17:29:17:35 | trouble |
 | IntentSources.java:23:20:23:30 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/content/Intent.java:1358:19:1358:27 | parameter this |
+| IntentSources.java:23:20:23:30 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/os/BaseBundle.java:600:19:600:27 | [summary] read: <map.value> of argument -1 in getString |
+| IntentSources.java:23:20:23:30 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/os/BaseBundle.java:600:19:600:27 | [summary] to write: return (return) in getString |
 | IntentSources.java:23:20:23:30 | getIntent(...) | ../../../stubs/google-android-9.0.0/android/os/BaseBundle.java:600:19:600:27 | parameter this |
 | IntentSources.java:23:20:23:30 | getIntent(...) | IntentSources.java:23:20:23:30 | getIntent(...) |
 | IntentSources.java:23:20:23:30 | getIntent(...) | IntentSources.java:23:20:23:42 | getExtras(...) |

java/ql/test/library-tests/frameworks/android/intent/Test.java

@@ -1,5 +1,6 @@
 package generatedtest;
 
+import android.content.Context;
 import android.content.Intent;
 import android.os.BaseBundle;
 import android.os.Bundle;
@@ -27,6 +28,34 @@ void sink(Object o) { }
 
 	public void test() throws Exception {
 
+		{
+			// "android.content;Intent;false;Intent;(Intent);;MapKey of SyntheticField[android.content.Intent.extras] of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value"
+			Intent out = null;
+			Intent in = (Intent)newWithIntent_extrasDefault(newWithMapKeyDefault(source()));
+			out = new Intent(in);
+			sink(getMapKeyDefault(getIntent_extrasDefault(out))); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;false;Intent;(Intent);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value"
+			Intent out = null;
+			Intent in = (Intent)newWithIntent_extrasDefault(newWithMapValueDefault(source()));
+			out = new Intent(in);
+			sink(getMapValueDefault(getIntent_extrasDefault(out))); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;addCategory;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.addCategory(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;addFlags;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.addFlags(0);
+			sink(out); // $ hasValueFlow
+		}
 		{
 			// "android.content;Intent;true;getBundleExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value"
 			Bundle out = null;
@@ -790,6 +819,104 @@ public void test() throws Exception {
 			out.replaceExtras(in);
 			sink(getMapValueDefault(getIntent_extrasDefault(out))); // $ hasValueFlow
 		}
+		{
+			// "android.content;Intent;true;setAction;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setAction(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setClass;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setClass(null, null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setClassName;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setClassName((String)null, (String)null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setClassName;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setClassName((Context)null, (String)null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setComponent;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setComponent(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setData;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setData(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setDataAndNormalize;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setDataAndNormalize(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setDataAndType;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setDataAndType(null, null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setDataAndTypeAndNormalize;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setDataAndTypeAndNormalize(null, null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setFlags;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setFlags(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setIdentifier;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setIdentifier(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setPackage;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setPackage(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setType;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setType(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.content;Intent;true;setTypeAndNormalize;;;Argument[-1];ReturnValue;value"
+			Intent out = null;
+			Intent in = (Intent)source();
+			out = in.setTypeAndNormalize(null);
+			sink(out); // $ hasValueFlow
+		}
 		{
 			// "android.os;BaseBundle;true;get;(String);;MapValue of Argument[-1];ReturnValue;value"
 			Object out = null;
@@ -931,6 +1058,62 @@ public void test() throws Exception {
 			out.putStringArray(null, in);
 			sink(getMapValueDefault(out)); // $ hasValueFlow
 		}
+		{
+			// "android.os;Bundle;false;Bundle;(Bundle);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			Bundle out = null;
+			Bundle in = (Bundle)newWithMapKeyDefault(source());
+			out = new Bundle(in);
+			sink(getMapKeyDefault(out)); // $ hasValueFlow
+		}
+		{
+			// "android.os;Bundle;false;Bundle;(Bundle);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			Bundle out = null;
+			Bundle in = (Bundle)newWithMapValueDefault(source());
+			out = new Bundle(in);
+			sink(getMapValueDefault(out)); // $ hasValueFlow
+		}
+		{
+			// "android.os;Bundle;false;Bundle;(PersistableBundle);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			Bundle out = null;
+			PersistableBundle in = (PersistableBundle)newWithMapKeyDefault(source());
+			out = new Bundle(in);
+			sink(getMapKeyDefault(out)); // $ hasValueFlow
+		}
+		{
+			// "android.os;Bundle;false;Bundle;(PersistableBundle);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			Bundle out = null;
+			PersistableBundle in = (PersistableBundle)newWithMapValueDefault(source());
+			out = new Bundle(in);
+			sink(getMapValueDefault(out)); // $ hasValueFlow
+		}
+		{
+			// "android.os;Bundle;true;clone;();;MapKey of Argument[-1];MapKey of ReturnValue;value"
+			Object out = null;
+			Bundle in = (Bundle)newWithMapKeyDefault(source());
+			out = in.clone();
+			sink(getMapKeyDefault(out)); // $ hasValueFlow
+		}
+		{
+			// "android.os;Bundle;true;clone;();;MapValue of Argument[-1];MapValue of ReturnValue;value"
+			Object out = null;
+			Bundle in = (Bundle)newWithMapValueDefault(source());
+			out = in.clone();
+			sink(getMapValueDefault(out)); // $ hasValueFlow
+		}
+		{
+			// "android.os;Bundle;true;deepCopy;();;MapKey of Argument[-1];MapKey of ReturnValue;value"
+			Bundle out = null;
+			Bundle in = (Bundle)newWithMapKeyDefault(source());
+			out = in.deepCopy();
+			sink(getMapKeyDefault(out)); // $ hasValueFlow
+		}
+		{
+			// "android.os;Bundle;true;deepCopy;();;MapValue of Argument[-1];MapValue of ReturnValue;value"
+			Bundle out = null;
+			Bundle in = (Bundle)newWithMapValueDefault(source());
+			out = in.deepCopy();
+			sink(getMapValueDefault(out)); // $ hasValueFlow
+		}
 		{
 			// "android.os;Bundle;true;getBinder;(String);;MapValue of Argument[-1];ReturnValue;value"
 			IBinder out = null;

java/ql/test/library-tests/frameworks/android/intent/models.csv

@@ -18,6 +18,14 @@ android.os;BaseBundle;true;putString;;;Argument[0];MapKey of Argument[-1];value
 android.os;BaseBundle;true;putString;;;Argument[1];MapValue of Argument[-1];value
 android.os;BaseBundle;true;putStringArray;;;Argument[0];MapKey of Argument[-1];value
 android.os;BaseBundle;true;putStringArray;;;Argument[1];MapValue of Argument[-1];value
+android.os;Bundle;false;Bundle;(Bundle);;MapKey of Argument[0];MapKey of Argument[-1];value
+android.os;Bundle;false;Bundle;(Bundle);;MapValue of Argument[0];MapValue of Argument[-1];value
+android.os;Bundle;false;Bundle;(PersistableBundle);;MapKey of Argument[0];MapKey of Argument[-1];value
+android.os;Bundle;false;Bundle;(PersistableBundle);;MapValue of Argument[0];MapValue of Argument[-1];value
+android.os;Bundle;true;clone;();;MapKey of Argument[-1];MapKey of ReturnValue;value
+android.os;Bundle;true;clone;();;MapValue of Argument[-1];MapValue of ReturnValue;value
+android.os;Bundle;true;deepCopy;();;MapKey of Argument[-1];MapKey of ReturnValue;value
+android.os;Bundle;true;deepCopy;();;MapValue of Argument[-1];MapValue of ReturnValue;value
 android.os;Bundle;true;getBinder;(String);;MapValue of Argument[-1];ReturnValue;value
 android.os;Bundle;true;getBundle;(String);;MapValue of Argument[-1];ReturnValue;value
 android.os;Bundle;true;getByteArray;(String);;MapValue of Argument[-1];ReturnValue;value
@@ -72,6 +80,10 @@ android.os;Bundle;true;putStringArrayList;;;Argument[0];MapKey of Argument[-1];v
 android.os;Bundle;true;putStringArrayList;;;Argument[1];MapValue of Argument[-1];value
 android.os;Bundle;true;readFromParcel;;;Argument[0];MapKey of Argument[-1];taint
 android.os;Bundle;true;readFromParcel;;;Argument[0];MapValue of Argument[-1];taint
+android.content;Intent;true;addCategory;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;addFlags;;;Argument[-1];ReturnValue;value
+android.content;Intent;false;Intent;(Intent);;MapKey of SyntheticField[android.content.Intent.extras] of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value
+android.content;Intent;false;Intent;(Intent);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value
 android.content;Intent;true;getExtras;();;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value
 android.content;Intent;true;getBundleExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value
 android.content;Intent;true;getByteArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value
@@ -111,4 +123,17 @@ android.content;Intent;true;replaceExtras;(Bundle);;MapValue of Argument[0];MapV
 android.content;Intent;true;replaceExtras;(Bundle);;Argument[-1];ReturnValue;value
 android.content;Intent;true;replaceExtras;(Intent);;MapKey of SyntheticField[android.content.Intent.extras] of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value
 android.content;Intent;true;replaceExtras;(Intent);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value
-android.content;Intent;true;replaceExtras;(Intent);;Argument[-1];ReturnValue;value
+android.content;Intent;true;replaceExtras;(Intent);;Argument[-1];ReturnValue;value
+android.content;Intent;true;setAction;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;setClass;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;setClassName;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;setComponent;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;setData;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;setDataAndNormalize;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;setDataAndType;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;setDataAndTypeAndNormalize;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;setFlags;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;setIdentifier;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;setPackage;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;setType;;;Argument[-1];ReturnValue;value
+android.content;Intent;true;setTypeAndNormalize;;;Argument[-1];ReturnValue;value