Issue #224 - Changed the detector and added a test case to fit the ch…

…anges requested in #225.
find-sec-bugs · Oct 3, 2016 · 7061d38 · 7061d38
1 parent d49ba19
commit 7061d38
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 8 deletions.
diff --git a/...ndroid/content/LocalBroadcastManager.java → ...ort/v4/content/LocalBroadcastManager.java b/...ndroid/content/LocalBroadcastManager.java → ...ort/v4/content/LocalBroadcastManager.java
@@ -1,4 +1,8 @@
-package android.content;
+package android.support.v4.content;
+
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
 
 public class LocalBroadcastManager {
     public static LocalBroadcastManager getInstance(Context context) { return new LocalBroadcastManager(); }

diff --git a/plugin/src/main/java/com/h3xstream/findsecbugs/android/BroadcastDetector.java b/plugin/src/main/java/com/h3xstream/findsecbugs/android/BroadcastDetector.java
@@ -17,6 +17,7 @@
  */
 package com.h3xstream.findsecbugs.android;
 
+import com.h3xstream.findsecbugs.common.InterfaceUtils;
 import edu.umd.cs.findbugs.BugInstance;
 import edu.umd.cs.findbugs.BugReporter;
 import edu.umd.cs.findbugs.Priorities;
@@ -42,11 +43,16 @@ public void sawOpcode(int seen) {
                     getNameConstantOperand().equals("sendBroadcastAsUser") ||
                     getNameConstantOperand().equals("sendOrderedBroadcast") ||
                     getNameConstantOperand().equals("sendOrderedBroadcastAsUser")
-                )
-                && !getClassConstantOperand().endsWith("LocalBroadcastManager")     // The LocalBroadcastManager object is safe. The broadcast doesn't leave the application scope.
-                ) {
-            bugReporter.reportBug(new BugInstance(this, ANDROID_BROADCAST_TYPE, Priorities.NORMAL_PRIORITY) //
-                    .addClass(this).addMethod(this).addSourceLine(this));
+                )) {
+
+            // The LocalBroadcastManager object is safe. The broadcast doesn't leave the application scope.
+            // We check if the class extends android.support.v4.content.LocalBroadcastManager
+            // We will also check if the class is named "LocalBroadcastManager" in case the version in the namespace changes.
+            if (!InterfaceUtils.isSubtype(getClassConstantOperand(), "android.support.v4.content.LocalBroadcastManager")
+                    && !getClassConstantOperand().endsWith("LocalBroadcastManager")) {
+                bugReporter.reportBug(new BugInstance(this, ANDROID_BROADCAST_TYPE, Priorities.NORMAL_PRIORITY) //
+                        .addClass(this).addMethod(this).addSourceLine(this));
+            }
         }
     }
 }
diff --git a/plugin/src/test/java/testcode/android/BroadcastIntentActivity.java b/plugin/src/test/java/testcode/android/BroadcastIntentActivity.java
@@ -2,7 +2,7 @@
 
 import android.app.Activity;
 import android.content.Intent;
-import android.content.LocalBroadcastManager;
+import android.support.v4.content.LocalBroadcastManager;
 import android.os.Bundle;
 
 public class BroadcastIntentActivity extends Activity {
@@ -30,11 +30,14 @@ protected void onCreate(Bundle b) {
         sendOrderedBroadcast(i,null,null,null,0,null,null);
         sendOrderedBroadcastAsUser(i,null,null,null,null,0,null,null);
 
-        /* This call is safe.
+        /* These calls are safe.
          *
          * https://developer.android.com/reference/android/support/v4/content/LocalBroadcastManager.html
          *      > "You know that the data you are broadcasting won't leave your app, so don't need to worry about leaking private data."
          */
         LocalBroadcastManager.getInstance(this).sendBroadcast(i);
+
+        // This class extends the Android LocalBroadcastManager and is used to test the InterfaceUtils.isSubtype condition.
+        CustomLocalBroadcastManager.getInstance(this).sendBroadcast(i);
     }
 }
diff --git a/plugin/src/test/java/testcode/android/CustomLocalBroadcastManager.java b/plugin/src/test/java/testcode/android/CustomLocalBroadcastManager.java
@@ -0,0 +1,8 @@
+package testcode.android;
+
+import android.support.v4.content.LocalBroadcastManager;
+
+/**
+ * This class is used in the BroadcastDetector to test the Interface.isSubtype([...],  "LocalBroadcastManager") condition.
+ */
+public class CustomLocalBroadcastManager extends LocalBroadcastManager { }