Open
Description
Hi @StevenArzt, FlowDroid reports a FP leak on the following case, in which only the mimeType field of the intent should be tainted. But FlowDroid also taints the action field of the intent.
```java
String a = notASource(); // not a source
String b = source();     // <== source
Intent intent = new Intent().setType(b).setAction(a);
sink(intent.getAction()); // <== sink (getAction() should not be tainted; only mimeType is)
```
I registered a taint propagation handler to read the incoming and outgoing access paths. I found that the problem may happen at the following line:
```text
r5 = virtualinvoke r5.<android.content.Intent: android.content.Intent setType(java.lang.String)>($r4)
incoming: $r4(java.lang.String) * <+length>
outgoing: r5(android.content.Intent) <android.content.Intent: java.lang.String mimeType> * <+length>
outgoing: $r4(java.lang.String) * <+length>
outgoing: r5(android.content.Intent) * <+length>
```
The 1st outgoing is correct according to the manual summary android.content.Intent.xml. But it seems the 3rd outgoing, which taints the intent object itself, is not correct. When the intent object is tainted, the return value of intent.getAction() is further tainted, which results in the FP.
This is how I set the taint wrapper:

```java
app.setTaintWrapper(new SummaryTaintWrapper(new LazySummaryProvider("summariesManual")));
```
Did I misconfigure something, or is it a FlowDroid bug?
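As an added example, not code from the issue or from FlowDroid: a small Python checker that parses the incoming/outgoing access paths a taint propagation handler prints (the four lines quoted above are embedded as a constructed sample) and flags outgoing paths that taint a whole object whose base was not tainted on entry, which is exactly the third outgoing line. Treating `*` and `<+length>` as opaque trailing markers is an assumption about the print format.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four access paths the issue quotes for the statement
# r5 = virtualinvoke r5.<android.content.Intent: ... setType(java.lang.String)>($r4)
SAMPLE_LOG = """\
incoming: $r4(java.lang.String) * <+length>
outgoing: r5(android.content.Intent) <android.content.Intent: java.lang.String mimeType> * <+length>
outgoing: $r4(java.lang.String) * <+length>
outgoing: r5(android.content.Intent) * <+length>
"""

@dataclass(frozen=True)
class AccessPath:
    base: str        # Jimple local, e.g. r5 or $r4
    base_type: str   # static type printed in parentheses
    fields: tuple    # Soot field signatures, outermost first
    flags: tuple     # trailing markers such as '*' or '<+length>', kept opaque (assumption)

_BASE = re.compile(r"^(\$?\w+)\(([^)]+)\)(.*)$")
_TOKEN = re.compile(r"<[^>]*>|\*")

def parse_access_path(text: str) -> AccessPath:
    """Parse one access path as printed by a FlowDroid taint propagation handler."""
    m = _BASE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised access path: {text!r}")
    base, base_type, rest = m.groups()
    fields, flags = [], []
    for tok in _TOKEN.findall(rest):
        # A field signature is <declaring.Class: field.Type name>; anything else is a marker.
        (fields if ":" in tok else flags).append(tok)
    return AccessPath(base, base_type, tuple(fields), tuple(flags))

def parse_handler_log(log: str):
    """Split 'incoming:' / 'outgoing:' lines into two lists of AccessPath."""
    incoming, outgoing = [], []
    for line in log.splitlines():
        label, _, ap = line.partition(":")   # the first ':' ends the label
        if label.strip() in ("incoming", "outgoing"):
            (incoming if label.strip() == "incoming" else outgoing).append(parse_access_path(ap))
    return incoming, outgoing

def whole_object_taints(log: str):
    """Outgoing paths that taint an entire object whose base was clean on entry.
    A field-precise setter summary yields base.<field>; a bare base taints every getter."""
    incoming, outgoing = parse_handler_log(log)
    tainted_in = {ap.base for ap in incoming}
    return [ap for ap in outgoing if not ap.fields and ap.base not in tainted_in]
```

Running whole_object_taints(SAMPLE_LOG) returns only the r5(android.content.Intent) path without a field, so the same check can be run over a handler dump for any summarised call to see which summaries over-approximate to the whole receiver.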