Potentially SQL injection

Description

Improper SQL query construction could lead to SQL injection. An SQL injection attack consists of injecting of an SQL query via the input data from the client to the application

Recommendation

Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks or access unauthorized content.

Technical details
[TAINT] Parameter '0' ==>>> Sink '['Landroid/database/sqlite/SQLiteDatabase;', 'rawQuery', '(Ljava/lang/String; [Ljava/lang/String;)Landroid/database/Cursor;', '0', 'SQL_SINK']' [[('Lcom/adobe/creativesdk/aviary/internal/cds/CdsProvider;', 'query', '(Landroid/net/Uri; [Ljava/lang/String; Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String;)Landroid/database/Cursor;'), ('Lcom/adobe/creativesdk/aviary/internal/cds/CdsDatabaseHelper;', 'getFeaturedBanners', '(I)Landroid/database/Cursor;'), ('Landroid/database/sqlite/SQLiteDatabase;', 'rawQuery', '(Ljava/lang/String; [Ljava/lang/String;)Landroid/database/Cursor;')]]

User controlled parameter is used to construct an SQL parameter vulnerable to SQL injection

Method com.adobe.creativesdk.aviary.internal.cds.CdsProvider.query():


    public android.database.Cursor query(android.net.Uri p11, String[] p12, String p13, String[] p14, String p15)
    {
        android.database.Cursor v0_0 = 0;
        int v8 = 1;
        switch (com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mUriMatcher.match(p11)) {
            case 1:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getManifestVersion(p12);
                break;
            case 2:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getMessages(p12, p13, p14);
                break;
            case 3:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getMessageByIdentifier(p11.getLastPathSegment(), p12);
                break;
            case 4:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getMessageContent(Long.parseLong(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2)))), p12);
                break;
            case 5:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackById(Long.parseLong(p11.getLastPathSegment()), p12);
                break;
            case 6:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackByIdentifier(p11.getLastPathSegment(), p12);
                break;
            case 7:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPacks(p12, p13, p14);
                break;
            case 8:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackContentById(Integer.parseInt(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2)))), p12);
                break;
            case 9:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackContentByIdentifier(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2))), p12);
                break;
            case 10:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackItems(Integer.parseInt(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 3)))), p12);
                break;
            case 11:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getAvailablePacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p13, p14, p15);
                break;
            case 12:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackItemById(((long) Integer.parseInt(p11.getLastPathSegment())), p12);
                break;
            case 13:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getActiveMessage(p11.getLastPathSegment(), p12);
                break;
            case 14:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getNextMessage(p11.getLastPathSegment(), p12);
                break;
            case 15:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getAvailableForRestorePacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p15);
                break;
            case 16:
            case 24:
            case 25:
            case 26:
            case 27:
            case 28:
            case 29:
            case 30:
            case 31:
            case 32:
            case 33:
            case 34:
            case 35:
            case 36:
            case 37:
            case 38:
            case 39:
            case 40:
            case 41:
            case 42:
            case 44:
            case 45:
            case 46:
            case 49:
            case 50:
            case 51:
            case 52:
            case 53:
            default:
                com.adobe.creativesdk.aviary.internal.cds.CdsProvider.logger.error(new StringBuilder().append("Unrecognized query: ").append(p11).toString());
                break;
            case 17:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getInstalledPacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p15);
                break;
            case 18:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getInstalledPacks(p12, "content_isFree>0", 0, p15);
                break;
            case 19:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getHiddenPacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p13, p14, p15);
                break;
            case 20:
                String v1_13 = ((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4)));
                int v6_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getAvailablePacksByType(v1_13, p12, p13, p14, p15);
                String v1_14 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getHiddenPacksByType(v1_13, p12, p13, p14, p15);
                int v2_6 = new android.database.Cursor[2];
                v2_6[0] = v6_0;
                v2_6[1] = v1_14;
                v0_0 = new android.database.MergeCursor(v2_6);
                break;
            case 21:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackItemByIdentifier(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 3))), p11.getLastPathSegment(), p12, p13, p14);
                break;
            case 22:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getFutureMessages(p11.getLastPathSegment(), p12);
                break;
            case 23:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getInstalledPacks(p12, 0, 0, p15);
                break;
            case 43:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPacksContent(p12, p13, p14, p15);
                break;
            case 47:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackDownloadStatus(p11.getLastPathSegment(), p12);
                break;
            case 48:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackIdOfDownload(p11.getLastPathSegment(), p12);
                break;
            case 54:
                int v6_1;
                int v2_22 = p11.getPathSegments();
                String v7 = p11.getLastPathSegment();
                String v1_63 = ((String) v2_22.get((v2_22.size() - 2)));
                if (Integer.parseInt(((String) v2_22.get((v2_22.size() - 3)))) != 1) {
                    v6_1 = 0;
                } else {
                    v6_1 = 1;
                }
                int v5_5;
                if (Integer.parseInt(((String) v2_22.get((v2_22.size() - 4)))) != 1) {
                    v5_5 = 0;
                } else {
                    v5_5 = 1;
                }
                int v3_1;
                int v4_7 = Integer.parseInt(((String) v2_22.get((v2_22.size() - 5))));
                int v3_0 = Integer.parseInt(((String) v2_22.get((v2_22.size() - 6))));
                int v2_1 = Integer.parseInt(((String) v2_22.get((v2_22.size() - 7))));
                if (v3_0 == 0) {
                    v3_1 = 0;
                } else {
                    v3_1 = 1;
                }
                int v4_0;
                if (v4_7 == 0) {
                    v4_0 = 0;
                } else {
                    v4_0 = 1;
                }
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getTray(v1_63, v2_1, v3_1, v4_0, v5_5, v6_1, v7);
                break;
            case 55:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPermissions(p12);
                break;
            case 56:
                String v1_60 = Integer.parseInt(p11.getLastPathSegment());
                if (Integer.parseInt(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2)))) <= 0) {
                    v8 = 0;
                }
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getFeatured(v8, v1_60);
                break;
            case 57:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getFeaturedBanners(Integer.parseInt(p11.getLastPathSegment()));
                break;
            case 58:
                String v1_64 = p11.getPathSegments();
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getTrayItems(Long.parseLong(p11.getLastPathSegment()), ((String) v1_64.get((v1_64.size() - 3))), ((String) v1_64.get((v1_64.size() - 2))));
                break;
        }
        return v0_0;
    }

Method com.adobe.creativesdk.aviary.internal.cds.CdsDatabaseHelper.getFeaturedBanners():


    android.database.Cursor getFeaturedBanners(int p4)
    {
        android.database.Cursor v0 = 0;
        if (p4 >= 1) {
            String v1_1 = new StringBuilder().append("SELECT pack_id as _id, pack_identifier as identifier, pack_type as packType, content_displayName as displayName, content_featureImageURL as featureURL, content_featureImageLocalPath as featureImageLocalPath, content_isFree as free, content_purchased as purchased, 0 as type FROM (SELECT * FROM content_table JOIN packs_table ON (packs_table.pack_id=content_table.content_packId) WHERE ifnull(length(content_featureImageURL), 0) > 0 AND pack_visible=1 AND pack_markedForDeletion=0 ORDER BY content_isFree DESC, pack_displayOrder DESC, pack_id DESC ) GROUP BY pack_type LIMIT 0, ").append(p4).toString();
            android.database.sqlite.SQLiteDatabase v2_0 = this.getReadableDatabase();
            if (v2_0 != null) {
                v0 = v2_0.rawQuery(v1_1, 0);
            }
        }
        return v0;
    }

Method android.database.sqlite.SQLiteDatabase.rawQuery() not found.

[TAINT] Parameter '1' ==>>> Sink '['Landroid/database/sqlite/SQLiteDatabase;', 'query', '(Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)Landroid/database/Cursor;', '1', 'SQL_SINK']' [[('Lcom/adobe/creativesdk/aviary/internal/cds/CdsProvider;', 'query', '(Landroid/net/Uri; [Ljava/lang/String; Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String;)Landroid/database/Cursor;'), ('Lcom/adobe/creativesdk/aviary/internal/cds/CdsDatabaseHelper;', 'getPermissions', '([Ljava/lang/String;)Landroid/database/Cursor;'), ('Landroid/database/sqlite/SQLiteDatabase;', 'query', '(Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)Landroid/database/Cursor;')]]

User controlled parameter is used to construct an SQL parameter vulnerable to SQL injection

Method com.adobe.creativesdk.aviary.internal.cds.CdsProvider.query():


    public android.database.Cursor query(android.net.Uri p11, String[] p12, String p13, String[] p14, String p15)
    {
        android.database.Cursor v0_0 = 0;
        int v8 = 1;
        switch (com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mUriMatcher.match(p11)) {
            case 1:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getManifestVersion(p12);
                break;
            case 2:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getMessages(p12, p13, p14);
                break;
            case 3:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getMessageByIdentifier(p11.getLastPathSegment(), p12);
                break;
            case 4:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getMessageContent(Long.parseLong(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2)))), p12);
                break;
            case 5:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackById(Long.parseLong(p11.getLastPathSegment()), p12);
                break;
            case 6:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackByIdentifier(p11.getLastPathSegment(), p12);
                break;
            case 7:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPacks(p12, p13, p14);
                break;
            case 8:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackContentById(Integer.parseInt(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2)))), p12);
                break;
            case 9:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackContentByIdentifier(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2))), p12);
                break;
            case 10:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackItems(Integer.parseInt(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 3)))), p12);
                break;
            case 11:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getAvailablePacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p13, p14, p15);
                break;
            case 12:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackItemById(((long) Integer.parseInt(p11.getLastPathSegment())), p12);
                break;
            case 13:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getActiveMessage(p11.getLastPathSegment(), p12);
                break;
            case 14:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getNextMessage(p11.getLastPathSegment(), p12);
                break;
            case 15:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getAvailableForRestorePacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p15);
                break;
            case 16:
            case 24:
            case 25:
            case 26:
            case 27:
            case 28:
            case 29:
            case 30:
            case 31:
            case 32:
            case 33:
            case 34:
            case 35:
            case 36:
            case 37:
            case 38:
            case 39:
            case 40:
            case 41:
            case 42:
            case 44:
            case 45:
            case 46:
            case 49:
            case 50:
            case 51:
            case 52:
            case 53:
            default:
                com.adobe.creativesdk.aviary.internal.cds.CdsProvider.logger.error(new StringBuilder().append("Unrecognized query: ").append(p11).toString());
                break;
            case 17:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getInstalledPacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p15);
                break;
            case 18:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getInstalledPacks(p12, "content_isFree>0", 0, p15);
                break;
            case 19:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getHiddenPacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p13, p14, p15);
                break;
            case 20:
                String v1_13 = ((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4)));
                int v6_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getAvailablePacksByType(v1_13, p12, p13, p14, p15);
                String v1_14 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getHiddenPacksByType(v1_13, p12, p13, p14, p15);
                int v2_6 = new android.database.Cursor[2];
                v2_6[0] = v6_0;
                v2_6[1] = v1_14;
                v0_0 = new android.database.MergeCursor(v2_6);
                break;
            case 21:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackItemByIdentifier(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 3))), p11.getLastPathSegment(), p12, p13, p14);
                break;
            case 22:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getFutureMessages(p11.getLastPathSegment(), p12);
                break;
            case 23:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getInstalledPacks(p12, 0, 0, p15);
                break;
            case 43:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPacksContent(p12, p13, p14, p15);
                break;
            case 47:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackDownloadStatus(p11.getLastPathSegment(), p12);
                break;
            case 48:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackIdOfDownload(p11.getLastPathSegment(), p12);
                break;
            case 54:
                int v6_1;
                int v2_22 = p11.getPathSegments();
                String v7 = p11.getLastPathSegment();
                String v1_63 = ((String) v2_22.get((v2_22.size() - 2)));
                if (Integer.parseInt(((String) v2_22.get((v2_22.size() - 3)))) != 1) {
                    v6_1 = 0;
                } else {
                    v6_1 = 1;
                }
                int v5_5;
                if (Integer.parseInt(((String) v2_22.get((v2_22.size() - 4)))) != 1) {
                    v5_5 = 0;
                } else {
                    v5_5 = 1;
                }
                int v3_1;
                int v4_7 = Integer.parseInt(((String) v2_22.get((v2_22.size() - 5))));
                int v3_0 = Integer.parseInt(((String) v2_22.get((v2_22.size() - 6))));
                int v2_1 = Integer.parseInt(((String) v2_22.get((v2_22.size() - 7))));
                if (v3_0 == 0) {
                    v3_1 = 0;
                } else {
                    v3_1 = 1;
                }
                int v4_0;
                if (v4_7 == 0) {
                    v4_0 = 0;
                } else {
                    v4_0 = 1;
                }
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getTray(v1_63, v2_1, v3_1, v4_0, v5_5, v6_1, v7);
                break;
            case 55:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPermissions(p12);
                break;
            case 56:
                String v1_60 = Integer.parseInt(p11.getLastPathSegment());
                if (Integer.parseInt(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2)))) <= 0) {
                    v8 = 0;
                }
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getFeatured(v8, v1_60);
                break;
            case 57:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getFeaturedBanners(Integer.parseInt(p11.getLastPathSegment()));
                break;
            case 58:
                String v1_64 = p11.getPathSegments();
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getTrayItems(Long.parseLong(p11.getLastPathSegment()), ((String) v1_64.get((v1_64.size() - 3))), ((String) v1_64.get((v1_64.size() - 2))));
                break;
        }
        return v0_0;
    }

Method com.adobe.creativesdk.aviary.internal.cds.CdsDatabaseHelper.getPermissions():


    android.database.Cursor getPermissions(String[] p9)
    {
        android.database.Cursor v3 = 0;
        android.database.sqlite.SQLiteDatabase v0 = this.getReadableDatabase();
        if (v0 != null) {
            v3 = v0.query("permission_table", p9, 0, 0, 0, 0, "perm_id DESC");
        }
        return v3;
    }

Method android.database.sqlite.SQLiteDatabase.query() not found.

[TAINT] Parameter '1' ==>>> Sink '['Landroid/database/sqlite/SQLiteDatabase;', 'query', '(Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)Landroid/database/Cursor;', '1', 'SQL_SINK']' [[('Lcom/adobe/creativesdk/aviary/internal/cds/ExtCdsProvider;', 'query', '(Landroid/net/Uri; [Ljava/lang/String; Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String;)Landroid/database/Cursor;'), ('Lcom/adobe/creativesdk/aviary/internal/cds/CdsProvider;', 'query', '(Landroid/net/Uri; [Ljava/lang/String; Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String;)Landroid/database/Cursor;'), ('Lcom/adobe/creativesdk/aviary/internal/cds/CdsDatabaseHelper;', 'getPermissions', '([Ljava/lang/String;)Landroid/database/Cursor;'), ('Landroid/database/sqlite/SQLiteDatabase;', 'query', '(Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)Landroid/database/Cursor;')]]

User controlled parameter is used to construct an SQL parameter vulnerable to SQL injection

Method com.adobe.creativesdk.aviary.internal.cds.ExtCdsProvider.query():


    public android.database.Cursor query(android.net.Uri p7, String[] p8, String p9, String[] p10, String p11)
    {
        android.database.Cursor v0_1 = this.cdsProvider.query(p7, p8, p9, p10, p11);
        if (this.uriMatcher.match(p7) == 54) {
            v0_1 = this.filterNonInternal(v0_1);
        }
        return v0_1;
    }

Method com.adobe.creativesdk.aviary.internal.cds.CdsProvider.query():


    public android.database.Cursor query(android.net.Uri p11, String[] p12, String p13, String[] p14, String p15)
    {
        android.database.Cursor v0_0 = 0;
        int v8 = 1;
        switch (com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mUriMatcher.match(p11)) {
            case 1:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getManifestVersion(p12);
                break;
            case 2:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getMessages(p12, p13, p14);
                break;
            case 3:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getMessageByIdentifier(p11.getLastPathSegment(), p12);
                break;
            case 4:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getMessageContent(Long.parseLong(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2)))), p12);
                break;
            case 5:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackById(Long.parseLong(p11.getLastPathSegment()), p12);
                break;
            case 6:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackByIdentifier(p11.getLastPathSegment(), p12);
                break;
            case 7:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPacks(p12, p13, p14);
                break;
            case 8:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackContentById(Integer.parseInt(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2)))), p12);
                break;
            case 9:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackContentByIdentifier(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2))), p12);
                break;
            case 10:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackItems(Integer.parseInt(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 3)))), p12);
                break;
            case 11:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getAvailablePacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p13, p14, p15);
                break;
            case 12:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackItemById(((long) Integer.parseInt(p11.getLastPathSegment())), p12);
                break;
            case 13:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getActiveMessage(p11.getLastPathSegment(), p12);
                break;
            case 14:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getNextMessage(p11.getLastPathSegment(), p12);
                break;
            case 15:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getAvailableForRestorePacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p15);
                break;
            case 16:
            case 24:
            case 25:
            case 26:
            case 27:
            case 28:
            case 29:
            case 30:
            case 31:
            case 32:
            case 33:
            case 34:
            case 35:
            case 36:
            case 37:
            case 38:
            case 39:
            case 40:
            case 41:
            case 42:
            case 44:
            case 45:
            case 46:
            case 49:
            case 50:
            case 51:
            case 52:
            case 53:
            default:
                com.adobe.creativesdk.aviary.internal.cds.CdsProvider.logger.error(new StringBuilder().append("Unrecognized query: ").append(p11).toString());
                break;
            case 17:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getInstalledPacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p15);
                break;
            case 18:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getInstalledPacks(p12, "content_isFree>0", 0, p15);
                break;
            case 19:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getHiddenPacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p13, p14, p15);
                break;
            case 20:
                String v1_13 = ((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4)));
                int v6_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getAvailablePacksByType(v1_13, p12, p13, p14, p15);
                String v1_14 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getHiddenPacksByType(v1_13, p12, p13, p14, p15);
                int v2_6 = new android.database.Cursor[2];
                v2_6[0] = v6_0;
                v2_6[1] = v1_14;
                v0_0 = new android.database.MergeCursor(v2_6);
                break;
            case 21:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackItemByIdentifier(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 3))), p11.getLastPathSegment(), p12, p13, p14);
                break;
            case 22:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getFutureMessages(p11.getLastPathSegment(), p12);
                break;
            case 23:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getInstalledPacks(p12, 0, 0, p15);
                break;
            case 43:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPacksContent(p12, p13, p14, p15);
                break;
            case 47:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackDownloadStatus(p11.getLastPathSegment(), p12);
                break;
            case 48:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackIdOfDownload(p11.getLastPathSegment(), p12);
                break;
            case 54:
                int v6_1;
                int v2_22 = p11.getPathSegments();
                String v7 = p11.getLastPathSegment();
                String v1_63 = ((String) v2_22.get((v2_22.size() - 2)));
                if (Integer.parseInt(((String) v2_22.get((v2_22.size() - 3)))) != 1) {
                    v6_1 = 0;
                } else {
                    v6_1 = 1;
                }
                int v5_5;
                if (Integer.parseInt(((String) v2_22.get((v2_22.size() - 4)))) != 1) {
                    v5_5 = 0;
                } else {
                    v5_5 = 1;
                }
                int v3_1;
                int v4_7 = Integer.parseInt(((String) v2_22.get((v2_22.size() - 5))));
                int v3_0 = Integer.parseInt(((String) v2_22.get((v2_22.size() - 6))));
                int v2_1 = Integer.parseInt(((String) v2_22.get((v2_22.size() - 7))));
                if (v3_0 == 0) {
                    v3_1 = 0;
                } else {
                    v3_1 = 1;
                }
                int v4_0;
                if (v4_7 == 0) {
                    v4_0 = 0;
                } else {
                    v4_0 = 1;
                }
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getTray(v1_63, v2_1, v3_1, v4_0, v5_5, v6_1, v7);
                break;
            case 55:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPermissions(p12);
                break;
            case 56:
                String v1_60 = Integer.parseInt(p11.getLastPathSegment());
                if (Integer.parseInt(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2)))) <= 0) {
                    v8 = 0;
                }
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getFeatured(v8, v1_60);
                break;
            case 57:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getFeaturedBanners(Integer.parseInt(p11.getLastPathSegment()));
                break;
            case 58:
                String v1_64 = p11.getPathSegments();
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getTrayItems(Long.parseLong(p11.getLastPathSegment()), ((String) v1_64.get((v1_64.size() - 3))), ((String) v1_64.get((v1_64.size() - 2))));
                break;
        }
        return v0_0;
    }

Method com.adobe.creativesdk.aviary.internal.cds.CdsDatabaseHelper.getPermissions():


    android.database.Cursor getPermissions(String[] p9)
    {
        android.database.Cursor v3 = 0;
        android.database.sqlite.SQLiteDatabase v0 = this.getReadableDatabase();
        if (v0 != null) {
            v3 = v0.query("permission_table", p9, 0, 0, 0, 0, "perm_id DESC");
        }
        return v3;
    }

Method android.database.sqlite.SQLiteDatabase.query() not found.

[TAINT] Parameter '0' ==>>> Sink '['Landroid/database/sqlite/SQLiteDatabase;', 'rawQuery', '(Ljava/lang/String; [Ljava/lang/String;)Landroid/database/Cursor;', '0', 'SQL_SINK']' [[('Lcom/adobe/creativesdk/aviary/internal/cds/ExtCdsProvider;', 'query', '(Landroid/net/Uri; [Ljava/lang/String; Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String;)Landroid/database/Cursor;'), ('Lcom/adobe/creativesdk/aviary/internal/cds/CdsProvider;', 'query', '(Landroid/net/Uri; [Ljava/lang/String; Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String;)Landroid/database/Cursor;'), ('Lcom/adobe/creativesdk/aviary/internal/cds/CdsDatabaseHelper;', 'getFeaturedBanners', '(I)Landroid/database/Cursor;'), ('Landroid/database/sqlite/SQLiteDatabase;', 'rawQuery', '(Ljava/lang/String; [Ljava/lang/String;)Landroid/database/Cursor;')]]

User controlled parameter is used to construct an SQL parameter vulnerable to SQL injection

Method com.adobe.creativesdk.aviary.internal.cds.ExtCdsProvider.query():


    public android.database.Cursor query(android.net.Uri p7, String[] p8, String p9, String[] p10, String p11)
    {
        android.database.Cursor v0_1 = this.cdsProvider.query(p7, p8, p9, p10, p11);
        if (this.uriMatcher.match(p7) == 54) {
            v0_1 = this.filterNonInternal(v0_1);
        }
        return v0_1;
    }

Method com.adobe.creativesdk.aviary.internal.cds.CdsProvider.query():


    public android.database.Cursor query(android.net.Uri p11, String[] p12, String p13, String[] p14, String p15)
    {
        android.database.Cursor v0_0 = 0;
        int v8 = 1;
        switch (com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mUriMatcher.match(p11)) {
            case 1:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getManifestVersion(p12);
                break;
            case 2:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getMessages(p12, p13, p14);
                break;
            case 3:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getMessageByIdentifier(p11.getLastPathSegment(), p12);
                break;
            case 4:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getMessageContent(Long.parseLong(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2)))), p12);
                break;
            case 5:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackById(Long.parseLong(p11.getLastPathSegment()), p12);
                break;
            case 6:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackByIdentifier(p11.getLastPathSegment(), p12);
                break;
            case 7:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPacks(p12, p13, p14);
                break;
            case 8:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackContentById(Integer.parseInt(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2)))), p12);
                break;
            case 9:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackContentByIdentifier(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2))), p12);
                break;
            case 10:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackItems(Integer.parseInt(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 3)))), p12);
                break;
            case 11:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getAvailablePacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p13, p14, p15);
                break;
            case 12:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackItemById(((long) Integer.parseInt(p11.getLastPathSegment())), p12);
                break;
            case 13:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getActiveMessage(p11.getLastPathSegment(), p12);
                break;
            case 14:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getNextMessage(p11.getLastPathSegment(), p12);
                break;
            case 15:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getAvailableForRestorePacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p15);
                break;
            case 16:
            case 24:
            case 25:
            case 26:
            case 27:
            case 28:
            case 29:
            case 30:
            case 31:
            case 32:
            case 33:
            case 34:
            case 35:
            case 36:
            case 37:
            case 38:
            case 39:
            case 40:
            case 41:
            case 42:
            case 44:
            case 45:
            case 46:
            case 49:
            case 50:
            case 51:
            case 52:
            case 53:
            default:
                com.adobe.creativesdk.aviary.internal.cds.CdsProvider.logger.error(new StringBuilder().append("Unrecognized query: ").append(p11).toString());
                break;
            case 17:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getInstalledPacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p15);
                break;
            case 18:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getInstalledPacks(p12, "content_isFree>0", 0, p15);
                break;
            case 19:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getHiddenPacksByType(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4))), p12, p13, p14, p15);
                break;
            case 20:
                String v1_13 = ((String) p11.getPathSegments().get((p11.getPathSegments().size() - 4)));
                int v6_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getAvailablePacksByType(v1_13, p12, p13, p14, p15);
                String v1_14 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getHiddenPacksByType(v1_13, p12, p13, p14, p15);
                int v2_6 = new android.database.Cursor[2];
                v2_6[0] = v6_0;
                v2_6[1] = v1_14;
                v0_0 = new android.database.MergeCursor(v2_6);
                break;
            case 21:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackItemByIdentifier(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 3))), p11.getLastPathSegment(), p12, p13, p14);
                break;
            case 22:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getFutureMessages(p11.getLastPathSegment(), p12);
                break;
            case 23:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getInstalledPacks(p12, 0, 0, p15);
                break;
            case 43:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPacksContent(p12, p13, p14, p15);
                break;
            case 47:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackDownloadStatus(p11.getLastPathSegment(), p12);
                break;
            case 48:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPackIdOfDownload(p11.getLastPathSegment(), p12);
                break;
            case 54:
                int v6_1;
                int v2_22 = p11.getPathSegments();
                String v7 = p11.getLastPathSegment();
                String v1_63 = ((String) v2_22.get((v2_22.size() - 2)));
                if (Integer.parseInt(((String) v2_22.get((v2_22.size() - 3)))) != 1) {
                    v6_1 = 0;
                } else {
                    v6_1 = 1;
                }
                int v5_5;
                if (Integer.parseInt(((String) v2_22.get((v2_22.size() - 4)))) != 1) {
                    v5_5 = 0;
                } else {
                    v5_5 = 1;
                }
                int v3_1;
                int v4_7 = Integer.parseInt(((String) v2_22.get((v2_22.size() - 5))));
                int v3_0 = Integer.parseInt(((String) v2_22.get((v2_22.size() - 6))));
                int v2_1 = Integer.parseInt(((String) v2_22.get((v2_22.size() - 7))));
                if (v3_0 == 0) {
                    v3_1 = 0;
                } else {
                    v3_1 = 1;
                }
                int v4_0;
                if (v4_7 == 0) {
                    v4_0 = 0;
                } else {
                    v4_0 = 1;
                }
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getTray(v1_63, v2_1, v3_1, v4_0, v5_5, v6_1, v7);
                break;
            case 55:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getPermissions(p12);
                break;
            case 56:
                String v1_60 = Integer.parseInt(p11.getLastPathSegment());
                if (Integer.parseInt(((String) p11.getPathSegments().get((p11.getPathSegments().size() - 2)))) <= 0) {
                    v8 = 0;
                }
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getFeatured(v8, v1_60);
                break;
            case 57:
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getFeaturedBanners(Integer.parseInt(p11.getLastPathSegment()));
                break;
            case 58:
                String v1_64 = p11.getPathSegments();
                v0_0 = com.adobe.creativesdk.aviary.internal.cds.CdsProvider.mDbHelper.getTrayItems(Long.parseLong(p11.getLastPathSegment()), ((String) v1_64.get((v1_64.size() - 3))), ((String) v1_64.get((v1_64.size() - 2))));
                break;
        }
        return v0_0;
    }

Method com.adobe.creativesdk.aviary.internal.cds.CdsDatabaseHelper.getFeaturedBanners():


    android.database.Cursor getFeaturedBanners(int p4)
    {
        android.database.Cursor v0 = 0;
        if (p4 >= 1) {
            String v1_1 = new StringBuilder().append("SELECT pack_id as _id, pack_identifier as identifier, pack_type as packType, content_displayName as displayName, content_featureImageURL as featureURL, content_featureImageLocalPath as featureImageLocalPath, content_isFree as free, content_purchased as purchased, 0 as type FROM (SELECT * FROM content_table JOIN packs_table ON (packs_table.pack_id=content_table.content_packId) WHERE ifnull(length(content_featureImageURL), 0) > 0 AND pack_visible=1 AND pack_markedForDeletion=0 ORDER BY content_isFree DESC, pack_displayOrder DESC, pack_id DESC ) GROUP BY pack_type LIMIT 0, ").append(p4).toString();
            android.database.sqlite.SQLiteDatabase v2_0 = this.getReadableDatabase();
            if (v2_0 != null) {
                v0 = v2_0.rawQuery(v1_1, 0);
            }
        }
        return v0;
    }

Method android.database.sqlite.SQLiteDatabase.rawQuery() not found.