Info Call to dynamic code loading API

Description

List of all dynamic code loading API calls in the application. Loading code from untrusted sources could allow the execution of malicious code in the context of the current application.

Recommendation

This entry is informative, no recommendations applicable.

Technical details

Method gnu.expr.ModuleExp.classFor() calling method java.lang.System.getProperty()


    /**
     * Returns the class type for this module, computing and caching it on first use.
     *
     * If this.type is already set (and is not Compilation.typeProcedure) it is returned
     * unchanged. Otherwise a class name is derived from the module name or, failing that,
     * from the source file name, and is qualified either by the compilation's classPrefix
     * or by the mangled parent directory of a relative source path.
     *
     * Review note: the scanner lists this method because it calls System.getProperty().
     * The call only reads "file.separator"; nothing in this method loads code.
     *
     * @param p12 the compilation that supplies classPrefix, mainLambda and mainClass
     * @return the existing or newly created class type
     */
    public gnu.bytecode.ClassType classFor(gnu.expr.Compilation p12)
    {
        if ((this.type == null) || (this.type == gnu.expr.Compilation.typeProcedure)) {
            String v3_0;
            String v3_2 = this.getFileName();
            String v4 = this.getName();
            // Decompiler artifact: 0 stands for null here.
            gnu.text.Path v7 = 0;
            if (v4 == null) {
                if (v3_2 != null) {
                    // "-" and "/dev/stdin" are handled as standard input rather than as a file.
                    if ((!this.filename.equals("-")) && (!this.filename.equals("/dev/stdin"))) {
                        v7 = gnu.text.Path.valueOf(v3_2);
                        v3_0 = v7.getLast();
                        // 46 is '.': drop the extension, unless the dot is the first character.
                        int v2 = v3_0.lastIndexOf(46);
                        if (v2 > 0) {
                            v3_0 = v3_0.substring(0, v2);
                        }
                    } else {
                        v3_0 = this.getName();
                        if (v3_0 == null) {
                            v3_0 = "$stdin$";
                        }
                    }
                } else {
                    v3_0 = this.getName();
                    if (v3_0 == null) {
                        v3_0 = "$unnamed_input_file$";
                    }
                }
            } else {
                v3_0 = v4;
            }
            if (this.getName() == null) {
                this.setName(v3_0);
            }
            String v1;
            String v3_1 = gnu.expr.Compilation.mangleNameIfNeeded(v3_0);
            // An explicit class prefix, a missing path or an absolute path all use prefix + name.
            if ((p12.classPrefix.length() != 0) || ((v7 == null) || (v7.isAbsolute()))) {
                v1 = new StringBuilder().append(p12.classPrefix).append(v3_1).toString();
            } else {
                gnu.text.Path v6 = v7.getParent();
                // NOTE(review): the two empty branches below leave v1 unassigned in this
                // decompiled output; presumably the original falls back to a default name.
                if (v6 == null) {
                } else {
                    String v5_0 = v6.toString();
                    // A parent directory that is empty or contains ".." is not used for the name.
                    if ((v5_0.length() <= 0) || (v5_0.indexOf("..") >= 0)) {
                    } else {
                        // NOTE(review): replaceAll() treats its first argument as a regular
                        // expression. Where "file.separator" is a backslash that is not a valid
                        // pattern; String.replace() would do a literal replacement. Confirm.
                        String v5_1 = v5_0.replaceAll(System.getProperty("file.separator"), "/");
                        if (v5_1.startsWith("./")) {
                            v5_1 = v5_1.substring(2);
                        }
                        if (!v5_1.equals(".")) {
                            v1 = new StringBuilder().append(gnu.expr.Compilation.mangleURI(v5_1)).append(".").append(v3_1).toString();
                        } else {
                            v1 = v3_1;
                        }
                    }
                }
            }
            gnu.bytecode.ClassType v0_1 = new gnu.bytecode.ClassType(v1);
            this.setType(v0_1);
            // For the main lambda, record the class or report error 101 on a name mismatch.
            if (p12.mainLambda == this) {
                if (p12.mainClass != null) {
                    if (!v1.equals(p12.mainClass.getName())) {
                        p12.error(101, new StringBuilder().append("inconsistent main class name: ").append(v1).append(" - old name: ").append(p12.mainClass.getName()).toString());
                    }
                } else {
                    p12.mainClass = v0_1;
                }
            }
        } else {
            // Decompiler artifact: v0_1 is declared inside the other branch.
            v0_1 = this.type;
        }
        return v0_1;
    }

Method kawa.lib.system.run() calling method java.lang.System.getProperty()


    /**
     * Module initializer: picks the procedure stored in command$Mnparse according to the
     * platform file separator.
     *
     * Review note: System.getProperty() is only read here; no code is loaded. The selected
     * procedure's name suggests it tokenizes command strings for a shell, so callers that
     * pass untrusted text to it deserve a separate review (inferred from the name only).
     *
     * @param p4 the call context; not used in this body
     */
    public final void run(gnu.mapping.CallContext p4)
    {
        boolean slashSeparator = gnu.kawa.functions.IsEqual.apply(System.getProperty("file.separator"), "/");
        // "/" selects the shell-style tokenizer, anything else the string-array tokenizer.
        gnu.expr.ModuleMethod parser = slashSeparator
                ? kawa.lib.system.tokenize$Mnstring$Mnusing$Mnshell
                : kawa.lib.system.tokenize$Mnstring$Mnto$Mnstring$Mnarray;
        kawa.lib.system.command$Mnparse = parser;
    }

Method kawa.lib.files.systemTmpdir() calling method java.lang.System.getProperty()


    /**
     * Returns the system temporary directory.
     *
     * Uses the "java.io.tmpdir" property when it is set. Otherwise falls back to "C:\temp"
     * when the file separator is a backslash and to "/tmp" in every other case.
     *
     * Review note: only a JVM property is read; no code is loaded. The fallback directories
     * are shared locations, so files created there should not be trusted when read back.
     *
     * @return the temporary directory path
     */
    public static String systemTmpdir()
    {
        String tmpDir = System.getProperty("java.io.tmpdir");
        if (tmpDir != null) {
            return tmpDir;
        }
        boolean backslashSeparator = gnu.kawa.functions.IsEqual.apply(kawa.lib.files.$PcFileSeparator(), "\\");
        return backslashSeparator ? "C:\\temp" : "/tmp";
    }

Method kawa.lib.files.$PcFileSeparator() calling method java.lang.System.getProperty()


    /**
     * Returns the platform file separator as reported by the "file.separator" property.
     *
     * Review note: reads a JVM property only; no code is loaded here.
     *
     * @return the property value, or null if the property is not set
     */
    public static String $PcFileSeparator()
    {
        final String separator = System.getProperty("file.separator");
        return separator;
    }

Method kawa.repl.checkInitFile() calling method java.lang.System.getProperty()


    /**
     * Runs the per-user init file once, the first time it is called.
     *
     * Reads "user.home", publishes it in the current environment under "home-directory"
     * (Boolean.FALSE when the property is missing), and passes ".kawarc.scm" (or
     * "kawarc.scm" when the separator is not "/") from that directory to
     * kawa.Shell.runFileOrClass() if the file exists. The process exits with -1 when that
     * call returns false.
     *
     * Review note: System.getProperty() itself loads nothing. The relevant point is that a
     * file found in the home directory is handed to runFileOrClass(), which presumably
     * executes it; anyone who can write to that directory can influence what runs. Confirm
     * what "user.home" resolves to on the target platform.
     */
    static void checkInitFile()
    {
        // homeDirectory doubles as the "already checked" flag.
        if (kawa.repl.homeDirectory == null) {
            // Decompiler artifacts: v3_1 also receives an FString, and 0 stands for null.
            Boolean v3_1;
            java.io.File v1_0 = 0;
            kawa.repl.homeDirectory = System.getProperty("user.home");
            if (kawa.repl.homeDirectory == null) {
                v3_1 = Boolean.FALSE;
            } else {
                String v2;
                v3_1 = new gnu.lists.FString(kawa.repl.homeDirectory);
                // The init file is dot-prefixed only where the separator is "/".
                if (!"/".equals(System.getProperty("file.separator"))) {
                    v2 = "kawarc.scm";
                } else {
                    v2 = ".kawarc.scm";
                }
                v1_0 = new java.io.File(kawa.repl.homeDirectory, v2);
            }
            gnu.mapping.Environment.getCurrent().put("home-directory", v3_1);
            // Only an existing file is passed on; a false result terminates the process.
            if ((v1_0 != null) && ((v1_0.exists()) && (!kawa.Shell.runFileOrClass(v1_0.getPath(), 1, 0)))) {
                System.exit(-1);
            }
        }
        return;
    }

Method gnu.text.FilePath.resolve() calling method java.lang.System.getProperty()


    /**
     * Resolves a path string against this file path.
     *
     * A string with a URI scheme becomes a URLPath. An absolute file name becomes a
     * FilePath for that file. A relative name is resolved against "user.dir" when this
     * object is Path.userDirPath, and otherwise against this path (if it is a directory)
     * or its parent.
     *
     * Review note: System.getProperty() only supplies the base directory; no code is
     * loaded. Nothing visible here normalizes the result or rejects ".." segments or
     * absolute inputs, so callers that pass untrusted names must check that the result
     * stays inside the directory they intend.
     *
     * @param p6 the path or URI string to resolve
     * @return the resolved path
     */
    public gnu.text.Path resolve(String p6)
    {
        // Decompiler artifact: v3_7 is typed as File but holds Path values.
        java.io.File v3_7;
        if (!gnu.text.Path.uriSchemeSpecified(p6)) {
            java.io.File v1_1 = new java.io.File(p6);
            if (!v1_1.isAbsolute()) {
                char v2 = java.io.File.separatorChar;
                // 47 is '/': convert to the platform separator when it differs.
                if (v2 != 47) {
                    p6 = p6.replace(47, v2);
                }
                java.io.File v0_1;
                if (this != gnu.text.Path.userDirPath) {
                    java.io.File v3_4;
                    // A non-directory base resolves relative to its containing directory.
                    if (!this.isDirectory()) {
                        v3_4 = this.file.getParentFile();
                    } else {
                        v3_4 = this.file;
                    }
                    v0_1 = new java.io.File(v3_4, p6);
                } else {
                    v0_1 = new java.io.File(System.getProperty("user.dir"), p6);
                }
                v3_7 = gnu.text.FilePath.valueOf(v0_1);
            } else {
                v3_7 = gnu.text.FilePath.valueOf(v1_1);
            }
        } else {
            v3_7 = gnu.text.URLPath.valueOf(p6);
        }
        return v3_7;
    }

Method gnu.kawa.functions.LispNewlineFormat.<clinit>() calling method java.lang.System.getProperty()


    /**
     * Static initializer (shown by the decompiler as a constructor-like method): caches the
     * platform line separator, defaulting to "\n" when the property is not set.
     *
     * Review note: reads a JVM property only; no code is loaded here.
     */
    static LispNewlineFormat()
    {
        String separator = System.getProperty("line.separator", "\n");
        gnu.kawa.functions.LispNewlineFormat.line_separator = separator;
    }

Method gnu.bytecode.SourceFileAttr.fixSourceFile() calling method java.lang.System.getProperty()


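    /**
     * Normalizes a source file name so that it uses '/' as its separator.
     *
     * The platform separator is read from "file.separator" (default "/"). When it is a
     * single character other than '/', every occurrence in the name is replaced by '/'.
     * The decompiler rendered '/' as the int 47, which does not match any
     * String.replace overload; the char literal is used here instead.
     *
     * Review note: reads a JVM property only; no code is loaded here.
     *
     * @param p5 the source file name
     * @return the name with '/' separators
     */
    public static String fixSourceFile(String p5)
    {
        String separator = System.getProperty("file.separator", "/");
        // Multi-character separators are left alone; only a single char can be swapped.
        if ((separator != null) && (separator.length() == 1)) {
            char separatorChar = separator.charAt(0);
            if (separatorChar != '/') {
                p5 = p5.replace(separatorChar, '/');
            }
        }
        return p5;
    }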

Method com.google.appinventor.components.runtime.util.NanoHTTPD$HTTPSession.saveTmpFile() calling method java.lang.System.getProperty()


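    /**
     * Writes a slice of a byte array to a new temporary file and returns the file's path.
     *
     * The file is created with File.createTempFile() in the "java.io.tmpdir" directory,
     * using the prefix "NanoHTTPD". Any failure is reported on NanoHTTPD.myErr and an empty
     * string is returned. The output stream is now closed in a finally block, so a failed
     * write no longer leaks the file descriptor.
     *
     * Review note: System.getProperty() only supplies the directory; no code is loaded.
     * The bytes come from the HTTP session, so the file content is untrusted. Nothing in
     * this method deletes the file or limits its size; confirm that callers do.
     *
     * @param p9 the buffer holding the data
     * @param p10 the offset of the first byte to write
     * @param p11 the number of bytes to write; nothing is written when it is not positive
     * @return the absolute path of the temporary file, or "" if nothing was written
     */
    private String saveTmpFile(byte[] p9, int p10, int p11)
    {
        String path = "";
        if (p11 > 0) {
            try {
                java.io.File tmpFile = java.io.File.createTempFile("NanoHTTPD", "", new java.io.File(System.getProperty("java.io.tmpdir")));
                java.io.FileOutputStream out = new java.io.FileOutputStream(tmpFile);
                try {
                    out.write(p9, p10, p11);
                } finally {
                    // Close even when write() fails; a close() failure is reported below.
                    out.close();
                }
                path = tmpFile.getAbsolutePath();
            } catch (Exception e) {
                // Best effort by design: report the error and return "".
                com.google.appinventor.components.runtime.util.NanoHTTPD.myErr.println(new StringBuilder().append("Error: ").append(e.getMessage()).toString());
            }
        }
        return path;
    }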

Method com.google.appinventor.components.runtime.multidex.MultiDex.install() calling method java.lang.System.getProperty()


    /**
     * Installs the application's secondary dex files into the context class loader.
     *
     * Does nothing when the VM reports built-in multidex support. Otherwise the secondary
     * dex archives are obtained through MultiDexExtractor.load() for the directory
     * dataDir/SECONDARY_FOLDER_NAME, checked with checkValidZipFiles(), reloaded once with
     * the last argument set to 1 if that check fails, and handed to installSecondaryDexes().
     *
     * Review note: System.getProperty("java.vm.version") is only used in a log message
     * here. The code loading happens in installSecondaryDexes(), which is not shown. The
     * only check visible before loading is that the files are valid zip files, so the
     * integrity of the loaded code rests on the extraction directory being private to the
     * application; verify that assumption.
     *
     * @param p14 the application context
     * @param p15 the "doIt" flag; when true, installation proceeds without consulting
     *            MultiDexExtractor.mustLoad()
     * @return false only on the "Returning because of mustLoad" path, true otherwise
     * @throws RuntimeException if the SDK level is below 4, if the application info cannot
     *         be read, or if the archives are still invalid after the forced reload
     */
    public static boolean install(android.content.Context p14, boolean p15)
    {
        // Decompiler artifact: v7_3 is the boolean result (1 = true, 0 = false).
        RuntimeException v7_3 = 1;
        com.google.appinventor.components.runtime.multidex.MultiDex.installedApk.clear();
        android.util.Log.i("MultiDex", new StringBuilder().append("install: doIt = ").append(p15).toString());
        if (!com.google.appinventor.components.runtime.multidex.MultiDex.IS_VM_MULTIDEX_CAPABLE) {
            if (android.os.Build$VERSION.SDK_INT >= 4) {
                try {
                    android.content.pm.ApplicationInfo v1 = com.google.appinventor.components.runtime.multidex.MultiDex.getApplicationInfo(p14);
                } catch (RuntimeException v3_0) {
                    android.util.Log.e("MultiDex", "Multidex installation failure", v3_0);
                    throw new RuntimeException(new StringBuilder().append("Multi dex installation failed (").append(v3_0.getMessage()).append(").").toString());
                }
                if (v1 != null) {
                    String v0 = v1.sourceDir;
                    // installedApk was cleared above, so this check passes on every call.
                    if (!com.google.appinventor.components.runtime.multidex.MultiDex.installedApk.contains(v0)) {
                        com.google.appinventor.components.runtime.multidex.MultiDex.installedApk.add(v0);
                        if (android.os.Build$VERSION.SDK_INT > 20) {
                            android.util.Log.w("MultiDex", new StringBuilder().append("MultiDex is not guaranteed to work in SDK version ").append(android.os.Build$VERSION.SDK_INT).append(": SDK version higher than ").append(20).append(" should be backed by runtime with built-in multidex capabilty but it\'s not the case here: java.vm.version=\"").append(System.getProperty("java.vm.version")).append("\"").toString());
                        }
                        try {
                            ClassLoader v5 = p14.getClassLoader();
                        } catch (RuntimeException v3_1) {
                            android.util.Log.w("MultiDex", "Failure while trying to obtain Context class loader. Must be running in test mode. Skip patching.", v3_1);
                        }
                        if (v5 != null) {
                            com.google.appinventor.components.runtime.multidex.MultiDex.clearOldDexDir(p14);
                            // Extraction target: <dataDir>/<SECONDARY_FOLDER_NAME>.
                            java.io.File v2_1 = new java.io.File(v1.dataDir, com.google.appinventor.components.runtime.multidex.MultiDex.SECONDARY_FOLDER_NAME);
                            // Proceeds when doIt is set or when mustLoad() returns false.
                            if ((p15) || (!com.google.appinventor.components.runtime.multidex.MultiDexExtractor.mustLoad(p14, v1))) {
                                android.util.Log.d("MultiDex", "Proceeding with installation...");
                                java.util.List v4_0 = com.google.appinventor.components.runtime.multidex.MultiDexExtractor.load(p14, v1, v2_1, 0);
                                // Only the zip structure is validated before the files are loaded.
                                if (!com.google.appinventor.components.runtime.multidex.MultiDex.checkValidZipFiles(v4_0)) {
                                    android.util.Log.w("MultiDex", "Files were not valid zip files.  Forcing a reload.");
                                    java.util.List v4_1 = com.google.appinventor.components.runtime.multidex.MultiDexExtractor.load(p14, v1, v2_1, 1);
                                    if (!com.google.appinventor.components.runtime.multidex.MultiDex.checkValidZipFiles(v4_1)) {
                                        throw new RuntimeException("Zip files were not valid.");
                                    } else {
                                        com.google.appinventor.components.runtime.multidex.MultiDex.installSecondaryDexes(v5, v2_1, v4_1);
                                    }
                                } else {
                                    com.google.appinventor.components.runtime.multidex.MultiDex.installSecondaryDexes(v5, v2_1, v4_0);
                                }
                                android.util.Log.i("MultiDex", "install done");
                            } else {
                                android.util.Log.d("MultiDex", "Returning because of mustLoad");
                                v7_3 = 0;
                            }
                        } else {
                            android.util.Log.e("MultiDex", "Context class loader is null. Must be running in test mode. Skip patching.");
                        }
                    } else {
                    }
                } else {
                    android.util.Log.d("MultiDex", "applicationInfo is null, returning");
                }
            } else {
                throw new RuntimeException(new StringBuilder().append("Multi dex installation failed. SDK ").append(android.os.Build$VERSION.SDK_INT).append(" is unsupported. Min SDK version is ").append(4).append(".").toString());
            }
        } else {
            android.util.Log.i("MultiDex", "VM has multidex support, MultiDex support library is disabled.");
        }
        return v7_3;
    }

Method com.google.appinventor.components.runtime.multidex.MultiDex.<clinit>() calling method java.lang.System.getProperty()


    /**
     * Static initializer (shown by the decompiler as a constructor-like method): sets the
     * secondary dex folder name, the set of installed APK paths, and the flag that records
     * whether the VM version reports multidex support.
     *
     * Review note: System.getProperty("java.vm.version") is only passed to a version check;
     * no code is loaded here.
     */
    static MultiDex()
    {
        // Relative folder name: code_cache/secondary-dexes, using the platform separator.
        com.google.appinventor.components.runtime.multidex.MultiDex.SECONDARY_FOLDER_NAME = "code_cache" + java.io.File.separator + "secondary-dexes";
        com.google.appinventor.components.runtime.multidex.MultiDex.installedApk = new java.util.HashSet();
        String vmVersion = System.getProperty("java.vm.version");
        com.google.appinventor.components.runtime.multidex.MultiDex.IS_VM_MULTIDEX_CAPABLE = com.google.appinventor.components.runtime.multidex.MultiDex.isVMMultidexCapable(vmVersion);
    }

Method com.google.appinventor.components.runtime.multidex.MultiDex$V4.install() calling method dalvik.system.DexFile.loadDex()


    /**
     * Adds a list of dex archives to a class loader by rewriting its internal fields.
     *
     * Each file is appended to the loader's "path" string, opened as a ZipFile and loaded
     * with DexFile.loadDex(); the collected arrays are then written to the loader's
     * "mPaths", "mFiles", "mZips" and "mDexs" fields.
     *
     * Review note: this is a real dynamic code loading site. No check on the files is made
     * in this method, so every entry of the list becomes executable code in the app. The
     * optimized output is written next to each source file (path + ".dex"), so that
     * directory must not be writable by other applications. Which callers reach this method
     * and what they validate is not visible in this listing.
     *
     * @param p13 the class loader to patch
     * @param p14 the archives to add; the elements are cast to java.io.File
     */
    private static void install(ClassLoader p13, java.util.List p14)
    {
        int v5 = p14.size();
        // access$300 presumably looks up the named field reflectively; confirm in MultiDex.
        reflect.Field v10 = com.google.appinventor.components.runtime.multidex.MultiDex.access$300(p13, "path");
        StringBuilder v9_1 = new StringBuilder(((String) v10.get(p13)));
        String[] v4 = new String[v5];
        java.io.File[] v3 = new java.io.File[v5];
        java.util.zip.ZipFile[] v6 = new java.util.zip.ZipFile[v5];
        dalvik.system.DexFile[] v2 = new dalvik.system.DexFile[v5];
        java.util.ListIterator v8 = p14.listIterator();
        while (v8.hasNext()) {
            java.io.File v0_1 = ((java.io.File) v8.next());
            String v1 = v0_1.getAbsolutePath();
            // 58 is ':' (presumably a char in the original): extend the loader's path.
            v9_1.append(58).append(v1);
            // previousIndex() after next() is the index of the element just returned.
            int v7 = v8.previousIndex();
            v4[v7] = v1;
            v3[v7] = v0_1;
            v6[v7] = new java.util.zip.ZipFile(v0_1);
            // Loads the dex from v1 and writes the optimized file to v1 + ".dex".
            v2[v7] = dalvik.system.DexFile.loadDex(v1, new StringBuilder().append(v1).append(".dex").toString(), 0);
        }
        v10.set(p13, v9_1.toString());
        // access$400 presumably sets the named field reflectively; confirm in MultiDex.
        com.google.appinventor.components.runtime.multidex.MultiDex.access$400(p13, "mPaths", v4);
        com.google.appinventor.components.runtime.multidex.MultiDex.access$400(p13, "mFiles", v3);
        com.google.appinventor.components.runtime.multidex.MultiDex.access$400(p13, "mZips", v6);
        com.google.appinventor.components.runtime.multidex.MultiDex.access$400(p13, "mDexs", v2);
        return;
    }

Method com.google.appinventor.components.runtime.ReplForm.loadComponents() calling method dalvik.system.DexClassLoader.<init>()


    /**
     * Loads the requested external components into a new DexClassLoader and installs it as
     * the context class loader of the current thread and of the main looper thread.
     *
     * Every sub-directory of REPL_COMP_DIR whose name is in the requested list is scanned:
     * its "classes.jar" is renamed to "<directory name>.jar" and, if that file exists and
     * has not been recorded yet, its path is added to the dex path. When the component
     * directory check fails, an error dialog event with code 3300 is dispatched instead.
     *
     * Review note: this is a real dynamic code loading site. No signature or hash check on
     * the jar files is visible in this method, so whoever can write to REPL_COMP_DIR
     * decides what code runs inside the app. REPL_COMP_DIR is defined outside this listing;
     * if it is on shared or external storage, other applications could replace the jars
     * before they are loaded. Verify its location and permissions.
     *
     * @param p18 the names of the component directories to load
     */
    public void loadComponents(java.util.List p18)
    {
        java.util.HashSet v7_1 = new java.util.HashSet(p18);
        // Optimized dex output goes to the app's "componentDexs" directory; mode 0 is
        // Context.MODE_PRIVATE.
        java.io.File v6 = com.google.appinventor.components.runtime.ReplForm.activeForm.$context().getDir("componentDexs", 0);
        java.io.File v4_1 = new java.io.File(com.google.appinventor.components.runtime.ReplForm.REPL_COMP_DIR);
        if (this.checkComponentDir()) {
            ClassLoader v9 = com.google.appinventor.components.runtime.ReplForm.getClassLoader();
            StringBuilder v10_1 = new StringBuilder();
            this.loadedExternalDexs.clear();
            // Decompiler artifact: v12_2 holds the File[] returned by listFiles().
            // NOTE(review): listFiles() can return null; that case is not handled here.
            String v12_2 = v4_1.listFiles();
            int v13_2 = v12_2.length;
            int v11_1 = 0;
            while (v11_1 < v13_2) {
                java.io.File v2 = v12_2[v11_1];
                // Only directories named in the requested list are considered.
                if ((v2.isDirectory()) && (v7_1.contains(v2.getName()))) {
                    java.io.File v3_1 = new java.io.File(new StringBuilder().append(v2.getPath()).append(java.io.File.separator).append("classes.jar").toString());
                    java.io.File v8_0 = new java.io.File(new StringBuilder().append(v2.getPath()).append(java.io.File.separator).append(v2.getName()).append(".jar").toString());
                    // The rename result is ignored; the exists() check below covers a failure.
                    v3_1.renameTo(v8_0);
                    if ((v8_0.exists()) && (!this.loadedExternalDexs.contains(v8_0.getName()))) {
                        android.util.Log.d(com.google.appinventor.components.runtime.ReplForm.LOG_TAG, new StringBuilder().append("Loading component dex ").append(v8_0.getAbsolutePath()).toString());
                        this.loadedExternalDexs.add(v8_0.getName());
                        v10_1.append(java.io.File.pathSeparatorChar);
                        v10_1.append(v8_0.getAbsolutePath());
                    }
                }
                v11_1++;
            }
            // substring(1) drops the leading path separator.
            // NOTE(review): it throws when no jar was added and the builder is empty.
            // Arguments: dex path, optimized-output directory, native library path (0 stands
            // for null), parent class loader.
            dalvik.system.DexClassLoader v5_1 = new dalvik.system.DexClassLoader(v10_1.substring(1), v6.getAbsolutePath(), 0, v9);
            Thread.currentThread().setContextClassLoader(v5_1);
            android.util.Log.d(com.google.appinventor.components.runtime.ReplForm.LOG_TAG, Thread.currentThread().toString());
            android.util.Log.d(com.google.appinventor.components.runtime.ReplForm.LOG_TAG, android.os.Looper.getMainLooper().getThread().toString());
            android.os.Looper.getMainLooper().getThread().setContextClassLoader(v5_1);
        } else {
            android.util.Log.d(com.google.appinventor.components.runtime.ReplForm.LOG_TAG, "Unable to create components directory");
            // Decompiler artifact: v13_1 is the Object[] of arguments for the error event.
            int v13_1 = new Object[3];
            v13_1[0] = Integer.valueOf(1);
            v13_1[1] = "App Inventor";
            v13_1[2] = "Unable to create component directory.";
            this.dispatchErrorOccurredEventDialog(this, "loadComponents", 3300, v13_1);
        }
        return;
    }