Merge pull request #9129 from atorralba/atorralba/get-underlying-expr

atorralba · web-flow · commit e179126abb11 · 2022-07-27T11:42:28.000+02:00
Java: Add Expr::getUnderlyingExpr predicate
diff --git a/java/ql/lib/change-notes/2022-05-12-get-underlying-expr.md b/java/ql/lib/change-notes/2022-05-12-get-underlying-expr.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* The QL predicate `Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.
diff --git a/java/ql/lib/semmle/code/java/Expr.qll b/java/ql/lib/semmle/code/java/Expr.qll
@@ -100,6 +100,18 @@ class Expr extends ExprParent, @expr {
 
   /** Holds if this expression is parenthesized. */
   predicate isParenthesized() { isParenthesized(this, _) }
+
+  /**
+   * Gets the underlying expression looking through casts and not-nulls, if any.
+   * Otherwise just gets this expression.
+   */
+  Expr getUnderlyingExpr() {
+    if this instanceof CastingExpr or this instanceof NotNullExpr
+    then
+      result = this.(CastingExpr).getExpr().getUnderlyingExpr() or
+      result = this.(NotNullExpr).getExpr().getUnderlyingExpr()
+    else result = this
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll
@@ -51,7 +51,7 @@ private predicate sharedPreferencesInput(DataFlow::Node editor, Expr input) {
   exists(MethodAccess m |
     m.getMethod() instanceof PutSharedPreferenceMethod and
     input = m.getArgument(1) and
-    editor.asExpr() = m.getQualifier()
+    editor.asExpr() = m.getQualifier().getUnderlyingExpr()
   )
 }
 
@@ -61,7 +61,7 @@ private predicate sharedPreferencesInput(DataFlow::Node editor, Expr input) {
  */
 private predicate sharedPreferencesStore(DataFlow::Node editor, MethodAccess m) {
   m.getMethod() instanceof StoreSharedPreferenceMethod and
-  editor.asExpr() = m.getQualifier()
+  editor.asExpr() = m.getQualifier().getUnderlyingExpr()
 }
 
 /** Flow from `SharedPreferences.Editor` to either a setter or a store method. */
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll
@@ -75,15 +75,18 @@ private predicate webViewLoadUrl(Argument urlArg, WebViewRef webview) {
     loadUrl.getArgument(0) = urlArg and
     loadUrl.getMethod() instanceof WebViewLoadUrlMethod
   |
+    webview.getAnAccess() = DataFlow::exprNode(loadUrl.getQualifier().getUnderlyingExpr())
+    or
     webview.getAnAccess() = DataFlow::getInstanceArgument(loadUrl)
     or
     // `webview` is received as a parameter of an event method in a custom `WebViewClient`,
     // so we need to find `WebViews` that use that specific `WebViewClient`.
     exists(WebViewClientEventMethod eventMethod, MethodAccess setWebClient |
       setWebClient.getMethod() instanceof WebViewSetWebViewClientMethod and
       setWebClient.getArgument(0).getType() = eventMethod.getDeclaringType() and
-      loadUrl.getQualifier() = eventMethod.getWebViewParameter().getAnAccess()
+      loadUrl.getQualifier().getUnderlyingExpr() = eventMethod.getWebViewParameter().getAnAccess()
     |
+      webview.getAnAccess() = DataFlow::exprNode(setWebClient.getQualifier().getUnderlyingExpr()) or
       webview.getAnAccess() = DataFlow::getInstanceArgument(setWebClient)
     )
   )
diff --git a/java/ql/test/query-tests/security/CWE-312/CleartextStorageSharedPrefsTestKt.kt b/java/ql/test/query-tests/security/CWE-312/CleartextStorageSharedPrefsTestKt.kt
@@ -0,0 +1,11 @@
+import android.app.Activity
+import android.content.Context
+import android.content.SharedPreferences
+
+class CleartextStorageSharedPrefsTestKt : Activity() {
+    fun testSetSharedPrefs1(context: Context, name: String, password: String) {
+		val sharedPrefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
+		sharedPrefs.edit().putString("name", name).apply(); // Safe
+		sharedPrefs.edit().putString("password", password).apply(); // $ hasCleartextStorageSharedPrefs
+	}
+}
diff --git a/java/ql/test/query-tests/security/CWE-312/options b/java/ql/test/query-tests/security/CWE-312/options
@@ -1 +1,2 @@
 // semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0
+// codeql-extractor-kotlin-options: ${testdir}/../../../stubs/google-android-9.0.0
diff --git a/java/ql/test/query-tests/security/CWE-749/AndroidManifest.xml b/java/ql/test/query-tests/security/CWE-749/AndroidManifest.xml
@@ -44,6 +44,7 @@
 
         <activity android:name=".UnsafeActivity3" android:exported="true" />
         <activity android:name=".UnsafeActivity4" android:exported="true" />
+        <activity android:name=".UnsafeActivityKt" android:exported="true" />
 
         <receiver android:name=".UnsafeAndroidBroadcastReceiver" android:exported="true" />        
     </application>
diff --git a/java/ql/test/query-tests/security/CWE-749/UnsafeActivityKt.kt b/java/ql/test/query-tests/security/CWE-749/UnsafeActivityKt.kt
@@ -0,0 +1,20 @@
+package com.example.app
+
+import android.app.Activity
+import android.os.Bundle
+import android.webkit.WebSettings
+import android.webkit.WebView
+import android.webkit.WebViewClient
+
+class UnsafeActivityKt : Activity() {
+    override fun onCreate(savedInstanceState : Bundle) {
+
+		val wv = findViewById<WebView>(-1)
+		// Implicit not-nulls happening here
+		wv.settings.setJavaScriptEnabled(true)
+		wv.settings.setAllowFileAccessFromFileURLs(true)
+
+		val thisUrl : String = intent.extras.getString("url")
+		wv.loadUrl(thisUrl) // $ hasUnsafeAndroidAccess
+    }
+}
diff --git a/java/ql/test/query-tests/security/CWE-749/options b/java/ql/test/query-tests/security/CWE-749/options
@@ -1 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/android
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0
+//codeql-extractor-kotlin-options: ${testdir}/../../../stubs/google-android-9.0.0

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: feature
 +---
 +* The QL predicate `Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ private predicate sharedPreferencesInput(DataFlow::Node editor, Expr input) {`
`51`	`51`	`exists(MethodAccess m \|`
`52`	`52`	`m.getMethod() instanceof PutSharedPreferenceMethod and`
`53`	`53`	`input = m.getArgument(1) and`
`54`		`- editor.asExpr() = m.getQualifier()`
	`54`	`+ editor.asExpr() = m.getQualifier().getUnderlyingExpr()`
`55`	`55`	`)`
`56`	`56`	`}`
`57`	`57`
`@@ -61,7 +61,7 @@ private predicate sharedPreferencesInput(DataFlow::Node editor, Expr input) {`
`61`	`61`	`*/`
`62`	`62`	`private predicate sharedPreferencesStore(DataFlow::Node editor, MethodAccess m) {`
`63`	`63`	`m.getMethod() instanceof StoreSharedPreferenceMethod and`
`64`		`- editor.asExpr() = m.getQualifier()`
	`64`	`+ editor.asExpr() = m.getQualifier().getUnderlyingExpr()`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	/** Flow from `SharedPreferences.Editor` to either a setter or a store method. */
Original file line number	Diff line number	Diff line change
`@@ -75,15 +75,18 @@ private predicate webViewLoadUrl(Argument urlArg, WebViewRef webview) {`
`75`	`75`	`loadUrl.getArgument(0) = urlArg and`
`76`	`76`	`loadUrl.getMethod() instanceof WebViewLoadUrlMethod`
`77`	`77`	`\|`
	`78`	`+ webview.getAnAccess() = DataFlow::exprNode(loadUrl.getQualifier().getUnderlyingExpr())`
	`79`	`+ or`
`78`	`80`	`webview.getAnAccess() = DataFlow::getInstanceArgument(loadUrl)`
`79`	`81`	`or`
`80`	`82`	// `webview` is received as a parameter of an event method in a custom `WebViewClient`,
`81`	`83`	// so we need to find `WebViews` that use that specific `WebViewClient`.
`82`	`84`	`exists(WebViewClientEventMethod eventMethod, MethodAccess setWebClient \|`
`83`	`85`	`setWebClient.getMethod() instanceof WebViewSetWebViewClientMethod and`
`84`	`86`	`setWebClient.getArgument(0).getType() = eventMethod.getDeclaringType() and`
`85`		`- loadUrl.getQualifier() = eventMethod.getWebViewParameter().getAnAccess()`
	`87`	`+ loadUrl.getQualifier().getUnderlyingExpr() = eventMethod.getWebViewParameter().getAnAccess()`
`86`	`88`	`\|`
	`89`	`+ webview.getAnAccess() = DataFlow::exprNode(setWebClient.getQualifier().getUnderlyingExpr()) or`
`87`	`90`	`webview.getAnAccess() = DataFlow::getInstanceArgument(setWebClient)`
`88`	`91`	`)`
`89`	`92`	`)`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0`
	`2`	`+// codeql-extractor-kotlin-options: ${testdir}/../../../stubs/google-android-9.0.0`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/android`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0`
	`2`	`+//codeql-extractor-kotlin-options: ${testdir}/../../../stubs/google-android-9.0.0`