bytedance / appshark

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.
Apache License 2.0

Taint chain does not propagate to the fields of objects held in a List #65

Open hxtch opened 9 months ago

hxtch commented 9 months ago

Hi all, please help me with a problem.

The code being scanned is below. The source is set to queryIntentActivities and the sink to startActivity:

```json
"source": {
    "Return": [
        "<: queryIntentActivities()>"
    ]
},
"sink": {
    "<: startActivity(*)>": {
        "TaintParamType": [
            "android.content.Intent"
        ],
        "TaintCheck": [
            "p0"
        ]
    }
}
```

The following propagation chain is connected and is detected by the scan:

```java
Intent intent = new Intent();
intent.setClassName("com.test.app", "com.test.activity");
// source: the returned list is tainted
List<ResolveInfo> queryIntentActivities = this.getPackageManager().queryIntentActivities(intent, 65536);
for (ResolveInfo i : queryIntentActivities) {
    // taint flows through the return value of a method called on the list element
    intent.setPackage(String.valueOf(i.describeContents()));
    startActivity(intent); // sink
}
```

But when the argument to setPackage is a field of the list element, the propagation chain breaks and nothing is detected:

```java
List<ResolveInfo> queryIntentActivities = this.getPackageManager().queryIntentActivities(intent, 65536);
for (ResolveInfo i : queryIntentActivities) {
    // taint flows through a field read on the list element instead of a method return
    intent.setPackage(i.resolvePackageName);
    startActivity(intent); // sink
}
```

It seems the taint only propagates to the return values of methods called on the ResolveInfo object, and not to the fields of the ResolveInfo object. Could someone please take a look at how to fix this break?
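The break described in this report can be reproduced in a toy model. The following is an added example written for this page, not appshark's own code: a minimal forward taint propagator over a Jimple-like statement list (the `for` loop unrolled to one iteration), with the field-read rule switchable. With that rule off, the first chain (method return on a tainted receiver) still reaches the sink while the second (field read) stops at `i`; with it on, both reach `startActivity`. The statement IR, the rule set and every local name are constructed for the example; only the Android API names come from the post above.

```python
"""Toy forward taint propagator for the two chains in the report.

Added example, not appshark code. Models a handful of Jimple-like statements so
the difference between "taint flows out of a call on a tainted receiver" and
"taint flows out of a field read on a tainted object" is visible.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Stmt:
    """One statement of the constructed toy IR."""
    kind: str                   # "new" | "source" | "call" | "field" | "sink"
    dst: Optional[str] = None   # local written by the statement, if any
    base: Optional[str] = None  # receiver local for call/field, if any
    args: tuple = ()            # argument locals
    name: str = ""              # method or field name, for display only


def analyze(stmts: Sequence[Stmt], field_propagation: bool):
    """Straight-line forward taint propagation.

    Rules (constructed for the example):
      source -> dst becomes tainted
      call   -> dst tainted if receiver or any argument is tainted;
                a tainted argument also taints the receiver (setter side effect)
      field  -> dst tainted if receiver is tainted, only when field_propagation
      sink   -> reported if any argument is tainted
      new    -> fresh object, never tainted
    Returns (reports, sorted list of tainted locals).
    """
    tainted: set[str] = set()
    reports: list[str] = []
    for s in stmts:
        if s.kind == "source":
            tainted.add(s.dst)
        elif s.kind == "call":
            arg_tainted = any(a in tainted for a in s.args)
            if (s.base in tainted or arg_tainted) and s.dst is not None:
                tainted.add(s.dst)
            if s.base is not None and arg_tainted:
                tainted.add(s.base)
        elif s.kind == "field":
            if field_propagation and s.base in tainted:
                tainted.add(s.dst)
        elif s.kind == "sink":
            if any(a in tainted for a in s.args):
                reports.append(f"{s.name}({', '.join(s.args)})")
    return reports, sorted(tainted)


def _prefix():
    """Shared head of both chains: build the Intent, query, take one element."""
    return [
        Stmt("new", dst="intent", name="Intent"),
        Stmt("call", base="intent", name="setClassName"),
        Stmt("source", dst="list", base="pm", args=("intent",), name="queryIntentActivities"),
        Stmt("call", dst="it", base="list", name="iterator"),   # enhanced-for lowering
        Stmt("call", dst="i", base="it", name="next"),
    ]


def chain1():
    """intent.setPackage(String.valueOf(i.describeContents())) -- detected."""
    return _prefix() + [
        Stmt("call", dst="tmp", base="i", name="describeContents"),
        Stmt("call", dst="s", args=("tmp",), name="String.valueOf"),
        Stmt("call", base="intent", args=("s",), name="setPackage"),
        Stmt("sink", args=("intent",), name="startActivity"),
    ]


def chain2():
    """intent.setPackage(i.resolvePackageName) -- breaks without a field rule."""
    return _prefix() + [
        Stmt("field", dst="s", base="i", name="resolvePackageName"),
        Stmt("call", base="intent", args=("s",), name="setPackage"),
        Stmt("sink", args=("intent",), name="startActivity"),
    ]


if __name__ == "__main__":
    for label, chain in (("chain1", chain1()), ("chain2", chain2())):
        for fp in (False, True):
            reports, tainted = analyze(chain, field_propagation=fp)
            print(f"{label} field_propagation={fp}: reports={reports} tainted={tainted}")
```

Running it shows chain2 with `field_propagation=False` leaves `s` and `intent` untainted, which is exactly the break at `i.resolvePackageName`; the same chain with the field rule enabled reports the sink. In a real analyzer the corresponding fix is a propagation rule for field reads on tainted objects (or a model of the iterator and element type), not a change to the source or sink configuration.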

nkbai commented 9 months ago

Do you have the complete APK? The problem may be in how the iterator is handled.