Merge pull request #6567 from luchua-bc/java/sensitive_android_file_leak

Java: CWE-200 - Query to detect exposure of sensitive information from android file intent

Author: smowton

java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll

@@ -103,3 +103,19 @@ private class NumberTaintPreservingCallable extends TaintPreservingCallable {
 
   override predicate returnsTaintFrom(int arg) { arg = argument }
 }
+
+/**
+ * A `Content` that should be implicitly regarded as tainted whenever an object with such `Content`
+ * is itself tainted.
+ *
+ * For example, if we had a type `class Container { Contained field; }`, then by default a tainted
+ * `Container` and a `Container` with a tainted `Contained` stored in its `field` are distinct.
+ *
+ * If `any(DataFlow::FieldContent fc | fc.getField().hasQualifiedName("Container", "field"))` was
+ * included in this type however, then a tainted `Container` would imply that its `field` is also
+ * tainted (but not vice versa).
+ *
+ * Note that `TaintTracking::Configuration` applies this behaviour by default to array, collection,
+ * map-key and map-value content, so that e.g. a tainted `Map` is assumed to have tainted keys and values.
+ */
+abstract class TaintInheritingContent extends DataFlow::Content { }

java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -83,7 +83,11 @@ private module Cached {
       not sink.getTypeBound() instanceof PrimitiveType and
       not sink.getTypeBound() instanceof BoxedType and
       not sink.getTypeBound() instanceof NumberType and
-      containerContent(f)
+      (
+        containerContent(f)
+        or
+        f instanceof TaintInheritingContent
+      )
     )
     or
     FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)

java/ql/lib/semmle/code/java/frameworks/android/Intent.qll

@@ -1,4 +1,5 @@
 import java
+private import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSteps
 import semmle.code.java.dataflow.ExternalFlow
 
@@ -35,23 +36,12 @@ class ContextStartActivityMethod extends Method {
   }
 }
 
-class IntentGetExtraMethod extends Method, TaintPreservingCallable {
-  IntentGetExtraMethod() {
-    (getName().regexpMatch("get\\w+Extra") or hasName("getExtras")) and
-    getDeclaringType() instanceof TypeIntent
-  }
-
-  override predicate returnsTaintFrom(int arg) { arg = -1 }
-}
-
-/** A getter on `android.os.BaseBundle` or `android.os.Bundle`. */
-class BundleGetterMethod extends Method, TaintPreservingCallable {
-  BundleGetterMethod() {
-    getDeclaringType().hasQualifiedName("android.os", ["BaseBundle", "Bundle"]) and
-    getName().matches("get%")
-  }
-
-  override predicate returnsTaintFrom(int arg) { arg = -1 }
+/**
+ * Specifies that if an `Intent` is tainted, then so are its synthetic fields.
+ */
+private class IntentFieldsInheritTaint extends DataFlow::SyntheticFieldContent,
+  TaintInheritingContent {
+  IntentFieldsInheritTaint() { this.getField().matches("android.content.Intent.%") }
 }
 
 private class IntentBundleFlowSteps extends SummaryModelCsv {
@@ -142,31 +132,45 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
         "android.os;Bundle;true;putStringArrayList;;;Argument[1];MapValue of Argument[-1];value",
         "android.os;Bundle;true;readFromParcel;;;Argument[0];MapKey of Argument[-1];taint",
         "android.os;Bundle;true;readFromParcel;;;Argument[0];MapValue of Argument[-1];taint",
-        // currently only the Extras part of the intent is fully modelled
-        "android.content;Intent;true;addCategory;;;Argument[-1];ReturnValue;value",
-        "android.content;Intent;true;addFlags;;;Argument[-1];ReturnValue;value",
+        // currently only the Extras part of the intent and the data field are fully modelled
         "android.content;Intent;false;Intent;(Intent);;MapKey of SyntheticField[android.content.Intent.extras] of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;false;Intent;(Intent);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
-        "android.content;Intent;true;getExtras;();;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
+        "android.content;Intent;false;Intent;(String,Uri);;Argument[1];SyntheticField[android.content.Intent.data] of Argument[-1];value",
+        "android.content;Intent;false;Intent;(String,Uri,Context,Class);;Argument[1];SyntheticField[android.content.Intent.data] of Argument[-1];value",
+        "android.content;Intent;true;addCategory;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;addFlags;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;false;createChooser;;;Argument[0..2];MapValue of SyntheticField[android.content.Intent.extras] of ReturnValue;value",
         "android.content;Intent;true;getBundleExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getByteArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getCharArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getCharSequenceArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getCharSequenceArrayListExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getCharSequenceExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;getData;;;SyntheticField[android.content.Intent.data] of Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;getDataString;;;SyntheticField[android.content.Intent.data] of Argument[-1];ReturnValue;taint",
+        "android.content;Intent;true;getExtras;();;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
+        "android.content;Intent;false;getIntent;;;Argument[0];SyntheticField[android.content.Intent.data] of ReturnValue;taint",
+        "android.content;Intent;false;getIntentOld;;;Argument[0];SyntheticField[android.content.Intent.data] of ReturnValue;taint",
         "android.content;Intent;true;getParcelableArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getParcelableArrayListExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getParcelableExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getSerializableExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getStringArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getStringArrayListExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
         "android.content;Intent;true;getStringExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
+        "android.content;Intent;false;parseUri;;;Argument[0];SyntheticField[android.content.Intent.data] of ReturnValue;taint",
         "android.content;Intent;true;putCharSequenceArrayListExtra;;;Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;putCharSequenceArrayListExtra;;;Argument[1];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;putCharSequenceArrayListExtra;;;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;putExtra;;;Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;putExtra;;;Argument[1];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;putExtra;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;putExtras;(Bundle);;MapKey of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
+        "android.content;Intent;true;putExtras;(Bundle);;MapValue of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
+        "android.content;Intent;true;putExtras;(Bundle);;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;putExtras;(Intent);;MapKey of SyntheticField[android.content.Intent.extras] of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
+        "android.content;Intent;true;putExtras;(Intent);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
+        "android.content;Intent;true;putExtras;(Intent);;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;putIntegerArrayListExtra;;;Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;putIntegerArrayListExtra;;;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;putParcelableArrayListExtra;;;Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
@@ -175,12 +179,6 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
         "android.content;Intent;true;putStringArrayListExtra;;;Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;putStringArrayListExtra;;;Argument[1];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;putStringArrayListExtra;;;Argument[-1];ReturnValue;value",
-        "android.content;Intent;true;putExtras;(Bundle);;MapKey of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
-        "android.content;Intent;true;putExtras;(Bundle);;MapValue of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
-        "android.content;Intent;true;putExtras;(Bundle);;Argument[-1];ReturnValue;value",
-        "android.content;Intent;true;putExtras;(Intent);;MapKey of SyntheticField[android.content.Intent.extras] of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
-        "android.content;Intent;true;putExtras;(Intent);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
-        "android.content;Intent;true;putExtras;(Intent);;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;replaceExtras;(Bundle);;MapKey of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;replaceExtras;(Bundle);;MapValue of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
         "android.content;Intent;true;replaceExtras;(Bundle);;Argument[-1];ReturnValue;value",
@@ -192,9 +190,13 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
         "android.content;Intent;true;setClassName;;;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;setComponent;;;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;setData;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setData;;;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];value",
         "android.content;Intent;true;setDataAndNormalize;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setDataAndNormalize;;;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];value",
         "android.content;Intent;true;setDataAndType;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setDataAndType;;;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];value",
         "android.content;Intent;true;setDataAndTypeAndNormalize;;;Argument[-1];ReturnValue;value",
+        "android.content;Intent;true;setDataAndTypeAndNormalize;;;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];value",
         "android.content;Intent;true;setFlags;;;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;setIdentifier;;;Argument[-1];ReturnValue;value",
         "android.content;Intent;true;setPackage;;;Argument[-1];ReturnValue;value",

java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSink.qll

@@ -0,0 +1,60 @@
+/** Provides Android sink models related to file creation. */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.frameworks.android.Android
+import semmle.code.java.frameworks.android.Intent
+
+/** A sink representing methods creating a file in Android. */
+class AndroidFileSink extends DataFlow::Node {
+  AndroidFileSink() { sinkNode(this, "create-file") }
+}
+
+/**
+ * The Android class `android.os.AsyncTask` for running tasks off the UI thread to achieve
+ * better user experience.
+ */
+class AsyncTask extends RefType {
+  AsyncTask() { this.hasQualifiedName("android.os", "AsyncTask") }
+}
+
+/** The `execute` or `executeOnExecutor` method of Android's `AsyncTask` class. */
+class ExecuteAsyncTaskMethod extends Method {
+  int paramIndex;
+
+  ExecuteAsyncTaskMethod() {
+    this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof AsyncTask and
+    (
+      this.getName() = "execute" and paramIndex = 0
+      or
+      this.getName() = "executeOnExecutor" and paramIndex = 1
+    )
+  }
+
+  int getParamIndex() { result = paramIndex }
+}
+
+/** The `doInBackground` method of Android's `AsyncTask` class. */
+class AsyncTaskRunInBackgroundMethod extends Method {
+  AsyncTaskRunInBackgroundMethod() {
+    this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof AsyncTask and
+    this.getName() = "doInBackground"
+  }
+}
+
+/** The service start method of Android's `Context` class. */
+class ContextStartServiceMethod extends Method {
+  ContextStartServiceMethod() {
+    this.getName() = ["startService", "startForegroundService"] and
+    this.getDeclaringType().getASupertype*() instanceof TypeContext
+  }
+}
+
+/** The `onStartCommand` method of Android's `Service` class. */
+class ServiceOnStartCommandMethod extends Method {
+  ServiceOnStartCommandMethod() {
+    this.hasName("onStartCommand") and
+    this.getDeclaringType() instanceof AndroidService
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSource.qll

@@ -0,0 +1,81 @@
+/** Provides summary models relating to file content inputs of Android. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking2
+import semmle.code.java.frameworks.android.Android
+
+/** The `startActivityForResult` method of Android's `Activity` class. */
+class StartActivityForResultMethod extends Method {
+  StartActivityForResultMethod() {
+    this.getDeclaringType().getASupertype*() instanceof AndroidActivity and
+    this.getName() = "startActivityForResult"
+  }
+}
+
+/** An instance of `android.content.Intent` constructed passing `GET_CONTENT` to the constructor. */
+class GetContentIntent extends ClassInstanceExpr {
+  GetContentIntent() {
+    this.getConstructedType() instanceof TypeIntent and
+    this.getArgument(0).(CompileTimeConstantExpr).getStringValue() =
+      "android.intent.action.GET_CONTENT"
+    or
+    exists(Field f |
+      this.getArgument(0) = f.getAnAccess() and
+      f.hasName("ACTION_GET_CONTENT") and
+      f.getDeclaringType() instanceof TypeIntent
+    )
+  }
+}
+
+/** Taint configuration that identifies `GET_CONTENT` `Intent` instances passed to `startActivityForResult`. */
+class GetContentIntentConfig extends TaintTracking2::Configuration {
+  GetContentIntentConfig() { this = "GetContentIntentConfig" }
+
+  override predicate isSource(DataFlow2::Node src) {
+    exists(GetContentIntent gi | src.asExpr() = gi)
+  }
+
+  override predicate isSink(DataFlow2::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof StartActivityForResultMethod and sink.asExpr() = ma.getArgument(0)
+    )
+  }
+
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content content) {
+    super.allowImplicitRead(node, content)
+    or
+    // Allow the wrapped intent created by Intent.getChooser to be consumed
+    // by at the sink:
+    isSink(node) and
+    (
+      content.(DataFlow::SyntheticFieldContent).getField() = "android.content.Intent.extras"
+      or
+      content instanceof DataFlow::MapValueContent
+    )
+  }
+}
+
+/** A `GET_CONTENT` `Intent` instances that is passed to `startActivityForResult`. */
+class AndroidFileIntentInput extends DataFlow::Node {
+  MethodAccess ma;
+
+  AndroidFileIntentInput() {
+    this.asExpr() = ma.getArgument(0) and
+    ma.getMethod() instanceof StartActivityForResultMethod and
+    exists(GetContentIntentConfig cc, GetContentIntent gi |
+      cc.hasFlow(DataFlow::exprNode(gi), DataFlow::exprNode(ma.getArgument(0)))
+    )
+  }
+
+  /** The request code passed to `startActivityForResult`, which is to be matched in `onActivityResult()`. */
+  int getRequestCode() { result = ma.getArgument(1).(CompileTimeConstantExpr).getIntValue() }
+}
+
+/** The `onActivityForResult` method of Android `Activity` */
+class OnActivityForResultMethod extends Method {
+  OnActivityForResultMethod() {
+    this.getDeclaringType().getASupertype*() instanceof AndroidActivity and
+    this.getName() = "onActivityResult"
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-200/LoadFileFromAppActivity.java

@@ -0,0 +1,31 @@
+public class LoadFileFromAppActivity extends Activity {
+    public static final int REQUEST_CODE__SELECT_CONTENT_FROM_APPS = 99;
+
+    @Override
+    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
+        if (requestCode == LoadFileFromAppActivity.REQUEST_CODE__SELECT_CONTENT_FROM_APPS &&
+                resultCode == RESULT_OK) {
+            
+            {
+                // BAD: Load file without validation
+                loadOfContentFromApps(data, resultCode);
+            }
+
+            {
+                // GOOD: load file with validation
+                if (!data.getData().getPath().startsWith("/data/data")) {
+                    loadOfContentFromApps(data, resultCode);
+                }    
+            }
+        }
+    }
+
+    private void loadOfContentFromApps(Intent contentIntent, int resultCode) {
+        Uri streamsToUpload = contentIntent.getData();
+        try {
+            RandomAccessFile file = new RandomAccessFile(streamsToUpload.getPath(), "r");
+        } catch (Exception ex) {
+            ex.printStackTrace();
+        }
+    }
+}