
Commit 29f82fc

Use ArrayElementOf in Android sinks
1 parent f4a59cc commit 29f82fc


2 files changed

+29
-16
lines changed

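--- a/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
@@ -40,17 +40,27 @@ private class SQLiteSinkCsv extends SinkModelCsv {
 // queryWithFactory(SQLiteDatabase.CursorFactory cursorFactory, boolean distinct, String table, String[] columns, String selection, String[] selectionArgs, String groupBy, String having, String orderBy, String limit, CancellationSignal cancellationSignal)
 // queryWithFactory(SQLiteDatabase.CursorFactory cursorFactory, boolean distinct, String table, String[] columns, String selection, String[] selectionArgs, String groupBy, String having, String orderBy, String limit)
 // Each String / String[] arg except for selectionArgs is a sink
-"android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String,String);;Argument[0..2];sql",
+"android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String,String);;Argument[0];sql",
+"android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String,String);;ArrayElement of Argument[1];sql",
+"android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String,String);;Argument[2];sql",
 "android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String,String);;Argument[4..7];sql",
 "android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String);;Argument[0..2];sql",
 "android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String);;Argument[4..6];sql",
-"android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String);;Argument[1..3];sql",
+"android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String);;Argument[1];sql",
+"android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String);;ArrayElement of Argument[2];sql",
+"android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String);;Argument[3];sql",
 "android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String);;Argument[5..8];sql",
-"android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[1..3];sql",
+"android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[1];sql",
+"android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;ArrayElement of Argument[2];sql",
+"android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[3];sql",
 "android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[5..8];sql",
-"android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String);;Argument[2..4];sql",
+"android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String);;Argument[2];sql",
+"android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String);;ArrayElement of Argument[3];sql",
+"android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String);;Argument[4];sql",
 "android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String);;Argument[6..9];sql",
-"android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[2..4];sql",
+"android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[2];sql",
+"android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;ArrayElement of Argument[3];sql",
+"android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[4];sql",
 "android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[6..9];sql",
 "android.database.sqlite;SQLiteDatabase;false;rawQuery;(String,String[]);;Argument[0];sql",
 "android.database.sqlite;SQLiteDatabase;false;rawQuery;(String,String[],CancellationSignal);;Argument[0];sql",
@@ -77,13 +87,16 @@ private class SQLiteSinkCsv extends SinkModelCsv {
 // query(SQLiteDatabase db, String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit)
 // query(SQLiteDatabase db, String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit, CancellationSignal cancellationSignal)
 "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String);;Argument[-1];sql",
-"android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String);;Argument[1..2];sql",
+"android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String);;ArrayElement of Argument[1];sql",
+"android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String);;Argument[2];sql",
 "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String);;Argument[4..6];sql",
 "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String);;Argument[-1];sql",
-"android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String);;Argument[1..2];sql",
+"android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String);;ArrayElement of Argument[1];sql",
+"android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String);;Argument[2];sql",
 "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String);;Argument[4..7];sql",
 "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[-1];sql",
-"android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[1..2];sql",
+"android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String,CancellationSignal);;ArrayElement of Argument[1];sql",
+"android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[2];sql",
 "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[4..7];sql",
 "android.content;ContentProvider;true;delete;(Uri,String,String[]);;Argument[1];sql",
 "android.content;ContentProvider;true;update;(Uri,ContentValues,String,String[]);;Argument[2];sql",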
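Review bot: The seven-String `SQLiteDatabase.query` overload on new line 47, `query;(String,String[],String,String[],String,String,String);;Argument[0..2];sql`, is left as a range, so its `columns` array is still modelled as a whole-argument sink while every other `query` / `queryWithFactory` / `SQLiteQueryBuilder.query` row in these hunks now uses `ArrayElement of Argument[n]`. If that is intentional it needs a comment saying why; otherwise split it like its siblings into `;;Argument[0];sql`, `;;ArrayElement of Argument[1];sql` and `;;Argument[2];sql`. The existing comment `// Each String / String[] arg except for selectionArgs is a sink` should also state that for a `String[]` argument the sink is the array's elements, not the array reference. The row list starts and continues outside both hunks, so other range rows covering array arguments may exist that are not visible here.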

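--- a/java/ql/test/library-tests/frameworks/android/taint-database/Sinks.java
+++ b/java/ql/test/library-tests/frameworks/android/taint-database/Sinks.java
@@ -85,7 +85,7 @@ public static void insert(MySQLiteQueryBuilder target) {
 public static void query(SQLiteDatabase target) {
 boolean distinct = taint();
 String table = taint(); // $hasTaintFlowSink
-String[] columns = {taint()}; // $hasTaintFlowSink
+String[] columns = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -98,7 +98,7 @@ public static void query(SQLiteDatabase target) {
 public static void query2(SQLiteDatabase target) {
 boolean distinct = taint();
 String table = taint(); // $hasTaintFlowSink
-String[] columns = {taint()}; // $hasTaintFlowSink
+String[] columns = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -123,7 +123,7 @@ public static void query3(SQLiteDatabase target) {
 
 public static void query4(SQLiteDatabase target) {
 String table = taint(); // $hasTaintFlowSink
-String[] columns = {taint()}; // $hasTaintFlowSink
+String[] columns = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -136,7 +136,7 @@ public static void query4(SQLiteDatabase target) {
 public static void query(MySQLiteQueryBuilder target) {
 target = taint(); // $hasTaintFlowSink
 SQLiteDatabase db = taint();
-String[] projectionIn = {taint()}; // $hasTaintFlowSink
+String[] projectionIn = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -148,7 +148,7 @@ public static void query(MySQLiteQueryBuilder target) {
 public static void query2(MySQLiteQueryBuilder target) {
 target = taint(); // $hasTaintFlowSink
 SQLiteDatabase db = taint();
-String[] projectionIn = {taint()}; // $hasTaintFlowSink
+String[] projectionIn = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -161,7 +161,7 @@ public static void query2(MySQLiteQueryBuilder target) {
 public static void query3(MySQLiteQueryBuilder target) {
 target = taint(); // $hasTaintFlowSink
 SQLiteDatabase db = taint();
-String[] projectionIn = {taint()}; // $hasTaintFlowSink
+String[] projectionIn = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -214,7 +214,7 @@ public static void queryWithFactory(SQLiteDatabase target) {
 SQLiteDatabase.CursorFactory cursorFactory = taint();
 boolean distinct = taint();
 String table = taint(); // $hasTaintFlowSink
-String[] columns = {taint()}; // $hasTaintFlowSink
+String[] columns = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -229,7 +229,7 @@ public static void queryWithFactory2(SQLiteDatabase target) {
 SQLiteDatabase.CursorFactory cursorFactory = taint();
 boolean distinct = taint();
 String table = taint(); // $hasTaintFlowSink
-String[] columns = {taint()}; // $hasTaintFlowSink
+String[] columns = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink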
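Review bot: Every `String[] columns` / `String[] projectionIn` expectation touched in these hunks flips from `$hasTaintFlowSink` to `$ MISSING: hasTaintFlowSink`, which records that the test no longer reports a tainted column array reaching the SQL sink, and nothing in the file explains why. As written this is a loss of SQL-injection coverage for column and projection arrays, presumably because the test's flow configuration does not yet read array-element content at the sink. Put a comment on its own line above the first changed declaration, for example `// MISSING below: the sink is now the array element; taint stored via an array literal is not reported yet`, and restore the plain expectation once that flow is found again. The enclosing test methods begin or end outside the hunks, so the calls that consume these arrays are not visible here.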
