bytedance / appshark

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.
Apache License 2.0

How should taint from different entry points propagate? #38

Closed cxxsheng closed 1 year ago

cxxsheng commented 1 year ago
import android.content.Intent;
import android.os.Bundle;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {
    Intent intent;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        intent = getIntent(); // intended taint source
    }

    @Override
    protected void onSaveInstanceState(@NonNull Bundle outState) {
        super.onSaveInstanceState(outState);
        // intended sink: the Intent extra is written into outState
        outState.putString("key", intent.getStringExtra("test"));
    }
}

Above is my sample. I want getIntent to be the source and outState the sink. My rule is as follows, but it does not seem to take effect.

{
  "IntentBabyVersion": {
    "enable": true,
    "SliceMode": true,
    "traceDepth": 10,
    "desc": {
      "name": "reparcel",
      "category": "reparcel",
      "detail": "Intent reparcel, but a very basic version",
      "wiki": "",
      "possibility": "2",
      "model": "high"
    },
    "entry": {},
    "source": {
      "Return": [
        "<android.app.Activity: android.content.Intent getIntent()>"
      ]
    },
    "sink": {
      "<*: * onSaveInstanceState*(*)>": {
        "LibraryOnly": true,
        "TaintParamType": [
          "android.os.Bundle"
        ],
        "TaintCheck": [
          "p*"
        ]
      }
    }
  }
}

nkbai commented 1 year ago

please try to set p1 of putString as the sink.

cxxsheng commented 1 year ago

{
  "IntentTestTEst": {
    "enable": true,
    "SliceMode": true,
    "traceDepth": 6,
    "desc": {
      "name": "reparcel",
      "category": "reparcel",
      "detail": "Intent reparcel, but a very basic version",
      "wiki": "",
      "possibility": "2",
      "model": "high"
    },
    "entry": {},
    "source": {
      "Return": [
        "<android.app.Activity: android.content.Intent getIntent()>"
      ]
    },
    "sink": {
      "<*: void putString*(*)>": {
        "LibraryOnly": true,
        "TaintParamType": [
          "java.lang.String"
        ],
        "TaintCheck": [
          "p*"
        ]
      }
    }
  }
}

app-debug.apk.txt
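As an added illustration (not appshark's own code), here is a simplified Python model of how a sink entry like the one above is matched against a call site and which argument its TaintCheck selects, following nkbai's advice to name p1 of putString. It assumes a Soot-style signature string for the call, that "pN" is the 0-based parameter index, and that TaintParamType restricts which parameter types are considered; since Bundle.putString(key, value) receives the Intent extra as its value, the tainted argument is p1, not p0.

```python
import json
import re

# Constructed rule fragment: the thread's second attempt, but with "p1" as nkbai
# suggests. Bundle.putString(String key, String value) receives the Intent extra
# as its second argument, so p0 is the key and p1 is the tainted value.
RULE = json.loads("""{
  "sink": {
    "<*: void putString*(*)>": {
      "LibraryOnly": true,
      "TaintParamType": ["java.lang.String"],
      "TaintCheck": ["p1"]
    }
  }
}""")

def sig_pattern_to_regex(pattern):
    """Compile an appshark-style signature pattern; each '*' matches any text (simplified)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")

def parse_soot_sig(sig):
    """Split '<cls: ret name(t1,t2)>' into (cls, ret, name, [param types])."""
    m = re.fullmatch(r"<([^:]+): (\S+) ([^(]+)\(([^)]*)\)>", sig)
    if not m:
        raise ValueError("not a Soot method signature: " + sig)
    cls, ret, name, params = m.groups()
    return cls, ret, name, [t for t in params.split(",") if t]

def tainted_sink_params(rule, call_sig, tainted_args):
    """Indexes of arguments the rule would report for this call ([] if it is not a sink).
    Assumption: 'pN' is the 0-based parameter index and TaintParamType filters parameter
    types; '@this'/'return' checks are not modelled in this simplified matcher."""
    param_types = parse_soot_sig(call_sig)[3]
    hits = []
    for pattern, spec in rule["sink"].items():
        if not sig_pattern_to_regex(pattern).match(call_sig):
            continue
        for check in spec.get("TaintCheck", []):
            if check == "p*":
                indexes = range(len(param_types))
            elif check.startswith("p") and check[1:].isdigit():
                indexes = [int(check[1:])]
            else:
                continue
            for i in indexes:
                if i >= len(param_types) or i in hits or i not in tainted_args:
                    continue
                if not spec.get("TaintParamType") or param_types[i] in spec["TaintParamType"]:
                    hits.append(i)
    return hits
```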

cxxsheng commented 1 year ago

Solved in the newest commit.