Merge pull request #10479 from jcogs33/android-service-sources

jcogs33 · web-flow · commit 56e3334c6db9 · 2022-09-27T12:40:18.000-04:00
Java: add Android service sources
diff --git a/java/ql/lib/change-notes/2022-09-23-android-service-sources.md b/java/ql/lib/change-notes/2022-09-23-android-service-sources.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added external flow sources for the intents received in exported Android services.
diff --git a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -250,6 +250,12 @@ class AndroidIntentInput extends DataFlow::Node {
       this.asParameter() = m.getParameter(1) and
       receiverType = m.getDeclaringType()
     )
+    or
+    exists(Method m, AndroidServiceIntentMethod sI |
+      m.overrides*(sI) and
+      this.asParameter() = m.getParameter(0) and
+      receiverType = m.getDeclaringType()
+    )
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/frameworks/android/Intent.qll b/java/ql/lib/semmle/code/java/frameworks/android/Intent.qll
@@ -22,6 +22,13 @@ class TypeActivity extends Class {
   TypeActivity() { this.hasQualifiedName("android.app", "Activity") }
 }
 
+/**
+ * The class `android.app.Service`.
+ */
+class TypeService extends Class {
+  TypeService() { this.hasQualifiedName("android.app", "Service") }
+}
+
 /**
  * The class `android.content.Context`.
  */
@@ -57,6 +64,17 @@ class AndroidReceiveIntentMethod extends Method {
   }
 }
 
+/**
+ * The method `Service.onStart`, `onStartCommand`,
+ * `onBind`, `onRebind`, `onUnbind`, or `onTaskRemoved`.
+ */
+class AndroidServiceIntentMethod extends Method {
+  AndroidServiceIntentMethod() {
+    this.hasName(["onStart", "onStartCommand", "onBind", "onRebind", "onUnbind", "onTaskRemoved"]) and
+    this.getDeclaringType() instanceof TypeService
+  }
+}
+
 /**
  * The method `Context.startActivity` or `startActivities`.
  */
diff --git a/java/ql/test/experimental/query-tests/security/CWE-200/FileService.java b/java/ql/test/experimental/query-tests/security/CWE-200/FileService.java
@@ -1,5 +1,5 @@
 import java.io.FileOutputStream;
-
+import android.os.IBinder;
 import android.app.Service;
 import android.content.Intent;
 import android.net.Uri;
@@ -52,13 +52,18 @@ protected String doInBackground(Object[] params) {
         @Override
         protected void onPostExecute(String result) {
         }
-    
+
         @Override
         protected void onPreExecute() {
         }
 
         @Override
         protected void onProgressUpdate(Void... values) {
-        }    
+        }
+    }
+
+    @Override
+    public IBinder onBind(Intent intent) {
+        return null;
     }
 }
diff --git a/java/ql/test/library-tests/dataflow/taintsources/AndroidManifest.xml b/java/ql/test/library-tests/dataflow/taintsources/AndroidManifest.xml
@@ -18,7 +18,7 @@
 
         <!-- This name is resolved to com.example.myapp.MainActivity
              based upon the package attribute -->
-        <activity android:name=".IntentSources">
+        <activity android:name=".IntentSourcesActivity">
             <intent-filter>
                 <action android:name="android.intent.action.MAIN" />
                 <category android:name="android.intent.category.LAUNCHER" />
@@ -28,6 +28,18 @@
         <activity
             android:name=".DisplayMessageActivity"
             android:parentActivityName=".MainActivity" />
+
+        <service android:name=".IntentSourcesService">
+            <intent-filter>
+                <action android:name="android.intent.action.START_BACKGROUND"/>
+            </intent-filter>
+        </service>
+
+        <receiver android:name=".IntentSourcesReceiver">
+            <intent-filter>
+                <action android:name="android.intent.action.PACKAGE_INSTALL"/>
+            </intent-filter>
+        </receiver>
     </application>
 </manifest>
 
diff --git a/java/ql/test/library-tests/dataflow/taintsources/IntentSourcesActivity.java b/java/ql/test/library-tests/dataflow/taintsources/IntentSourcesActivity.java
@@ -2,7 +2,7 @@
 
 import android.app.Activity;
 
-public class IntentSources extends Activity {
+public class IntentSourcesActivity extends Activity {
 
 	private static void sink(Object o) {}
 
@@ -26,14 +26,13 @@ public void test3() throws java.io.IOException {
 		sink(trouble); // $hasRemoteTaintFlow
 
 	}
-
 }
 
 class OtherClass {
 
 	private static void sink(Object o) {}
 
-	public void test(IntentSources is) throws java.io.IOException {
+	public void test(IntentSourcesActivity is) throws java.io.IOException {
 		String trouble = is.getIntent().getStringExtra("key");
 		sink(trouble); // $hasRemoteTaintFlow
 	}
diff --git a/java/ql/test/library-tests/dataflow/taintsources/IntentSourcesReceiver.java b/java/ql/test/library-tests/dataflow/taintsources/IntentSourcesReceiver.java
@@ -0,0 +1,22 @@
+package com.example.myapp;
+
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+
+public class IntentSourcesReceiver extends BroadcastReceiver {
+
+	private static void sink(Object o) {}
+
+	@Override
+	public void onReceive(Context context, Intent intent) {
+		{
+			String trouble = intent.getStringExtra("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+		{
+			String trouble = intent.getExtras().getString("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+	}
+}
diff --git a/java/ql/test/library-tests/dataflow/taintsources/IntentSourcesService.java b/java/ql/test/library-tests/dataflow/taintsources/IntentSourcesService.java
@@ -0,0 +1,87 @@
+package com.example.myapp;
+
+import android.app.Service;
+import android.content.Context;
+import android.content.Intent;
+import android.os.IBinder;
+
+public class IntentSourcesService extends Service {
+
+	private static void sink(Object o) {}
+
+	@Override
+	public void onStart(Intent intent, int startId) {
+		{
+			String trouble = intent.getStringExtra("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+		{
+			String trouble = intent.getExtras().getString("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+	}
+
+	@Override
+	public int onStartCommand(Intent intent, int flags, int startId) {
+		{
+			String trouble = intent.getStringExtra("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+		{
+			String trouble = intent.getExtras().getString("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+		return -1;
+	}
+
+	@Override
+	public IBinder onBind(Intent intent) {
+		{
+			String trouble = intent.getStringExtra("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+		{
+			String trouble = intent.getExtras().getString("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+		return null;
+	}
+
+	@Override
+	public boolean onUnbind(Intent intent) {
+		{
+			String trouble = intent.getStringExtra("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+		{
+			String trouble = intent.getExtras().getString("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+		return false;
+	}
+
+	@Override
+	public void onRebind(Intent intent) {
+		{
+			String trouble = intent.getStringExtra("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+		{
+			String trouble = intent.getExtras().getString("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+	}
+
+	@Override
+	public void onTaskRemoved(Intent intent) {
+		{
+			String trouble = intent.getStringExtra("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+		{
+			String trouble = intent.getExtras().getString("data");
+			sink(trouble); // $ hasRemoteTaintFlow
+		}
+	}
+
+}
diff --git a/java/ql/test/stubs/google-android-9.0.0/android/app/Service.java b/java/ql/test/stubs/google-android-9.0.0/android/app/Service.java

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added external flow sources for the intents received in exported Android services.
Original file line number	Diff line number	Diff line change
`@@ -250,6 +250,12 @@ class AndroidIntentInput extends DataFlow::Node {`
`250`	`250`	`this.asParameter() = m.getParameter(1) and`
`251`	`251`	`receiverType = m.getDeclaringType()`
`252`	`252`	`)`
	`253`	`+ or`
	`254`	`+ exists(Method m, AndroidServiceIntentMethod sI \|`
	`255`	`+ m.overrides*(sI) and`
	`256`	`+ this.asParameter() = m.getParameter(0) and`
	`257`	`+ receiverType = m.getDeclaringType()`
	`258`	`+ )`
`253`	`259`	`}`
`254`	`260`	`}`
`255`	`261`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`
`3`	`3`	`import android.app.Activity;`
`4`	`4`
`5`		`-public class IntentSources extends Activity {`
	`5`	`+public class IntentSourcesActivity extends Activity {`
`6`	`6`
`7`	`7`	`private static void sink(Object o) {}`
`8`	`8`
`@@ -26,14 +26,13 @@ public void test3() throws java.io.IOException {`
`26`	`26`	`sink(trouble); // $hasRemoteTaintFlow`
`27`	`27`
`28`	`28`	`}`
`29`		`-`
`30`	`29`	`}`
`31`	`30`
`32`	`31`	`class OtherClass {`
`33`	`32`
`34`	`33`	`private static void sink(Object o) {}`
`35`	`34`
`36`		`- public void test(IntentSources is) throws java.io.IOException {`
	`35`	`+ public void test(IntentSourcesActivity is) throws java.io.IOException {`
`37`	`36`	`String trouble = is.getIntent().getStringExtra("key");`
`38`	`37`	`sink(trouble); // $hasRemoteTaintFlow`
`39`	`38`	`}`