Query on writing custom sinks
Closed this issue · 4 comments
Hi there, I am currently trying to detect this flow in a program, where getIntent is the source, and endsWith is the sink.
Intent intent = getIntent();
Uri uri;
if((uri = intent.getData()) != null){
boolean check = uri.getHost().endsWith("sink");
finish();
}
The rules for source are from the default, whereas the sink definition is as below:
{
"model_generators": [
{
"find": "methods",
"where": [
{
"constraint": "parent",
"inner": {
"constraint": "name",
"pattern": "Ljava/lang/String;"
}
},
{
"constraint": "any_of",
"inners": [
{
"constraint": "name",
"pattern": "contains"
},
{
"constraint": "name",
"pattern": "endsWith"
}
]
}
],
"model": {
"for_all_parameters": [
{
"variable": "x",
"sinks": [
{
"kind": "BypassableHostCheck",
"port": "Argument(x)"
}
]
}]
}, "verbosity" : 1
}
]
}
I am able to find methods that have endsWith as its name, but unable to track the flow. Any advice would be greatly appreciated, thanks!
getIntent().getData().getHost() is sink , not string "sink".
Argument(0) is a reference to a string object, in this case "getIntent().getData().getHost()"
BypassableHostCheck.json change to ->
{
"model_generators": [
{
"find": "methods",
"where": [
{
"constraint": "parent",
"inner": {
"constraint": "name",
"pattern": "Ljava/lang/String;"
}
},
{
"constraint": "any_of",
"inners": [
{
"constraint": "name",
"pattern": "contains"
},
{
"constraint": "name",
"pattern": "endsWith"
}
]
}
],
"model": {
"sinks": [
{
"kind": "BypassableHostCheck",
"port": "Argument(0)"
}
]
},
"verbosity": 1
}
]
}
the rules.json like ->
[
{
"name": "BypassableHostCheck",
"code": 7,
"description": "BypassableHostCheck",
"sources": [
"FragmentUserInput",
"ActivityUserInput",
"ProviderUserInput",
"ReceiverUserInput",
"ServiceUserInput"
],
"sinks": [
"BypassableHostCheck"
]
}
]
@gitWK86 thanks! the change to Argument(0) worked, but just a bit confused as to why the for all parameters did not work in this case
for all parameters
Argument(0) here represents the string object itself,which is not params.
I guess for all parameters represents the parameters of the contains function.
e.g, "abc".contains(argument1)
I guess "abc" is Argument(0), for all parameters may only represent argument1
Sounds about right! Thanks, will keep that in mind moving forward :D