facebook/mariana-trench

Query on writing custom sinks

Closed this issue · 4 comments

Hi there, I am currently trying to detect this flow in a program, where getIntent is the source, and endsWith is the sink.

Intent intent = getIntent();
Uri uri;
if((uri = intent.getData()) != null){
    boolean check = uri.getHost().endsWith("sink");
    finish();
}

The rules for source are from the default, whereas the sink definition is as below:

{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Ljava/lang/String;"
          }
        },
        {
          "constraint": "any_of",
          "inners": [
            {
              "constraint": "name",
              "pattern": "contains"
            },
            {
              "constraint": "name",
              "pattern": "endsWith"
            }
          ]
        }
      ],
      "model": {
        "for_all_parameters": [
          {
            "variable": "x",
            "sinks": [
              {
                "kind": "BypassableHostCheck",
                "port": "Argument(x)"
              }
            ]
          }
        ]
      },
      "verbosity": 1
    }
  ]
}

I am able to find methods that have endsWith as their name, but unable to track the flow. Any advice would be greatly appreciated, thanks!

@chuayupeng

getIntent().getData().getHost() is the sink, not the string "sink".

Argument(0) is a reference to a string object, in this case "getIntent().getData().getHost()".

Change BypassableHostCheck.json to:

{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Ljava/lang/String;"
          }
        },
        {
          "constraint": "any_of",
          "inners": [
            {
              "constraint": "name",
              "pattern": "contains"
            },
            {
              "constraint": "name",
              "pattern": "endsWith"
            }
          ]
        }
      ],
      "model": {
        "sinks": [
          {
            "kind": "BypassableHostCheck",
            "port": "Argument(0)"
          }
        ]
      },
      "verbosity": 1
    }
  ]
}

The rules.json looks like:

[
  {
    "name": "BypassableHostCheck",
    "code": 7,
    "description": "BypassableHostCheck",
    "sources": [
      "FragmentUserInput",
      "ActivityUserInput",
      "ProviderUserInput",
      "ReceiverUserInput",
      "ServiceUserInput"
    ],
    "sinks": [
      "BypassableHostCheck"
    ]
  }
]

@gitWK86 Thanks! The change to Argument(0) worked, but I'm just a bit confused as to why the for all parameters did not work in this case.

for all parameters

Argument(0) here represents the string object itself, which is not a parameter.

I guess for all parameters represents the parameters of the contains function.

E.g., "abc".contains(argument1)
I guess "abc" is Argument(0); for all parameters may only represent argument1.

Sounds about right! Thanks, will keep that in mind moving forward :D
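
Added example, not part of the thread and not Mariana Trench code: a small Python sketch that expands the two "model" objects posted above into concrete sink ports for String.endsWith, to show why only the second one taints the receiver. It assumes the reading given in the thread (on instance methods Argument(0) is the receiver and for_all_parameters binds only to declared parameters); the function names are hypothetical.

```python
import re

# One Dalvik type: any number of '[' then a primitive letter or an L...; class name.
_TYPE = re.compile(r"\[*(?:[ZBSCIJFD]|L[^;]+;)")

def param_types(descriptor):
    """Return parameter types from a descriptor such as '(Ljava/lang/String;)Z'."""
    args = descriptor[descriptor.index("(") + 1 : descriptor.index(")")]
    types = _TYPE.findall(args)
    if "".join(types) != args:
        raise ValueError(f"malformed descriptor: {descriptor!r}")
    return types

def sink_ports(model, descriptor, is_static=False):
    """Expand a generator's "model" into {port index: [sink kinds]} for one method.

    Assumption (from the thread): on instance methods Argument(0) is the
    receiver, and for_all_parameters binds only to the declared parameters.
    """
    first = 0 if is_static else 1
    ports = {}
    for sink in model.get("sinks", []):
        match = re.fullmatch(r"Argument\((\d+)\)", sink["port"])
        if match:  # ports other than Argument(n) are ignored in this sketch
            ports.setdefault(int(match.group(1)), []).append(sink["kind"])
    for template in model.get("for_all_parameters", []):
        placeholder = f"Argument({template['variable']})"
        for offset, _ in enumerate(param_types(descriptor)):
            for sink in template.get("sinks", []):
                if sink["port"] == placeholder:
                    ports.setdefault(first + offset, []).append(sink["kind"])
    return ports

def covers_receiver(model, descriptor):
    """True when an instance method's receiver (Argument(0)) carries a sink."""
    return 0 in sink_ports(model, descriptor)

# The two "model" objects from the thread.
ORIGINAL = {"for_all_parameters": [{"variable": "x", "sinks": [
    {"kind": "BypassableHostCheck", "port": "Argument(x)"}]}]}
FIXED = {"sinks": [{"kind": "BypassableHostCheck", "port": "Argument(0)"}]}

ENDS_WITH = "(Ljava/lang/String;)Z"  # String.endsWith(String) -> boolean

if __name__ == "__main__":
    for name, model in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, sink_ports(model, ENDS_WITH), covers_receiver(model, ENDS_WITH))
```

In uri.getHost().endsWith("sink") the tainted value is the receiver, so under this reading the original model puts the sink on the literal "sink" (Argument(1)) and the flow from getIntent() never reaches it.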