Hi @StevenArzt , FlowDroid reports a FP leak on the following case, in which only mimeType field in the intent should be tainted. But FlowDroid also taints the action field in the intent.
String a = notASource(); // not a source
String b = source();     // <== source
Intent intent = new Intent().setType(b).setAction(a);
sink(intent.getAction()); // <== sink
I register a taint propagation handler to read the incoming and outgoing access paths. I found the problem may happen at the following line:
r5 = virtualinvoke r5.<android.content.Intent: android.content.Intent setType(java.lang.String)>($r4)
incoming: $r4(java.lang.String) * <+length>
outgoing: r5(android.content.Intent) <android.content.Intent: java.lang.String mimeType> * <+length>
outgoing: $r4(java.lang.String) * <+length>
outgoing: r5(android.content.Intent) * <+length>
The 1st outgoing is correct according to the manual summary android.content.Intent.xml. But it seems the 3rd outgoing, which taints the intent object, is not correct. When the intent object is tainted, the return of intent.getAction() is further tainted, which results in the FP.
This is how I set the taint wrapper:
app.setTaintWrapper(new SummaryTaintWrapper(new LazySummaryProvider("summariesManual")));
Do I misconfigure something or is it a FlowDroid bug?
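To make the difference between the 1st and the 3rd outgoing access path concrete, here is a small toy model of field-sensitive taint propagation over access paths. It is an added example and not FlowDroid's own code: the `AccessPath` class, the hand-written summaries for `setType`, `setAction` and `getAction`, the statement tuples and the `taint_base_object` switch are all constructed for illustration. The switch reproduces the two behaviours described above: with only `intent.mimeType` tainted, `getAction()` stays clean; once the whole `intent` base object is tainted, every field read from it, including `action`, is tainted and the sink reports a leak.

```python
"""Toy model of access-path taint propagation (constructed example, not FlowDroid code)."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class AccessPath:
    """base variable plus a field chain; fields == () means the whole object is tainted."""
    base: str
    fields: Tuple[str, ...] = ()

    def covers(self, other: "AccessPath") -> bool:
        # A taint on a prefix (e.g. the base object) implies taint on every longer path.
        return self.base == other.base and other.fields[: len(self.fields)] == self.fields


def tainted(taints: Set[AccessPath], ap: AccessPath) -> bool:
    return any(t.covers(ap) for t in taints)


def alias(taints: Set[AccessPath], src: str, dst: str) -> Set[AccessPath]:
    """Model a method that returns `this`: dst gets the same taints as src."""
    return set(taints) | {AccessPath(dst, t.fields) for t in taints if t.base == src}


# Hand-written summaries (constructed). Signature: (taints, dest, recv, args, taint_base_object).
def summary_set_type(taints, dest, recv, args, taint_base_object):
    out = set(taints)
    if tainted(taints, AccessPath(args[0])):
        out.add(AccessPath(recv, ("mimeType",)))  # the expected 1st outgoing path
        if taint_base_object:
            out.add(AccessPath(recv))             # the disputed 3rd outgoing path
    return alias(out, recv, dest)


def summary_set_action(taints, dest, recv, args, taint_base_object):
    out = set(taints)
    if tainted(taints, AccessPath(args[0])):
        out.add(AccessPath(recv, ("action",)))
    return alias(out, recv, dest)


def summary_get_action(taints, dest, recv, args, taint_base_object):
    out = {t for t in taints if t.base != dest}   # strong update of the result variable
    if tainted(taints, AccessPath(recv, ("action",))):
        out.add(AccessPath(dest))
    return out


SUMMARIES = {"setType": summary_set_type, "setAction": summary_set_action,
             "getAction": summary_get_action}


def run(program: List[tuple], taint_base_object: bool) -> List[str]:
    """Interpret the statement list and return the variables that reach a sink tainted."""
    taints: Set[AccessPath] = set()
    leaks: List[str] = []
    for stmt in program:
        kind = stmt[0]
        if kind == "source":
            taints.add(AccessPath(stmt[1]))
        elif kind in ("clean", "new"):
            taints = {t for t in taints if t.base != stmt[1]}
        elif kind == "call":
            _, dest, recv, method, args = stmt
            taints = SUMMARIES[method](taints, dest, recv, args, taint_base_object)
        elif kind == "sink" and tainted(taints, AccessPath(stmt[1])):
            leaks.append(stmt[1])
    return leaks


# The case from the issue: only b is a source, and the sink reads getAction().
ISSUE_PROGRAM = [
    ("clean", "a"), ("source", "b"), ("new", "intent"),
    ("call", "intent", "intent", "setType", ("b",)),
    ("call", "intent", "intent", "setAction", ("a",)),
    ("call", "act", "intent", "getAction", ()),
    ("sink", "act"),
]

# Control case: the source really flows into the action field, so a leak is correct.
TRUE_POSITIVE_PROGRAM = [("source", "a"), ("clean", "b")] + ISSUE_PROGRAM[2:]

if __name__ == "__main__":
    print("field-sensitive only :", run(ISSUE_PROGRAM, False))         # []
    print("base object tainted  :", run(ISSUE_PROGRAM, True))          # ['act'] -> the FP
    print("true positive        :", run(TRUE_POSITIVE_PROGRAM, False))  # ['act']
```

The model keeps the summary for `setType` field-sensitive by default; only the `taint_base_object` switch adds the extra `intent` (no fields) access path, which is exactly what turns the later `getAction()` read into a false positive while leaving the genuine `setAction(source)` case unchanged.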