facebook / mariana-trench

A security focused static analysis tool for Android and Java applications.
https://mariana-tren.ch/
MIT License

Need help to create new sources / sinks #87

Closed serrapa closed 2 years ago

serrapa commented 2 years ago

Hello everyone, I need some help because I cannot detect a simple data flow (doing it just as an exercise to learn Mariana-trench).

I have this piece of source code:

```java
    @Override // android.support.v4.app.FragmentActivity, android.app.Activity
    public void onActivityResult(int i, int i2, Intent intent) {
        super.onActivityResult(i, i2, intent);
        if (i == LOAD_CONTENT_ACTIVITY_REQUEST_CODE && i2 == -1) {
            Boolean valueOf = Boolean.valueOf(intent.getBooleanExtra("use_base_url", false));
            String stringExtra = intent.getStringExtra("base_url");
            String stringExtra2 = intent.getStringExtra("html_content");
            if (valueOf.booleanValue()) {
                this.webview.loadDataWithBaseURL(stringExtra, stringExtra2, "text/html", "UTF-8", stringExtra);
            } else {
                this.webview.loadData(stringExtra2, "text/html", "UTF-8");
            }
        }
    }
```

What I am trying to do is create a source as the first parameter of the getStringExtra method and a sink as the loadDataWithBaseURL method. So, I created two files, the following for the source and the other one for the sink:

IntentSourceGenerator.json:

```json
{
    "model_generators": [
        {
            "find": "methods",
            "where": [
                {
                    "constraint": "name",
                    "pattern": "getStringExtra"
                }
            ],
            "model": {
                "sources": [
                    {
                        "kind": "TestSensitiveUserInput",
                        "port": "Argument(1)"
                    }
                ]
            }
        }
    ]
}
```

TestWebViewLoadGenerator.json:

```json
{
    "model_generators": [
        {
            "find": "methods",
            "where": [
                {
                    "constraint": "name",
                    "pattern": "loadDataWithBaseURL"
                }
            ],
            "model": {
                "sinks": [
                    {
                        "kind": "WebViewLoadContent",
                        "port": "Argument(1)"
                    }
                ]
            }
        }
    ]
}
```

Here the rule added to the rules.json file:

```json
{
    "name": "Test",
    "code": 9,
    "description": "test",
    "sources": [
        "TestSensitiveUserInput"
    ],
    "sinks": [
        "WebViewLoadContent"
    ]
}
```

I don't know what I am doing wrong, but I got the following results. Can someone explain to me what I should do?

```
...
...
INFO Running model generator `taint_in_taint_out` (15/21)
INFO Running model generator `taint_in_taint_this` (16/21)
INFO Running model generator `WebViewLoadGenerator` (17/21)
INFO Running model generator `TestWebViewLoadGenerator` (18/21)
INFO Running model generator `BypassableHostCheckSinkGenerator` (19/21)
INFO Method `Ljava/lang/String;.contains:(Ljava/lang/CharSequence;)Z` satisfies all constraints in json model generator BypassableHostCheckSinkGenerator
INFO Method `Ljava/lang/String;.endsWith:(Ljava/lang/String;)Z` satisfies all constraints in json model generator BypassableHostCheckSinkGenerator
INFO Running model generator `ReflectionSinkGenerator` (20/21)
INFO Running model generator `IntentSourceGenerator` (21/21)
INFO Generated 74062 models and 0 field models in 0.84s.
INFO Initializing models...
INFO Initialized 67126 models and 0 field models in 0.09s.
INFO Initializing rules...
INFO Initialized 9 rules in 0.00s.
INFO Removing unused Kinds
WARNING Kind `SQLMutation` is not used in any rule! You may want to add one for it.
WARNING Kind `ArrayAllocation` is not used in any rule! You may want to add one for it.
INFO Removed 2 kinds in 0.02s.
....
....
INFO Analyzed 67126 models in 3.02s. Found 0 issues!
....
```

nkbai commented 2 years ago

```json
{
    "model_generators": [
        {
            "find": "methods",
            "where": [
                {
                    "constraint": "name",
                    "pattern": "getStringExtra"
                }
            ],
            "model": {
                "sources": [
                    {
                        "kind": "TestSensitiveUserInput",
                        "port": "Return"
                    }
                ]
            }
        }
    ]
}
```

Replace "port": "Argument(1)" with "port": "Return". Is this ok?

serrapa commented 2 years ago

Hello @nkbai, it worked! Thank you so much! Now I think I understood what was wrong: I needed to refer to the argument returned, not the one passed.
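
The port change in this thread, traced over the call sequence from the question, as an added example that is not part of the thread or of Mariana Trench: a toy port resolver, not the tool's analysis. It assumes that for instance methods `Argument(0)` is the receiver; `CALLS`, `resolve` and `find_flows` are hypothetical names, and the trace is constructed from the posted method.

```python
# Toy port resolver (added example; not Mariana Trench's analysis).
# Assumption: for instance methods Argument(0) is the receiver, so
# Argument(1) is the first declared parameter and Return is the result.

# Constructed trace of the true branch of onActivityResult from the question:
# (method, receiver, arguments, variable receiving the result)
CALLS = [
    ("getStringExtra", "intent", ["'base_url'"], "stringExtra"),
    ("getStringExtra", "intent", ["'html_content'"], "stringExtra2"),
    ("loadDataWithBaseURL", "webview",
     ["stringExtra", "stringExtra2", "'text/html'", "'UTF-8'", "stringExtra"], None),
]


def resolve(port, receiver, args, result):
    """Return the value a port names at one call site, or None if out of range."""
    if port == "Return":
        return result
    if port.startswith("Argument(") and port.endswith(")"):
        index = int(port[len("Argument("):-1])
        values = [receiver] + args
        return values[index] if index < len(values) else None
    raise ValueError(f"unsupported port: {port}")


def find_flows(source_models, sink_models, calls=CALLS):
    """Walk the calls in order; report (method, port, value) for tainted sink values."""
    tainted, flows = set(), []
    for method, receiver, args, result in calls:
        for port in sink_models.get(method, []):
            value = resolve(port, receiver, args, result)
            if value in tainted:
                flows.append((method, port, value))
        for port in source_models.get(method, []):
            value = resolve(port, receiver, args, result)
            if value is not None:
                tainted.add(value)
    return flows


SINKS = {"loadDataWithBaseURL": ["Argument(1)"]}
original = find_flows({"getStringExtra": ["Argument(1)"]}, SINKS)
fixed = find_flows({"getStringExtra": ["Return"]}, SINKS)

if __name__ == "__main__":
    print("source on Argument(1):", original)  # marks only the key strings
    print("source on Return:     ", fixed)     # marks stringExtra, stringExtra2
```

Under the same numbering, the HTML body passed to `loadDataWithBaseURL` is `Argument(2)`; the sink in this thread sits on `Argument(1)`, the base URL.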