Merge pull request #15281 from joefarebrother/android-sensitive-ui-notif

Java: Add query for exposure of sensitive information to android notifiactions

java/ql/test/library-tests/frameworks/android/notification/Test.java

@@ -942,14 +942,28 @@ public class Test {
 			// "androidx.core.app;NotificationCompat$BigPictureStyle;true;bigLargeIcon;;;Argument[this];ReturnValue;value;manual"
 			NotificationCompat.BigPictureStyle out = null;
 			NotificationCompat.BigPictureStyle in = (NotificationCompat.BigPictureStyle) source();
-			out = in.bigLargeIcon(null);
+			out = in.bigLargeIcon((Bitmap)null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.core.app;NotificationCompat$BigPictureStyle;true;bigLargeIcon;;;Argument[this];ReturnValue;value;manual"
+			NotificationCompat.BigPictureStyle out = null;
+			NotificationCompat.BigPictureStyle in = (NotificationCompat.BigPictureStyle) source();
+			out = in.bigLargeIcon((Icon)null);
 			sink(out); // $ hasValueFlow
 		}
 		{
 			// "androidx.core.app;NotificationCompat$BigPictureStyle;true;bigPicture;;;Argument[this];ReturnValue;value;manual"
 			NotificationCompat.BigPictureStyle out = null;
 			NotificationCompat.BigPictureStyle in = (NotificationCompat.BigPictureStyle) source();
-			out = in.bigPicture(null);
+			out = in.bigPicture((Bitmap)null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.core.app;NotificationCompat$BigPictureStyle;true;bigPicture;;;Argument[this];ReturnValue;value;manual"
+			NotificationCompat.BigPictureStyle out = null;
+			NotificationCompat.BigPictureStyle in = (NotificationCompat.BigPictureStyle) source();
+			out = in.bigPicture((Icon)null);
 			sink(out); // $ hasValueFlow
 		}
 		{
@@ -1040,7 +1054,14 @@ public class Test {
 			// "androidx.core.app;NotificationCompat$Builder;true;addPerson;;;Argument[this];ReturnValue;value;manual"
 			NotificationCompat.Builder out = null;
 			NotificationCompat.Builder in = (NotificationCompat.Builder) source();
-			out = in.addPerson(null);
+			out = in.addPerson((androidx.core.app.Person)null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.core.app;NotificationCompat$Builder;true;addPerson;;;Argument[this];ReturnValue;value;manual"
+			NotificationCompat.Builder out = null;
+			NotificationCompat.Builder in = (NotificationCompat.Builder) source();
+			out = in.addPerson((String)null);
 			sink(out); // $ hasValueFlow
 		}
 		{
@@ -1252,7 +1273,14 @@ public class Test {
 			// "androidx.core.app;NotificationCompat$Builder;true;setLargeIcon;;;Argument[this];ReturnValue;value;manual"
 			NotificationCompat.Builder out = null;
 			NotificationCompat.Builder in = (NotificationCompat.Builder) source();
-			out = in.setLargeIcon(null);
+			out = in.setLargeIcon((Bitmap)null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.core.app;NotificationCompat$Builder;true;setLargeIcon;;;Argument[this];ReturnValue;value;manual"
+			NotificationCompat.Builder out = null;
+			NotificationCompat.Builder in = (NotificationCompat.Builder) source();
+			out = in.setLargeIcon((Icon)null);
 			sink(out); // $ hasValueFlow
 		}
 		{

java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveNotification/Test.java

@@ -0,0 +1,129 @@
+import android.app.Activity;
+import android.app.Notification;
+import androidx.core.app.NotificationCompat;
+import android.content.Intent;
+import android.app.PendingIntent;
+import android.widget.RemoteViews;
+
+class Test extends Activity {
+    void test(String password) {
+        Notification.Builder builder = new Notification.Builder(this, "");
+        builder.setContentText(password); // $sensitive-notification
+        builder.setContentTitle(password); // $sensitive-notification
+        builder.setContentInfo(password); // $sensitive-notification
+
+        Intent intent = new Intent();
+        intent.putExtra("a", password);
+
+        builder.addExtras(intent.getExtras()); // $sensitive-notification
+        builder.setCategory(password); // $sensitive-notification
+        builder.setChannelId(password); // $sensitive-notification
+        builder.setGroup(password); // $sensitive-notification
+        builder.setExtras(intent.getExtras()); // $sensitive-notification
+        builder.setGroup(password); // $sensitive-notification
+        builder.setSortKey(password); // $sensitive-notification
+        builder.setSettingsText(password); // $sensitive-notification
+        builder.setRemoteInputHistory(new CharSequence[] { password }); // $sensitive-notification
+        builder.setTicker(password); // $sensitive-notification
+        builder.setTicker(password, null); // $sensitive-notification
+
+        builder.setStyle(new Notification.BigPictureStyle()
+            .setContentDescription(password) // $sensitive-notification
+            .setSummaryText(password) // $sensitive-notification
+            .setBigContentTitle(password)); // $sensitive-notification
+        builder.setStyle(new Notification.BigTextStyle()
+            .bigText(password) // $sensitive-notification
+            .setSummaryText(password) // $sensitive-notification
+            .setBigContentTitle(password)); // $sensitive-notification
+        builder.setStyle(new Notification.InboxStyle()
+            .addLine(password) // $sensitive-notification
+            .setBigContentTitle(password) // $sensitive-notification
+            .setSummaryText(password)); // $sensitive-notification
+        builder.setStyle(new Notification.MediaStyle()
+            .setRemotePlaybackInfo(password, 0, null)); // $sensitive-notification
+        builder.setStyle( 
+                new Notification.MessagingStyle(password) // $sensitive-notification
+                    .setConversationTitle(password) // $sensitive-notification
+                    .addMessage(password, 0, "") // $sensitive-notification
+                    .addMessage(password, 0, (android.app.Person)null) // $sensitive-notification
+                    .addMessage("", 0, password) // $sensitive-notification
+                    .addMessage(new Notification.MessagingStyle.Message(password, 0, "")) // $sensitive-notification
+                    .addMessage(new Notification.MessagingStyle.Message(password, 0, (android.app.Person)null)) // $sensitive-notification
+                    .addMessage(new Notification.MessagingStyle.Message("", 0, password)) // $sensitive-notification
+                );
+
+        builder.addAction(0, password, null); // $sensitive-notification
+        builder.addAction(new Notification.Action(0, password, null)); // $sensitive-notification
+        builder.addAction(new Notification.Action.Builder(0, password, null) // $sensitive-notification
+            .addExtras(intent.getExtras()) // $sensitive-notification
+            .build());
+        builder.addAction(new Notification.Action.Builder(null, password, null).build()); // $sensitive-notification
+
+        builder.setStyle(Notification.CallStyle.forScreeningCall(null, null, null) 
+            .setVerificationText(password)); // $sensitive-notification
+    }
+
+    void test2(RemoteViews passwordView) {
+        Notification.Builder builder = new Notification.Builder(this, "");
+        builder.setContent(passwordView); // $sensitive-notification
+        builder.setCustomBigContentView(passwordView); // $sensitive-notification
+        builder.setCustomContentView(passwordView); // $sensitive-notification
+        builder.setCustomHeadsUpContentView(passwordView); // $sensitive-notification
+        builder.setTicker("", passwordView); // $sensitive-notification
+    }
+
+    void test3(String password) {
+        NotificationCompat.Builder builder = new NotificationCompat.Builder(this, "");
+        builder.setContentText(password); // $sensitive-notification
+        builder.setContentTitle(password); // $sensitive-notification
+        builder.setContentInfo(password); // $sensitive-notification
+
+        Intent intent = new Intent();
+        intent.putExtra("a", password);
+
+        builder.addExtras(intent.getExtras()); // $sensitive-notification
+        builder.setCategory(password); // $sensitive-notification
+        builder.setChannelId(password); // $sensitive-notification
+        builder.setGroup(password); // $sensitive-notification
+        builder.setExtras(intent.getExtras()); // $sensitive-notification
+        builder.setGroup(password); // $sensitive-notification
+        builder.setSortKey(password); // $sensitive-notification
+        builder.setSettingsText(password); // $sensitive-notification
+        builder.setRemoteInputHistory(new CharSequence[] { password }); // $sensitive-notification
+        builder.setTicker(password); // $sensitive-notification
+        builder.setTicker(password, null); // $sensitive-notification
+
+        builder.setStyle(new NotificationCompat.BigPictureStyle()
+            .setContentDescription(password) // $sensitive-notification
+            .setSummaryText(password) // $sensitive-notification
+            .setBigContentTitle(password)); // $sensitive-notification
+        builder.setStyle(new NotificationCompat.BigTextStyle()
+            .bigText(password) // $sensitive-notification
+            .setSummaryText(password) // $sensitive-notification
+            .setBigContentTitle(password)); // $sensitive-notification
+        builder.setStyle(new NotificationCompat.InboxStyle()
+            .addLine(password) // $sensitive-notification
+            .setBigContentTitle(password) // $sensitive-notification
+            .setSummaryText(password)); // $sensitive-notification
+        builder.setStyle( 
+                new NotificationCompat.MessagingStyle(password) // $sensitive-notification
+                    .setConversationTitle(password) // $sensitive-notification
+                    .addMessage(password, 0, "") // $sensitive-notification
+                    .addMessage(password, 0, (androidx.core.app.Person)null) // $sensitive-notification
+                    .addMessage("", 0, password) // $sensitive-notification
+                    .addMessage(new NotificationCompat.MessagingStyle.Message(password, 0, "")) // $sensitive-notification
+                    .addMessage(new NotificationCompat.MessagingStyle.Message(password, 0, (androidx.core.app.Person)null)) // $sensitive-notification
+                    .addMessage(new NotificationCompat.MessagingStyle.Message("", 0, password)) // $sensitive-notification
+                );
+
+        builder.addAction(0, password, null); // $sensitive-notification
+        builder.addAction(new NotificationCompat.Action(0, password, null)); // $sensitive-notification
+        builder.addAction(new NotificationCompat.Action.Builder(0, password, null) // $sensitive-notification
+            .addExtras(intent.getExtras()) // $sensitive-notification
+            .build());
+        builder.addAction(new NotificationCompat.Action.Builder(null, password, null).build()); // $sensitive-notification
+
+        builder.setStyle(NotificationCompat.CallStyle.forScreeningCall(null, null, null)
+            .setVerificationText(password)); // $sensitive-notification
+    }
+}

java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveNotification/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/google-android-9.0.0

java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveNotification/test.expected

@@ -0,0 +1,2 @@
+testFailures
+failures

java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveNotification/test.ql

@@ -0,0 +1,19 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.SensitiveUiQuery
+
+module SensitiveNotifTest implements TestSig {
+  string getARelevantTag() { result = "sensitive-notification" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "sensitive-notification" and
+    exists(DataFlow::Node sink | NotificationTracking::flowTo(sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<SensitiveNotifTest>

java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/apache-commons-lang3-3.7/

java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/google-android-9.0.0

java/ql/test/query-tests/security/CWE-200/semmle/tests/options

@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7/:${testdir}/../../../../../stubs/google-android-9.0.0

java/ql/test/stubs/google-android-9.0.0/android/app/Notification.java

@@ -358,6 +358,17 @@ public class Notification implements Parcelable
         public RemoteViews createHeadsUpContentView(){ return null; }
         public static Notification.Builder recoverBuilder(Context p0, Notification p1){ return null; }
     }
+    static public class CallStyle extends Notification.Style
+    {
+        public Notification.CallStyle setAnswerButtonColorHint(int p0){ return null; }
+        public Notification.CallStyle setDeclineButtonColorHint(int p0){ return null; }
+        public Notification.CallStyle setIsVideo(boolean p0){ return null; }
+        public Notification.CallStyle setVerificationIcon(Icon p0){ return null; }
+        public Notification.CallStyle setVerificationText(CharSequence p0){ return null; }
+        public static Notification.CallStyle forIncomingCall(Person p0, PendingIntent p1, PendingIntent p2){ return null; }
+        public static Notification.CallStyle forOngoingCall(Person p0, PendingIntent p1){ return null; }
+        public static Notification.CallStyle forScreeningCall(Person p0, PendingIntent p1, PendingIntent p2){ return null; }
+    }
     static public class InboxStyle extends Notification.Style
     {
         public InboxStyle(){}
@@ -371,8 +382,43 @@ public class Notification implements Parcelable
         public MediaStyle(){}
         public MediaStyle(Notification.Builder p0){}
         public Notification.MediaStyle setMediaSession(MediaSession.Token p0){ return null; }
+        public Notification.MediaStyle setRemotePlaybackInfo(CharSequence p0, int p1, PendingIntent p2){ return null; } // added manually
         public Notification.MediaStyle setShowActionsInCompactView(int... p0){ return null; }
     }
+    static public class MessagingStyle extends Notification.Style
+    {
+        protected MessagingStyle() {}
+        public CharSequence getConversationTitle(){ return null; }
+        public CharSequence getUserDisplayName(){ return null; }
+        public List<Notification.MessagingStyle.Message> getHistoricMessages(){ return null; }
+        public List<Notification.MessagingStyle.Message> getMessages(){ return null; }
+        public MessagingStyle(CharSequence p0){}
+        public MessagingStyle(Person p0){}
+        public Notification.MessagingStyle addHistoricMessage(Notification.MessagingStyle.Message p0){ return null; }
+        public Notification.MessagingStyle addMessage(CharSequence p0, long p1, CharSequence p2){ return null; }
+        public Notification.MessagingStyle addMessage(CharSequence p0, long p1, Person p2){ return null; }
+        public Notification.MessagingStyle addMessage(Notification.MessagingStyle.Message p0){ return null; }
+        public Notification.MessagingStyle setConversationTitle(CharSequence p0){ return null; }
+        public Notification.MessagingStyle setGroupConversation(boolean p0){ return null; }
+        public Person getUser(){ return null; }
+        public boolean isGroupConversation(){ return false; }
+        public static int MAXIMUM_RETAINED_MESSAGES = 0;
+        static public class Message
+        {
+            protected Message() {}
+            public Bundle getExtras(){ return null; }
+            public CharSequence getSender(){ return null; }
+            public CharSequence getText(){ return null; }
+            public Message(CharSequence p0, long p1, CharSequence p2){}
+            public Message(CharSequence p0, long p1, Person p2){}
+            public Notification.MessagingStyle.Message setData(String p0, Uri p1){ return null; }
+            public Person getSenderPerson(){ return null; }
+            public String getDataMimeType(){ return null; }
+            public Uri getDataUri(){ return null; }
+            public long getTimestamp(){ return 0; }
+            public static List<Notification.MessagingStyle.Message> getMessagesFromBundleArray(Parcelable[] p0){ return null; }
+        }
+    }
     static public interface Extender
     {
         Notification.Builder extend(Notification.Builder p0);

java/ql/test/stubs/google-android-9.0.0/android/content/pm/ShortcutInfo.java

@@ -0,0 +1,51 @@
+// Generated automatically from android.content.pm.ShortcutInfo for testing purposes
+
+package android.content.pm;
+
+import android.content.ComponentName;
+import android.content.Intent;
+import android.content.LocusId;
+import android.os.Parcel;
+import android.os.Parcelable;
+import android.os.PersistableBundle;
+import android.os.UserHandle;
+import java.util.Set;
+
+public class ShortcutInfo implements Parcelable
+{
+    public CharSequence getDisabledMessage(){ return null; }
+    public CharSequence getLongLabel(){ return null; }
+    public CharSequence getShortLabel(){ return null; }
+    public ComponentName getActivity(){ return null; }
+    public Intent getIntent(){ return null; }
+    public Intent[] getIntents(){ return null; }
+    public LocusId getLocusId(){ return null; }
+    public PersistableBundle getExtras(){ return null; }
+    public Set<String> getCategories(){ return null; }
+    public String getId(){ return null; }
+    public String getPackage(){ return null; }
+    public String toString(){ return null; }
+    public UserHandle getUserHandle(){ return null; }
+    public boolean hasKeyFieldsOnly(){ return false; }
+    public boolean isCached(){ return false; }
+    public boolean isDeclaredInManifest(){ return false; }
+    public boolean isDynamic(){ return false; }
+    public boolean isEnabled(){ return false; }
+    public boolean isImmutable(){ return false; }
+    public boolean isPinned(){ return false; }
+    public int describeContents(){ return 0; }
+    public int getDisabledReason(){ return 0; }
+    public int getRank(){ return 0; }
+    public long getLastChangedTimestamp(){ return 0; }
+    public static Parcelable.Creator<ShortcutInfo> CREATOR = null;
+    public static String SHORTCUT_CATEGORY_CONVERSATION = null;
+    public static int DISABLED_REASON_APP_CHANGED = 0;
+    public static int DISABLED_REASON_BACKUP_NOT_SUPPORTED = 0;
+    public static int DISABLED_REASON_BY_APP = 0;
+    public static int DISABLED_REASON_NOT_DISABLED = 0;
+    public static int DISABLED_REASON_OTHER_RESTORE_ISSUE = 0;
+    public static int DISABLED_REASON_SIGNATURE_MISMATCH = 0;
+    public static int DISABLED_REASON_UNKNOWN = 0;
+    public static int DISABLED_REASON_VERSION_LOWER = 0;
+    public void writeToParcel(Parcel p0, int p1){}
+}

java/ql/test/stubs/google-android-9.0.0/androidx/core/app/Person.java

@@ -0,0 +1,37 @@
+// Generated automatically from androidx.core.app.Person for testing purposes
+
+package androidx.core.app;
+
+import android.os.Bundle;
+import android.os.PersistableBundle;
+import androidx.core.graphics.drawable.IconCompat;
+
+public class Person
+{
+    protected Person() {}
+    public Bundle toBundle(){ return null; }
+    public CharSequence getName(){ return null; }
+    public IconCompat getIcon(){ return null; }
+    public PersistableBundle toPersistableBundle(){ return null; }
+    public String getKey(){ return null; }
+    public String getUri(){ return null; }
+    public String resolveToLegacyUri(){ return null; }
+    public android.app.Person toAndroidPerson(){ return null; }
+    public androidx.core.app.Person.Builder toBuilder(){ return null; }
+    public boolean isBot(){ return false; }
+    public boolean isImportant(){ return false; }
+    public static androidx.core.app.Person fromAndroidPerson(android.app.Person p0){ return null; }
+    public static androidx.core.app.Person fromBundle(Bundle p0){ return null; }
+    public static androidx.core.app.Person fromPersistableBundle(PersistableBundle p0){ return null; }
+    static public class Builder
+    {
+        public Builder(){}
+        public androidx.core.app.Person build(){ return null; }
+        public androidx.core.app.Person.Builder setBot(boolean p0){ return null; }
+        public androidx.core.app.Person.Builder setIcon(IconCompat p0){ return null; }
+        public androidx.core.app.Person.Builder setImportant(boolean p0){ return null; }
+        public androidx.core.app.Person.Builder setKey(String p0){ return null; }
+        public androidx.core.app.Person.Builder setName(CharSequence p0){ return null; }
+        public androidx.core.app.Person.Builder setUri(String p0){ return null; }
+    }
+}

java/ql/test/stubs/google-android-9.0.0/androidx/core/content/LocusIdCompat.java

@@ -0,0 +1,17 @@
+// Generated automatically from androidx.core.content.LocusIdCompat for testing purposes
+
+package androidx.core.content;
+
+import android.content.LocusId;
+
+public class LocusIdCompat
+{
+    protected LocusIdCompat() {}
+    public LocusId toLocusId(){ return null; }
+    public LocusIdCompat(String p0){}
+    public String getId(){ return null; }
+    public String toString(){ return null; }
+    public boolean equals(Object p0){ return false; }
+    public int hashCode(){ return 0; }
+    public static LocusIdCompat toLocusIdCompat(LocusId p0){ return null; }
+}

java/ql/test/stubs/google-android-9.0.0/androidx/core/content/pm/ShortcutInfoCompat.java

@@ -0,0 +1,45 @@
+// Generated automatically from androidx.core.content.pm.ShortcutInfoCompat for testing purposes
+
+package androidx.core.content.pm;
+
+import android.content.ComponentName;
+import android.content.Intent;
+import android.content.pm.ShortcutInfo;
+import android.os.Bundle;
+import android.os.PersistableBundle;
+import android.os.UserHandle;
+import androidx.core.content.LocusIdCompat;
+import androidx.core.graphics.drawable.IconCompat;
+import java.util.Set;
+
+public class ShortcutInfoCompat
+{
+    public Bundle getTransientExtras(){ return null; }
+    public CharSequence getDisabledMessage(){ return null; }
+    public CharSequence getLongLabel(){ return null; }
+    public CharSequence getShortLabel(){ return null; }
+    public ComponentName getActivity(){ return null; }
+    public IconCompat getIcon(){ return null; }
+    public Intent getIntent(){ return null; }
+    public Intent[] getIntents(){ return null; }
+    public LocusIdCompat getLocusId(){ return null; }
+    public PersistableBundle getExtras(){ return null; }
+    public Set<String> getCategories(){ return null; }
+    public ShortcutInfo toShortcutInfo(){ return null; }
+    public String getId(){ return null; }
+    public String getPackage(){ return null; }
+    public UserHandle getUserHandle(){ return null; }
+    public boolean hasKeyFieldsOnly(){ return false; }
+    public boolean isCached(){ return false; }
+    public boolean isDeclaredInManifest(){ return false; }
+    public boolean isDynamic(){ return false; }
+    public boolean isEnabled(){ return false; }
+    public boolean isExcludedFromSurfaces(int p0){ return false; }
+    public boolean isImmutable(){ return false; }
+    public boolean isPinned(){ return false; }
+    public int getDisabledReason(){ return 0; }
+    public int getExcludedFromSurfaces(){ return 0; }
+    public int getRank(){ return 0; }
+    public long getLastChangedTimestamp(){ return 0; }
+    public static int SURFACE_LAUNCHER = 0;
+}