
APK Security Guard MCP Suite

by il-il1
SourcesAndSinks.txt (41.6 kB)
<javax.servlet.ServletRequest: java.lang.String getParameter(java.lang.String)> -> _SOURCE_ <javax.persistence.EntityManager: javax.persistence.TypedQuery createQuery(java.lang.String,java.lang.Class)> -> _SINK_ <javax.servlet.http.HttpServletResponse: void sendRedirect(java.lang.String)> -> _SINK_ <java.io.File: boolean delete()> -> _SINK_ <org.apache.xalan.xsltc.runtime.BasisLibrary: java.lang.String replace(java.lang.String,java.lang.String,java.lang.String[])> -> _SINK_ <org.springframework.mock.web.portlet.MockPortletRequest: void setParameters(java.util.Map)> -> _SINK_ <org.apache.axis2.description.AxisService: void printWSDLError(java.io.OutputStream)> -> _SINK_ <org.springframework.mock.web.portlet.MockPortletRequest: void setParameter(java.lang.String,java.lang.String)> -> _SINK_ <org.apache.commons.lang3.text.StrSubstitutor: java.lang.String replace(char[])> -> _SINK_ <org.apache.xmlrpc.webserver.XmlRpcServletServer: void setResponseHeader(org.apache.xmlrpc.common.ServerStreamConnection,java.lang.String,java.lang.String)> -> _SINK_ <net.sourceforge.pebble.domain.Comment: void setAuthenticated(boolean)> -> _SINK_ <java.lang.String: java.lang.String replaceFirst(java.lang.String,java.lang.String)> -> _SINK_ <org.springframework.web.socket.server.support.WebSocketHttpRequestHandler: void handleRequest(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)> -> _SINK_ <org.apache.xmlrpc.server.ReflectiveXmlRpcHandler: java.lang.Object execute(org.apache.xmlrpc.XmlRpcRequest)> -> _SINK_ <com.mysql.jdbc.Statement: java.sql.ResultSet executeQuery(java.lang.String)> -> _SINK_ <org.springframework.test.context.transaction.TransactionalTestExecutionListener: void runAfterTransactionMethods(org.springframework.test.context.TestContext)> -> _SINK_ <org.springframework.web.servlet.tags.UrlTag: java.lang.String createUrl()> -> _SINK_ <org.apache.xmlrpc.webserver.XmlRpcServlet: void log(java.lang.String)> -> _SINK_ 
<org.apache.stratos.cli.StratosApplication: int run(java.lang.String[])> -> _SINK_ <org.owasp.webgoat.session.ParameterParser: void update(javax.servlet.ServletRequest)> -> _SINK_ <org.apache.commons.lang3.text.StrSubstitutor: java.lang.String replace(java.lang.CharSequence)> -> _SINK_ <org.apache.xmlrpc.webserver.XmlRpcServletServer: void execute(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)> -> _SINK_ <org.apache.xmlrpc.webserver.ServletOutputStreamImpl: void write(byte[],int,int)> -> _SINK_ <org.apache.xmlrpc.webserver.ConnectionServer: void writeResponse(org.apache.xmlrpc.common.XmlRpcStreamRequestConfig,java.io.OutputStream,java.lang.Object)> -> _SINK_ <org.apache.xmlrpc.webserver.Connection: void writeResponseHeader(org.apache.xmlrpc.webserver.RequestData,int)> -> _SINK_ <org.apache.bcel.util.JavaWrapper: void runMain(java.lang.String,java.lang.String[])> -> _SINK_ <org.springframework.format.datetime.joda.PeriodFormatter: java.lang.Object parse(java.lang.String,java.util.Locale)> -> _SINK_ <org.apache.xerces.impl.xs.models.XSDFACM: void dumpTree(org.apache.xerces.impl.dtd.models.CMNode,int)> -> _SINK_ <org.springframework.jdbc.core.JdbcTemplate: java.lang.Object query(java.lang.String,org.springframework.jdbc.core.ResultSetExtractor)> -> _SINK_ <org.owasp.webgoat.session.DatabaseUtilities: java.sql.Connection getHsqldbConnection(java.lang.String,org.owasp.webgoat.session.WebgoatContext)> -> _SINK_ <org.springframework.jdbc.core.JdbcTemplate: void execute(java.lang.String)> -> _SINK_ <org.springframework.mock.web.MockBodyContent: void println(java.lang.String)> -> _SINK_ <org.owasp.webgoat.HammerHead: void log(javax.servlet.http.HttpServletRequest,java.lang.String)> -> _SINK_ <org.apache.xmlrpc.server.XmlRpcServerWorker: java.lang.Object execute(org.apache.xmlrpc.XmlRpcRequest)> -> _SINK_ <org.owasp.webgoat.session.LessonSession: void setAuthenticated(boolean)> -> _SINK_ 
<org.springframework.orm.hibernate3.support.ClobStringType: int[] sqlTypes()> -> _SINK_ <org.owasp.webgoat.session.WebSession: void update(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,java.lang.String)> -> _SINK_ <org.hibernate.validator.internal.util.ConcurrentReferenceHashMap: boolean replace(java.lang.Object,java.lang.Object,java.lang.Object)> -> _SINK_ <org.apache.xmlrpc.webserver.WebServer: void setParanoid(boolean)> -> _SINK_ <com.novell.ldap.rfc2251.RfcFilter: void addSubstring(int,byte[])> -> _SINK_ <org.springframework.web.socket.sockjs.transport.session.WebSocketServerSockJsSession: void handleMessage(org.springframework.web.socket.TextMessage,org.springframework.web.socket.WebSocketSession)> -> _SINK_ <org.xmldb.api.base.XMLDBException: void printStackTrace(java.io.PrintWriter)> -> _SINK_ <org.springframework.web.socket.adapter.standard.StandardWebSocketSession: void sendTextMessage(org.springframework.web.socket.TextMessage)> -> _SINK_ <org.apache.xerces.impl.xpath.regex.REUtil: void dumpString(java.lang.String)> -> _SINK_ <org.apache.xalan.xsltc.compiler.util.Util: java.lang.String replace(java.lang.String,java.lang.String,java.lang.String[])> -> _SINK_ <org.apache.http.impl.conn.DefaultClientConnection: void sendRequestHeader(org.apache.http.HttpRequest)> -> _SINK_ <org.apache.commons.validator.util.ValidatorUtils: java.lang.String replace(java.lang.String,java.lang.String,java.lang.String)> -> _SINK_ <com.google.json.JsonSanitizer: void replace(int,int,java.lang.String)> -> _SINK_ <org.owasp.esapi.reference.validation.StringValidationRule: void addBlacklistPattern(java.util.regex.Pattern)> -> _SINK_ <org.apache.commons.lang3.text.StrSubstitutor: java.lang.String replace(java.lang.CharSequence,int,int)> -> _SINK_ <java.lang.String: java.lang.String replace(java.lang.CharSequence,java.lang.CharSequence)> -> _SINK_ <org.hibernate.validator.internal.util.ConcurrentReferenceHashMap: java.lang.Object 
replace(java.lang.Object,java.lang.Object)> -> _SINK_ <org.springframework.security.util.FieldUtils: void setProtectedFieldValue(java.lang.String,java.lang.Object,java.lang.Object)> -> _SINK_ <org.springframework.mock.web.MockBodyContent: void println(char[])> -> _SINK_ <org.springframework.test.context.junit4.SpringJUnit4ClassRunner: void runChild(org.junit.runners.model.FrameworkMethod,org.junit.runner.notification.RunNotifier)> -> _SINK_ <org.springframework.web.socket.handler.ConcurrentWebSocketSessionDecorator: void sendMessage(org.springframework.web.socket.WebSocketMessage)> -> _SINK_ <org.springframework.orm.hibernate3.TypeDefinitionBean: void setParameters(java.util.Properties)> -> _SINK_ <org.springframework.format.datetime.joda.DateTimeParser: org.joda.time.DateTime parse(java.lang.String,java.util.Locale)> -> _SINK_ %<java.lang.String: java.lang.String replaceAll(java.lang.String,java.lang.String)> -> _SINK_ <org.apache.commons.io.HexDump: void dump(byte[],long,java.io.OutputStream,int)> -> _SINK_ <org.springframework.mock.web.MockJspWriter: void println(java.lang.String)> -> _SINK_ <org.apache.xalan.templates.ElemTemplateElement: org.w3c.dom.Node replaceChild(org.w3c.dom.Node,org.w3c.dom.Node)> -> _SINK_ <org.springframework.web.socket.config.HandlersBeanDefinitionParser: org.springframework.beans.factory.config.BeanDefinition parse(org.w3c.dom.Element,org.springframework.beans.factory.xml.ParserContext)> -> _SINK_ <com.github.scribejava.core.oauth.OAuth20Service: com.github.scribejava.core.model.OAuth2AccessToken sendAccessTokenRequestSync(com.github.scribejava.core.model.OAuthRequest)> -> _SINK_ <com.github.scribejava.core.oauth.OAuth20Service: java.util.concurrent.Future sendAccessTokenRequestAsync(com.github.scribejava.core.model.OAuthRequestAsync,com.github.scribejava.core.model.OAuthAsyncRequestCallback)> -> _SINK_ <org.apache.xmlrpc.client.XmlRpcClient: java.lang.Object execute(java.lang.String,java.lang.Object[])> -> _SINK_ <java.lang.Runtime: 
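java.lang.Process exec(java.lang.String)> -> _SINK_
<org.apache.xpath.jaxp.XPathImpl: javax.xml.xpath.XPathExpression compile(java.lang.String)> -> _SINK_
<org.jsoup.parser.Parser: org.jsoup.nodes.Document parse(java.lang.String,java.lang.String)> -> _SINK_
<org.jsoup.nodes.Node: org.jsoup.nodes.Node before(java.lang.String)> -> _SINK_
<org.jsoup.nodes.Node: org.jsoup.nodes.Node after(java.lang.String)> -> _SINK_
<javax.servlet.http.HttpServletResponseWrapper: void sendRedirect(java.lang.String)> -> _SINK_
% NOTE(review): every entry is a full method signature of the form
% <declaringClass: returnType methodName(paramTypes)> -> _SOURCE_ | _SINK_ | _BOTH_,
% and a zero-argument method is written methodName(). An entry with unbalanced
% parentheses presumably cannot be matched by the analyzer, so that source
% (credential getters included) would go untracked and its flows unreported --
% confirm against the parser in use.
<org.springframework.security.config.http.CsrfBeanDefinitionParser: org.springframework.beans.factory.config.BeanDefinition getCsrfLogoutHandler()> -> _SOURCE_
<org.springframework.security.config.authentication.CachingUserDetailsService: org.springframework.security.core.userdetails.UserDetails loadUserByUsername(java.lang.String)> -> _SOURCE_
<org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper: org.springframework.security.core.userdetails.UserDetails loadUserDetails(org.springframework.security.core.Authentication)> -> _SOURCE_
<java.io.File: java.io.File getAbsoluteFile()> -> _SOURCE_
<org.apache.commons.jxpath.ri.parser.XPathParser: java.lang.String unescape(java.lang.String)> -> _SOURCE_
<org.springframework.security.config.http.FormLoginBeanDefinitionParser: java.lang.String getLoginPage()> -> _SOURCE_
<org.apache.xmlrpc.webserver.HttpServletRequestImpl: java.lang.String getRealPath(java.lang.String)> -> _SOURCE_
<com.google.auth.oauth2.UserCredentials: java.lang.String getClientSecret()> -> _SOURCE_
<org.springframework.web.servlet.tags.UrlTag: java.lang.String createQueryString(java.util.List,java.util.Set,boolean)> -> _SOURCE_
<org.springframework.messaging.simp.stomp.StompDecoder: java.lang.String unescape(java.lang.String)> -> _SOURCE_
<org.springframework.web.servlet.tags.UrlTag: java.lang.String createUrl()> -> _SOURCE_
<java.io.File: java.io.File getCanonicalFile()> -> _SOURCE_
<org.apache.commons.jxpath.ri.JXPathContextReferenceImpl: java.lang.Object getValue(java.lang.String)> -> _SOURCE_
<org.apache.xmlrpc.webserver.RequestData: java.lang.String getMethod()> -> _SOURCE_
<com.google.auth.oauth2.DefaultCredentialsProvider: com.google.auth.oauth2.GoogleCredentials getDefaultCredentials(com.google.api.client.http.HttpTransport)> -> _SOURCE_
<org.jsoup.nodes.Entities: java.lang.String unescape(java.lang.String)> -> _SOURCE_
<org.springframework.util.DefaultPropertiesPersister: java.lang.String unescape(java.lang.String)> -> _SOURCE_
<org.owasp.webgoat.plugins.Plugin: void loadFiles(java.nio.file.Path)> -> _SOURCE_
<org.apache.xmlrpc.webserver.HttpServletResponseImpl: java.lang.String getHeader(java.lang.String)> -> _SOURCE_
<com.google.auth.oauth2.UserAuthorizer: com.google.auth.oauth2.UserCredentials getCredentialsFromCode(java.lang.String,java.net.URI)> -> _SOURCE_
<org.dmfs.oauth2.client.http.requests.ResourceOwnerPasswordTokenRequest: org.dmfs.httpclient.HttpRequestEntity requestEntity()> -> _SOURCE_
<org.owasp.webgoat.util.HtmlEncoder: java.lang.String decode(java.lang.String)> -> _SOURCE_
<javax.naming.ldap.Rdn: java.lang.Object unescapeValue(java.lang.String)> -> _SOURCE_
<org.apache.xmlrpc.webserver.XmlRpcServletServer: org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl getConfig(javax.servlet.http.HttpServletRequest)> -> _SOURCE_
<org.apache.xmlrpc.webserver.HttpServletRequestImpl: void parsePostData(java.util.Map,java.io.InputStream,java.lang.String)> -> _SOURCE_
<org.springframework.security.concurrent.DelegatingSecurityContextExecutorService: java.util.concurrent.ExecutorService getDelegate()> -> _SOURCE_
% NOTE(review): the return type in the next entry quotes the package segment
% 'annotation' while the declaring class spells it unquoted -- confirm which
% spelling the signature matcher expects; left as found.
<org.springframework.security.config.annotation.web.builders.HttpSecurity: org.springframework.security.config.'annotation'.web.configurers.HeadersConfigurer headers()> -> _SOURCE_
<org.springframework.web.servlet.tags.EscapeBodyTag: java.lang.String readBodyContent()> -> _SOURCE_
<org.springframework.web.util.UrlPathHelper: java.lang.String decodeRequestString(javax.servlet.http.HttpServletRequest,java.lang.String)> -> _SOURCE_
<org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder: org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder requestAttr(java.lang.String,java.lang.Object)> -> _SOURCE_
<com.google.auth.oauth2.UserAuthorizer: com.google.auth.oauth2.UserCredentials getCredentials(java.lang.String)> -> _SOURCE_
<org.springframework.web.socket.sockjs.transport.handler.JsonpReceivingTransportHandler: java.lang.String[] readMessages(org.springframework.http.server.ServerHttpRequest)> -> _SOURCE_
<com.google.auth.oauth2.DefaultCredentialsProvider: com.google.auth.oauth2.GoogleCredentials getDefaultCredentialsUnsynchronized(com.google.api.client.http.HttpTransport)> -> _SOURCE_
<org.springframework.security.config.http.FormLoginBeanDefinitionParser: java.lang.String getLoginProcessingUrl()> -> _SOURCE_
<org.apache.xmlrpc.webserver.HttpServletRequestImpl: java.lang.String readLine(byte[])> -> _SOURCE_
<org.springframework.security.config.http.LogoutBeanDefinitionParser: org.springframework.beans.factory.config.BeanDefinition getLogoutRequestMatcher(java.lang.String)> -> _SOURCE_
<org.springframework.security.config.annotation.web.configurers.LogoutConfigurer: java.util.List getLogoutHandlers()> -> _SOURCE_
<org.apache.xmlrpc.webserver.RequestData: java.lang.String getHttpVersion()> -> _SOURCE_
<com.novell.ldap.rfc2251.RfcFilter: byte[] unescapeString(java.lang.String)> -> _SOURCE_
<org.springframework.web.socket.config.HandlersBeanDefinitionParser: org.springframework.beans.factory.config.BeanDefinition parse(org.w3c.dom.Element,org.springframework.beans.factory.xml.ParserContext)> -> _SOURCE_
<com.google.auth.oauth2.DefaultCredentialsProvider: java.io.File getWellKnownCredentialsFile()> -> _SOURCE_
<org.apache.xmlrpc.webserver.HttpServletRequestImpl: void parseParameters()> -> _SOURCE_
<org.jsoup.parser.Parser: org.jsoup.nodes.Document 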
parse(java.lang.String,java.lang.String)> -> _SOURCE_ <javax.servlet.ServletRequestWrapper: java.lang.String getParameter(java.lang.String)> -> _SOURCE_ <org.apache.http.HttpResponse: org.apache.http.HttpEntity getEntity()> -> _SOURCE_ <org.apache.http.util.EntityUtils: java.lang.String toString(org.apache.http.HttpEntity)> -> _SOURCE_ <org.apache.http.HttpResponse: org.apache.http.StatusLine getStatusLine()> -> _SOURCE_ <android.location.Location: double getLatitude()> -> _SOURCE_ <android.location.Location: double getLongitude()> -> _SOURCE_ <android.location.LocationManager: android.location.Location getLastKnownLocation(java.lang.String)> -> _SOURCE_ <android.telephony.TelephonyManager: java.lang.String getDeviceId()> android.permission.READ_PHONE_STATE -> _SOURCE_ <android.telephony.TelephonyManager: java.lang.String getSubscriberId()> android.permission.READ_PHONE_STATE -> _SOURCE_ <android.telephony.TelephonyManager: java.lang.String getSimSerialNumber()> android.permission.READ_PHONE_STATE -> _SOURCE_ <android.telephony.TelephonyManager: java.lang.String getLine1Number()> android.permission.READ_PHONE_STATE -> _SOURCE_ <java.net.URLConnection: void connect()> -> _SINK_ <java.net.URLConnection: java.io.InputStream getInputStream()> -> _BOTH_ <java.net.URLConnection: java.io.OutputStream getOutputStream()> -> _SINK_ <java.net.URL: java.io.InputStream openStream()> -> _BOTH_ <java.net.URL: java.lang.Object getContent()> -> _BOTH_ <java.net.URL: java.lang.Object getContent(java.lang.Class[])> -> _BOTH_ <java.net.URL: void set(java.lang.String,java.lang.String,int,java.lang.String,java.lang.String)> -> _SINK_ <java.net.URL: void set(java.lang.String,java.lang.String,int,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String)> -> _SINK_ <org.apache.http.HttpResponse: org.apache.http.HttpEntity getEntity()> -> _SOURCE_ % Covered by the EasyTaintWrapper given that the HttpEntity is tainted %<org.apache.http.util.EntityUtils: 
java.lang.String toString(org.apache.http.HttpEntity)> -> _SOURCE_ %<org.apache.http.util.EntityUtils: java.lang.String toString(org.apache.http.HttpEntity,java.lang.String)> -> _SOURCE_ %<org.apache.http.util.EntityUtils: byte[] toByteArray(org.apache.http.HttpEntity)> -> _SOURCE_ %<org.apache.http.util.EntityUtils: java.lang.String getContentCharSet(org.apache.http.HttpEntity)> -> _SOURCE_ % add Activity.getIntent() as source instead of the next methods to avoid duplicate results. %<android.content.Intent: java.lang.String getAction()> -> _SOURCE_ %<android.content.Intent: boolean[] getBooleanArrayExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: boolean getBooleanExtra(java.lang.String, boolean)> -> _SOURCE_ %<android.content.Intent: android.os.Bundle getBundleExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: byte[] getByteArrayExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: byte getByteExtra(java.lang.String, byte)> -> _SOURCE_ %<android.content.Intent: java.util.Set getCategories()> -> _SOURCE_ %<android.content.Intent: char[] getCharArrayExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: char getCharExtra(java.lang.String, char)> -> _SOURCE_ %<android.content.Intent: java.lang.CharSequence[] getCharSequenceArrayExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: java.util.ArrayList getCharSequenceArrayListExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: java.lang.CharSequence getCharSequenceExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: android.content.ClipData getClipData()> -> _SOURCE_ %<android.content.Intent: android.content.ComponentName getComponent()> -> _SOURCE_ %<android.content.Intent: android.net.Uri getData()> -> _SOURCE_ %<android.content.Intent: java.lang.String getDataString()> -> _SOURCE_ %<android.content.Intent: double[] getDoubleArrayExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: double getDoubleExtra(java.lang.String, double)> -> 
_SOURCE_ %<android.content.Intent: android.os.Bundle getExtras()> -> _SOURCE_ %<android.content.Intent: int getFlags()> -> _SOURCE_ %<android.content.Intent: float[] getFloatArrayExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: float getFloatExtra(java.lang.String, float)> -> _SOURCE_ %<android.content.Intent: int[] getIntArrayExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: java.util.ArrayList getIntegerArrayListExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: android.content.Intent getIntent(java.lang.String)> -> _SOURCE_ %<android.content.Intent: android.content.Intent getIntentOld(java.lang.String)> -> _SOURCE_ %<android.content.Intent: int getIntExtra(java.lang.String, int)> -> _SOURCE_ %<android.content.Intent: long[] getLongArrayExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: long getLongExtra(java.lang.String, long)> -> _SOURCE_ %<android.content.Intent: java.lang.String getPackage()> -> _SOURCE_ %<android.content.Intent: android.os.Parcelable[] getParcelableArrayExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: java.util.ArrayList getParcelableArrayListExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: android.os.Parcelable getParcelableExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: java.lang.String getScheme()> -> _SOURCE_ %<android.content.Intent: android.content.Intent getSelector()> -> _SOURCE_ %<android.content.Intent: java.io.Serializable getSerializableExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: short[] getShortArrayExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: short getShortExtra(java.lang.String, short)> -> _SOURCE_ %<android.content.Intent: android.graphics.Rect getSourceBounds()> -> _SOURCE_ %<android.content.Intent: java.lang.String[] getStringArrayExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: java.util.ArrayList getStringArrayListExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: 
java.lang.String getStringExtra(java.lang.String)> -> _SOURCE_ %<android.content.Intent: java.lang.String getType()> -> _SOURCE_ %<android.content.Intent: void <init>()> -> _SOURCE_ %<android.content.Intent: void <init>(android.content.Intent)> -> _SOURCE_ %<android.content.Intent: void <init>(java.lang.String)> -> _SOURCE_ %<android.content.Intent: void <init>(java.lang.String,android.net.Uri)> -> _SOURCE_ %<android.content.Intent: void <init>(android.content.Context,java.lang.Class)> -> _SOURCE_ %<android.content.Intent: void <init>(java.lang.String,android.net.Uri,android.content.Context,java.lang.Class)> -> _SOURCE_ %bundle sources % do not consider them as sources, because we have the callback parameters from % which the apps obtain the bundles as sources anyway %<android.os.Bundle: java.lang.Object get(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: boolean getBoolean(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: boolean getBoolean(java.lang.String,boolean)> -> _SOURCE_ %<android.os.Bundle: boolean[] getBooleanArray(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: android.os.Bundle getBundle(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: byte getByte(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: java.lang.Byte getByte(java.lang.String,byte)> -> _SOURCE_ %<android.os.Bundle: byte[] getByteArray(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: char getChar(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: char getChar(java.lang.String,char)> -> _SOURCE_ %<android.os.Bundle: char[] getCharArray(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: java.lang.CharSequence getCharSequence(java.lang.String,java.lang.CharSequence)> -> _SOURCE_ %<android.os.Bundle: java.lang.CharSequence getCharSequence(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: java.lang.CharSequence[] getCharSequenceArray(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: java.util.ArrayList getCharSequenceArrayList(java.lang.String)> -> _SOURCE_ 
%<android.os.Bundle: java.lang.ClassLoader getClassLoader()> -> _SOURCE_ %<android.os.Bundle: double getDouble(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: double getDouble(java.lang.String,double)> -> _SOURCE_ %<android.os.Bundle: double[] getDoubleArray(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: float getFloat(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: float getFloat(java.lang.String,float)> -> _SOURCE_ %<android.os.Bundle: float[] getFloatArray(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: int getInt(java.lang.String,int)> -> _SOURCE_ %<android.os.Bundle: int getInt(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: int[] getIntArray(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: java.util.ArrayList getIntegerArrayList(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: long getLong(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: long getLong(java.lang.String,long)> -> _SOURCE_ %<android.os.Bundle: long[] getLongArray(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: android.os.Parcelable getParcelable(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: android.os.Parcelable[] getParcelableArray(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: java.util.ArrayList getParcelableArrayList(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: short getShort(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: short getShort(java.lang.String,short)> -> _SOURCE_ %<android.os.Bundle: short[] getShortArray(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: android.util.SparseArray getSparseParcelableArray(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: java.lang.String getString(java.lang.String)> -> _SOURCE_ %<android.os.Bundle: java.util.ArrayList getStringArrayList(java.lang.String key)> -> _SOURCE_ %bundle sinks <android.os.Bundle: void putBinder(java.lang.String,android.os.IBinder)> -> _SINK_ <android.os.Bundle: void 
putBoolean(java.lang.String,boolean)> -> _SINK_ <android.os.Bundle: void putBooleanArray(java.lang.String,boolean[])> -> _SINK_ <android.os.Bundle: void putBundle(java.lang.String,android.os.Bundle)> -> _SINK_ <android.os.Bundle: void putByte(java.lang.String,byte)> -> _SINK_ <android.os.Bundle: void putByteArray(java.lang.String,byte[])> -> _SINK_ <android.os.Bundle: void putChar(java.lang.String,char)> -> _SINK_ <android.os.Bundle: void putCharArray(java.lang.String,char[])> -> _SINK_ <android.os.Bundle: void putCharSequence(java.lang.String,java.lang.CharSequence)> -> _SINK_ <android.os.Bundle: void putCharSequenceArray(java.lang.String,java.lang.CharSequence[])> -> _SINK_ <android.os.Bundle: void putCharSequenceArrayList(java.lang.String,java.util.ArrayList)> -> _SINK_ <android.os.Bundle: void putDouble(java.lang.String,double)> -> _SINK_ <android.os.Bundle: void putDoubleArray(java.lang.String,double[])> -> _SINK_ <android.os.Bundle: void putFloat(java.lang.String,float)> -> _SINK_ <android.os.Bundle: void putFloatArray(java.lang.String,float[])> -> _SINK_ <android.os.Bundle: void putInt(java.lang.String,int)> -> _SINK_ <android.os.Bundle: void putIntArray(java.lang.String,int[])> -> _SINK_ <android.os.Bundle: void putIntegerArrayList(java.lang.String,java.util.ArrayList)> -> _SINK_ <android.os.Bundle: void putLong(java.lang.String,long)> -> _SINK_ <android.os.Bundle: void putLongArray(java.lang.String,long[])> -> _SINK_ <android.os.Bundle: void putParcelable(java.lang.String,android.os.Parcelable)> -> _SINK_ <android.os.Bundle: void putParcelableArray(java.lang.String,android.os.Parcelable[])> -> _SINK_ <android.os.Bundle: void putParcelableArrayList(java.lang.String,java.util.ArrayList)> -> _SINK_ <android.os.Bundle: void putSerializable(java.lang.String,java.io.Serializable)> -> _SINK_ <android.os.Bundle: void putShort(java.lang.String,short)> -> _SINK_ <android.os.Bundle: void putShortArray(java.lang.String,short[])> -> _SINK_ <android.os.Bundle: void 
putSparseParcelableArray(java.lang.String,android.util.SparseArray)> -> _SINK_ <android.os.Bundle: void putString(java.lang.String,java.lang.String)> -> _SINK_ <android.os.Bundle: void putStringArray(java.lang.String,java.lang.String[])> -> _SINK_ <android.os.Bundle: void putStringArrayList(java.lang.String,java.util.ArrayList)> -> _SINK_ <android.os.Bundle: void putAll(android.os.Bundle)> -> _SINK_ <android.media.AudioRecord: int read(short[],int,int)> -> _SOURCE_ <android.media.AudioRecord: int read(byte[],int,int)> -> _SOURCE_ <android.media.AudioRecord: int read(java.nio.ByteBuffer,int)> -> _SOURCE_ <android.content.pm.PackageManager: java.util.List getInstalledApplications(int)> -> _SOURCE_ <android.content.pm.PackageManager: java.util.List getInstalledPackages(int)> -> _SOURCE_ <android.content.pm.PackageManager: java.util.List queryIntentActivities(android.content.Intent,int)> -> _SOURCE_ <android.content.pm.PackageManager: java.util.List queryIntentServices(android.content.Intent,int)> -> _SOURCE_ <android.content.pm.PackageManager: java.util.List queryBroadcastReceivers(android.content.Intent,int)> -> _SOURCE_ <android.content.pm.PackageManager: java.util.List queryContentProviders(java.lang.String,int,int)> -> _SOURCE_ <android.util.Log: int d(java.lang.String,java.lang.String)> -> _SINK_ <android.util.Log: int d(java.lang.String,java.lang.String,java.lang.Throwable)> -> _SINK_ <android.util.Log: int e(java.lang.String,java.lang.String)> -> _SINK_ <android.util.Log: int e(java.lang.String,java.lang.String,java.lang.Throwable)> -> _SINK_ <android.util.Log: int i(java.lang.String,java.lang.String)> -> _SINK_ <android.util.Log: int i(java.lang.String,java.lang.String,java.lang.Throwable)> -> _SINK_ <android.util.Log: int v(java.lang.String,java.lang.String)> -> _SINK_ <android.util.Log: int v(java.lang.String,java.lang.String,java.lang.Throwable)> -> _SINK_ <android.util.Log: int w(java.lang.String,java.lang.Throwable)> -> _SINK_ <android.util.Log: int 
w(java.lang.String,java.lang.String)> -> _SINK_ <android.util.Log: int w(java.lang.String,java.lang.String,java.lang.Throwable)> -> _SINK_ <android.util.Log: int wtf(java.lang.String,java.lang.Throwable)> -> _SINK_ <android.util.Log: int wtf(java.lang.String,java.lang.String)> -> _SINK_ <android.util.Log: int wtf(java.lang.String,java.lang.String,java.lang.Throwable)> -> _SINK_ <java.io.OutputStream: void write(byte[])> -> _SINK_ <java.io.OutputStream: void write(byte[],int,int)> -> _SINK_ <java.io.OutputStream: void write(int)> -> _SINK_ <java.io.Writer: void write(char[])> -> _SINK_ <java.io.Writer: void write(char[],int,int)> -> _SINK_ <java.io.Writer: void write(int)> -> _SINK_ <java.io.Writer: void write(java.lang.String)> -> _SINK_ <java.io.Writer: void write(java.lang.String,int,int)> -> _SINK_ <java.io.Writer: java.io.Writer append(java.lang.CharSequence)> -> _SINK_ <java.io.OutputStreamWriter: java.io.Writer append(java.lang.CharSequence)> -> _SINK_ <android.content.Intent: android.content.Intent setAction(java.lang.String)> -> _SINK_ <android.content.Intent: android.content.Intent setClassName(android.content.Context,java.lang.Class)> -> _SINK_ <android.content.Intent: android.content.Intent setClassName(android.content.Context,java.lang.String)> -> _SINK_ <android.content.Intent: android.content.Intent setComponent(android.content.ComponentName)> -> _SINK_ %<android.content.Intent: android.content.Intent putExtra(java.lang.String,double[])> -> _SINK_ %<android.content.Intent: android.content.Intent putExtra(java.lang.String,int)> -> _SINK_ %<android.content.Intent: android.content.Intent putExtra(java.lang.String,java.lang.CharSequence)> -> _SINK_ %<android.content.Intent: android.content.Intent putExtra(java.lang.String,char)> -> _SINK_ %<android.content.Intent: android.content.Intent putExtra(java.lang.String,android.os.Bundle)> -> _SINK_ %<android.content.Intent: android.content.Intent putExtra(java.lang.String,android.os.Parcelable[])> -> _SINK_ 
% Taint specification: each active line maps one method signature, written as
% <declaring.Class: returnType name(paramTypes)>, to _SOURCE_ or _SINK_.
% Lines that begin with '%' are comments or disabled entries.
%
% Disabled: the Intent.putExtra overloads are listed but commented out, so filling an
% Intent is not reported by itself; the broadcast and component-launch calls below are
% the entries that stay active.
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,java.io.Serializable)> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,int[])> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,float)> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,byte[])> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,long[])> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,android.os.Parcelable)> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,float[])> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,long)> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,java.lang.String[])> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,boolean)> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,boolean[])> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,short)> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,double)> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,short[])> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,java.lang.String)> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,byte)> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,char[])> -> _SINK_
%<android.content.Intent: android.content.Intent putExtra(java.lang.String,java.lang.CharSequence[])> -> _SINK_
% Broadcast sinks: data placed in the Intent leaves the component here.
<android.content.Context: void sendBroadcast(android.content.Intent)> -> _SINK_
<android.content.Context: void sendBroadcast(android.content.Intent,java.lang.String)> -> _SINK_
<android.content.Context: void sendOrderedBroadcast(android.content.Intent,java.lang.String)> -> _SINK_
<android.content.ContextWrapper: void sendOrderedBroadcast(android.content.Intent,java.lang.String)> -> _SINK_
% Media recording calls are listed as sinks.
<android.media.MediaRecorder: void setVideoSource(int)> -> _SINK_
<android.media.MediaRecorder: void setPreviewDisplay(android.view.Surface)> -> _SINK_
<android.media.MediaRecorder: void start()> -> _SINK_
<android.content.Context: android.content.Intent registerReceiver(android.content.BroadcastReceiver,android.content.IntentFilter)> -> _SINK_
<android.content.Context: android.content.Intent registerReceiver(android.content.BroadcastReceiver,android.content.IntentFilter,java.lang.String,android.os.Handler)> -> _SINK_
<android.content.IntentFilter: void addAction(java.lang.String)> -> _SINK_
% The SmsManager entries carry a permission name (android.permission.SEND_SMS) between
% the signature and the arrow.
<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)> android.permission.SEND_SMS -> _SINK_
<android.telephony.SmsManager: void sendDataMessage(java.lang.String,java.lang.String,short,byte[],android.app.PendingIntent,android.app.PendingIntent)> android.permission.SEND_SMS -> _SINK_
<android.telephony.SmsManager: void sendMultipartTextMessage(java.lang.String,java.lang.String,java.util.ArrayList,java.util.ArrayList,java.util.ArrayList)> android.permission.SEND_SMS -> _SINK_
<java.net.Socket: void connect(java.net.SocketAddress)> -> _SINK_
<android.os.Handler: boolean sendMessage(android.os.Message)> -> _SINK_
% Writes to SharedPreferences are sinks (persisted on the device).
<android.content.SharedPreferences$Editor: android.content.SharedPreferences$Editor putBoolean(java.lang.String,boolean)> -> _SINK_
<android.content.SharedPreferences$Editor: android.content.SharedPreferences$Editor putFloat(java.lang.String,float)> -> _SINK_
<android.content.SharedPreferences$Editor: android.content.SharedPreferences$Editor putInt(java.lang.String,int)> -> _SINK_
<android.content.SharedPreferences$Editor: android.content.SharedPreferences$Editor putLong(java.lang.String,long)> -> _SINK_
<android.content.SharedPreferences$Editor: android.content.SharedPreferences$Editor putString(java.lang.String,java.lang.String)> -> _SINK_
% NOTE(review): the Android SDK declares getDefaultSharedPreferences(Context) on
% android.preference.PreferenceManager, not on android.content.SharedPreferences, so this
% signature probably never matches a call site and default-preference reads would go
% untracked. Confirm against the analyzer's signature matching.
<android.content.SharedPreferences: android.content.SharedPreferences getDefaultSharedPreferences(android.content.Context)> -> _SOURCE_
% Device, network, locale, account and browser-history getters listed as sources.
<android.bluetooth.BluetoothAdapter: java.lang.String getAddress()> -> _SOURCE_
<android.net.wifi.WifiInfo: java.lang.String getMacAddress()> -> _SOURCE_
<java.util.Locale: java.lang.String getCountry()> -> _SOURCE_
<android.net.wifi.WifiInfo: java.lang.String getSSID()> -> _SOURCE_
<android.telephony.gsm.GsmCellLocation: int getCid()> -> _SOURCE_
<android.telephony.gsm.GsmCellLocation: int getLac()> -> _SOURCE_
<android.accounts.AccountManager: android.accounts.Account[] getAccounts()> -> _SOURCE_
<java.util.Calendar: java.util.TimeZone getTimeZone()> -> _SOURCE_
<android.provider.Browser: android.database.Cursor getAllBookmarks()> -> _SOURCE_
<android.provider.Browser: android.database.Cursor getAllVisitedUrls()> -> _SOURCE_
% Outbound HTTP requests through the Apache client are sinks.
<org.apache.http.impl.client.DefaultHttpClient: org.apache.http.HttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> -> _SINK_
<org.apache.http.client.HttpClient: org.apache.http.HttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> -> _SINK_
% NOTE(review): both ContentResolver.query overloads are marked _SOURCE_ here and
% _SINK_ further down. Whether two entries for one signature are merged or the later one
% wins depends on the parser; confirm, or use a single combined entry if the format
% offers a label for "both".
<android.content.ContentResolver: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.String[],java.lang.String)> -> _SOURCE_
<android.content.ContentResolver: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.String[],java.lang.String,android.os.CancellationSignal)> -> _SOURCE_
% This is handled by the Easy Taint Wrapper given that the URL is used afterwards
%<java.net.URL: void <init>(java.lang.String,java.lang.String,int,java.lang.String)> -> _SINK_
%<java.net.URL: void <init>(java.lang.String,java.lang.String,java.lang.String)> -> _SINK_
%<java.net.URL: void <init>(java.lang.String,java.lang.String,int,java.lang.String,java.net.URLStreamHandler)> -> _SINK_
%<java.net.URL: void <init>(java.lang.String)> -> _SINK_
%<java.net.URL: void <init>(java.net.URL,java.lang.String)> -> _SINK_
%<java.net.URL: void <init>(java.net.URL,java.lang.String,java.net.URLStreamHandler)> -> _SINK_
% NOTE(review): startActivity(Intent[,Bundle]) is disabled for Context, ContextWrapper
% and (below) Activity, while startActivities and startActivityForResult stay active.
% This file does not say why. Confirm that plain startActivity flows are covered
% elsewhere; otherwise tainted Intent contents leaving through startActivity go unreported.
%<android.content.Context: void startActivity(android.content.Intent)> -> _SINK_
%<android.content.ContextWrapper: void startActivity(android.content.Intent)> -> _SINK_
%<android.content.Context: void startActivity(android.content.Intent,android.os.Bundle)> -> _SINK_
<android.content.Context: void startActivities(android.content.Intent[])> -> _SINK_
<android.content.Context: void startActivities(android.content.Intent[],android.os.Bundle)> -> _SINK_
<android.content.Context: android.content.ComponentName startService(android.content.Intent)> -> _SINK_
<android.content.Context: boolean bindService(android.content.Intent,android.content.ServiceConnection,int)> -> _SINK_
% NOTE(review): the next two Context.sendBroadcast entries repeat entries that appear
% earlier in this list.
<android.content.Context: void sendBroadcast(android.content.Intent)> -> _SINK_
<android.content.Context: void sendBroadcast(android.content.Intent,java.lang.String)> -> _SINK_
% Disabled: Activity.getIntent() is not treated as a source.
%<android.app.Activity: android.content.Intent getIntent()> -> _SOURCE_
<android.app.Activity: void setResult(int,android.content.Intent)> -> _SINK_
% Do not enter this method as a source. Our callback parameter handling will take care
% of the parameters of this method anyway. Adding this method taints the whole activity!
% <android.app.Activity: void onActivityResult(int,int,android.content.Intent)> -> _SOURCE_
%<android.app.Activity: void startActivity(android.content.Intent)> -> _SINK_
%<android.app.Activity: void startActivity(android.content.Intent,android.os.Bundle)> -> _SINK_
% Activity-level component launches and broadcasts listed as sinks.
<android.app.Activity: void startActivities(android.content.Intent[])> -> _SINK_
<android.app.Activity: void startActivities(android.content.Intent[],android.os.Bundle)> -> _SINK_
<android.app.Activity: void startActivityForResult(android.content.Intent,int)> -> _SINK_
<android.app.Activity: void startActivityForResult(android.content.Intent,int,android.os.Bundle)> -> _SINK_
<android.app.Activity: void startActivityFromChild(android.app.Activity,android.content.Intent,int,android.os.Bundle)> -> _SINK_
<android.app.Activity: void startActivityFromChild(android.app.Activity,android.content.Intent,int)> -> _SINK_
<android.app.Activity: void startActivityFromFragment(android.app.Fragment,android.content.Intent,int,android.os.Bundle)> -> _SINK_
<android.app.Activity: void startActivityFromFragment(android.app.Fragment,android.content.Intent,int)> -> _SINK_
<android.app.Activity: void startActivityIfNeeded(android.content.Intent,int,android.os.Bundle)> -> _SINK_
<android.app.Activity: void startActivityIfNeeded(android.content.Intent,int)> -> _SINK_
<android.app.Activity: android.content.ComponentName startService(android.content.Intent)> -> _SINK_
<android.app.Activity: boolean bindService(android.content.Intent,android.content.ServiceConnection,int)> -> _SINK_
<android.app.Activity: void sendBroadcast(android.content.Intent)> -> _SINK_
<android.app.Activity: void sendBroadcast(android.content.Intent,java.lang.String)> -> _SINK_
<android.app.Activity: void sendBroadcastAsUser(android.content.Intent,android.os.UserHandle)> -> _SINK_
<android.app.Activity: void sendBroadcastAsUser(android.content.Intent,android.os.UserHandle,java.lang.String)> -> _SINK_
<android.app.Activity: void sendOrderedBroadcast(android.content.Intent,java.lang.String,android.content.BroadcastReceiver,android.os.Handler,int,java.lang.String,android.os.Bundle)> -> _SINK_
<android.app.Activity: void sendOrderedBroadcast(android.content.Intent,java.lang.String)> -> _SINK_
<android.app.Activity: void sendOrderedBroadcastAsUser(android.content.Intent,android.os.UserHandle,java.lang.String,android.content.BroadcastReceiver,android.os.Handler,int,java.lang.String,android.os.Bundle)> -> _SINK_
<android.app.Activity: void sendStickyBroadcast(android.content.Intent)> -> _SINK_
<android.app.Activity: void sendStickyBroadcastAsUser(android.content.Intent,android.os.UserHandle)> -> _SINK_
<android.app.Activity: void sendStickyOrderedBroadcast(android.content.Intent,android.content.BroadcastReceiver,android.os.Handler,int,java.lang.String,android.os.Bundle)> -> _SINK_
<android.app.Activity: void sendStickyOrderedBroadcastAsUser(android.content.Intent,android.os.UserHandle,android.content.BroadcastReceiver,android.os.Handler,int,java.lang.String,android.os.Bundle)> -> _SINK_
% Content provider writes and queries listed as sinks. The two query overloads are
% also listed as _SOURCE_ earlier in this list.
<android.content.ContentResolver: android.net.Uri insert(android.net.Uri,android.content.ContentValues)> -> _SINK_
<android.content.ContentResolver: int delete(android.net.Uri,java.lang.String,java.lang.String[])> -> _SINK_
<android.content.ContentResolver: int update(android.net.Uri,android.content.ContentValues,java.lang.String,java.lang.String[])> -> _SINK_
<android.content.ContentResolver: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.String[],java.lang.String)> -> _SINK_
<android.content.ContentResolver: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.String[],java.lang.String,android.os.CancellationSignal)> -> _SINK_
% Disabled: Activity.findViewById(int) is not treated as a source.
% <android.app.Activity: android.view.View findViewById(int)> -> _SOURCE_
<android.database.Cursor: java.lang.String getString(int)> -> _SOURCE_
% NOTE(review): the SDK's SQLiteDatabase.query overloads take a table name
% (java.lang.String) as first parameter, not android.net.Uri. These two parameter lists
% match ContentResolver.query instead, so the entries probably never match a real call
% and direct SQLite reads are only caught through Cursor.getString above. Confirm and
% replace with the real overloads if SQLite queries should be sources.
<android.database.sqlite.SQLiteDatabase: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.String[],java.lang.String)> -> _SOURCE_
<android.database.sqlite.SQLiteDatabase: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.String[],java.lang.String,android.os.CancellationSignal)> -> _SOURCE_
% Process creation is listed as a sink.
<java.lang.ProcessBuilder: java.lang.Process start()> -> _SINK_
