forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathFragmentInjection.qll
More file actions
79 lines (70 loc) · 2.7 KB
/
FragmentInjection.qll
File metadata and controls
79 lines (70 loc) · 2.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
/** Provides classes and predicates to reason about Android Fragment injection vulnerabilities. */
overlay[local?]
module;
import java
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.frameworks.android.Android
private import semmle.code.java.frameworks.android.Fragment
private import semmle.code.java.Reflection
/** The method `isValidFragment` of the class `android.preference.PreferenceActivity`. */
class IsValidFragmentMethod extends Method {
IsValidFragmentMethod() {
this.getDeclaringType()
.getAnAncestor()
.hasQualifiedName("android.preference", "PreferenceActivity") and
this.hasName("isValidFragment")
}
/**
* Holds if this method makes the Activity it is declared in vulnerable to Fragment injection,
* that is, all code paths in this method return `true` and the Activity is exported.
*/
predicate isUnsafe() {
this.getDeclaringType().(AndroidActivity).isExported() and
forex(ReturnStmt retStmt | retStmt.getEnclosingCallable() = this |
retStmt.getResult().(BooleanLiteral).getBooleanValue() = true
)
}
}
/**
* A sink for Fragment injection vulnerabilities,
* that is, method calls that dynamically add fragments to activities.
*/
abstract class FragmentInjectionSink extends DataFlow::Node { }
/** An additional taint step for flows related to Fragment injection vulnerabilites. */
class FragmentInjectionAdditionalTaintStep extends Unit {
/**
* Holds if the step from `node1` to `node2` should be considered a taint
* step in flows related to Fragment injection vulnerabilites.
*/
abstract predicate step(DataFlow::Node n1, DataFlow::Node n2);
}
private class DefaultFragmentInjectionSink extends FragmentInjectionSink {
DefaultFragmentInjectionSink() { sinkNode(this, "fragment-injection") }
}
/**
* A sanitizer for Fragment injection vulnerabilities.
*/
abstract class FragmentInjectionSanitizer extends DataFlow::Node { }
private class ExternalFragmentInjectionSanitizer extends FragmentInjectionSanitizer {
ExternalFragmentInjectionSanitizer() { barrierNode(this, "fragment-injection") }
}
private class DefaultFragmentInjectionAdditionalTaintStep extends FragmentInjectionAdditionalTaintStep
{
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
exists(ReflectiveClassIdentifierMethodCall ma |
ma.getArgument(0) = n1.asExpr() and ma = n2.asExpr()
)
or
exists(NewInstance ni |
ni.getQualifier() = n1.asExpr() and
ni = n2.asExpr()
)
or
exists(MethodCall ma |
ma.getMethod() instanceof FragmentInstantiateMethod and
ma.getArgument(1) = n1.asExpr() and
ma = n2.asExpr()
)
}
}