hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Remove duplicated models

Browse Source
This commit is contained in:
Tony Torralba
2021-12-09 16:13:49 +01:00
parent f963887c58
commit 9c12c5f8b8
3 changed files with 4 additions and 124 deletions
Download Patch File Download Diff File Expand all files Collapse all files

122
java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
View File

@@ -39,125 +39,3 @@ private class PendingIntentSentSinkModels extends SinkModelCsv {
]
}
}
// TODO: Remove when https://github.com/github/codeql/pull/6823 gets merged
private class NotificationBuildersSummaryModels extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"android.app;Notification$Action;true;Action;(int,CharSequence,PendingIntent);;Argument[2];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
"android.app;Notification$Action$Builder;true;Builder;(int,CharSequence,PendingIntent);;Argument[2];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
"android.app;Notification$Action$Builder;true;Builder;(Icon,CharSequence,PendingIntent);;Argument[2];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
"android.app;Notification$Action$Builder;true;Builder;(Action);;SyntheticField[android.app.Notification.action] of Argument[0];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
"android.app;Notification$Action$Builder;true;addExtras;;;MapKey of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
"android.app;Notification$Action$Builder;true;addExtras;;;MapValue of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
"android.app;Notification$Action$Builder;true;build;;;SyntheticField[android.app.Notification.action] of Argument[-1];SyntheticField[android.app.Notification.action] of ReturnValue;taint",
"android.app;Notification$Action$Builder;true;getExtras;;;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
"android.app;Notification$Builder;true;addAction;(int,CharSequence,PendingIntent);;Argument[2];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
"android.app;Notification$Builder;true;addAction;(Action);;SyntheticField[android.app.Notification.action] of Argument[0];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
"android.app;Notification$Builder;true;addExtras;;;MapKey of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
"android.app;Notification$Builder;true;addExtras;;;MapValue of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
"android.app;Notification$Builder;true;build;;;SyntheticField[android.app.Notification.action] of Argument[-1];SyntheticField[android.app.Notification.action] of ReturnValue;taint",
"android.app;Notification$Builder;true;setContentIntent;;;Argument[0];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
"android.app;Notification$Builder;true;getExtras;;;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
"android.app;Notification$Builder;true;recoverBuilder;;;SyntheticField[android.app.Notification.action] of Argument[1];SyntheticField[android.app.Notification.action] of ReturnValue;taint",
"android.app;Notification$Builder;true;setActions;;;SyntheticField[android.app.Notification.action] of ArrayElement of Argument[0];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
"android.app;Notification$Builder;true;setExtras;;;Argument[0];SyntheticField[android.content.Intent.extras] of Argument[-1];value",
"android.app;Notification$Builder;true;setDeleteIntent;;;Argument[0];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
"android.app;Notification$Builder;true;setPublicVersion;;;SyntheticField[android.app.Notification.action] of Argument[0];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
// Fluent models
"android.app;Notification$Action$Builder;true;" +
[
"addExtras", "addRemoteInput", "extend", "setAllowGeneratedReplies",
"setAuthenticationRequired", "setContextual", "setSemanticAction"
] + ";;;Argument[-1];ReturnValue;value",
"android.app;Notification$Builder;true;" +
[
"addAction", "addExtras", "addPerson", "extend", "setActions", "setAutoCancel",
"setBadgeIconType", "setBubbleMetadata", "setCategory", "setChannelId",
"setChronometerCountDown", "setColor", "setColorized", "setContent", "setContentInfo",
"setContentIntent", "setContentText", "setContentTitle", "setCustomBigContentView",
"setCustomHeadsUpContentView", "setDefaults", "setDeleteIntent", "setExtras", "setFlag",
"setForegroundServiceBehavior", "setFullScreenIntent", "setGroup",
"setGroupAlertBehavior", "setGroupSummary", "setLargeIcon", "setLights", "setLocalOnly",
"setLocusId", "setNumber", "setOngoing", "setOnlyAlertOnce", "setPriority",
"setProgress", "setPublicVersion", "setRemoteInputHistory", "setSettingsText",
"setShortcutId", "setShowWhen", "setSmallIcon", "setSortKey", "setSound", "setStyle",
"setSubText", "setTicker", "setTimeoutAfter", "setUsesChronometer", "setVibrate",
"setVisibility", "setWhen"
] + ";;;Argument[-1];ReturnValue;value"
]
}
}
// TODO: Remove when https://github.com/github/codeql/pull/6801 gets merged
private class SliceBuildersSummaryModels extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"androidx.slice.builders;ListBuilder;true;addAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder;true;addGridRow;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder;true;addInputRange;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder;true;addRange;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder;true;addRating;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder;true;addRow;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder;true;addSelection;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder;true;setHeader;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder;true;setSeeMoreAction;(PendingIntent);;Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder;true;setSeeMoreRow;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder;true;build;;;SyntheticField[androidx.slice.Slice.action] of Argument[-1];SyntheticField[androidx.slice.Slice.action] of ReturnValue;taint",
"androidx.slice.builders;ListBuilder$HeaderBuilder;true;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder$InputRangeBuilder;true;addEndItem;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setInputAction;(PendingIntent);;Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder$RangeBuilder;true;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder$RatingBuilder;true;setInputAction;(PendingIntent);;Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder$RatingBuilder;true;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder$RowBuilder;true;addEndItem;(SliceAction,boolean);;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder$RowBuilder;true;addEndItem;(SliceAction);;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder$RowBuilder;true;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder$RowBuilder;true;setTitleItem;(SliceAction,boolean);;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;ListBuilder$RowBuilder;true;setTitleItem;(SliceAction);;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
"androidx.slice.builders;SliceAction;true;create;(PendingIntent,IconCompat,int,CharSequence);;Argument[0];SyntheticField[androidx.slice.Slice.action] of ReturnValue;taint",
"androidx.slice.builders;SliceAction;true;createDeeplink;(PendingIntent,IconCompat,int,CharSequence);;Argument[0];SyntheticField[androidx.slice.Slice.action] of ReturnValue;taint",
"androidx.slice.builders;SliceAction;true;createToggle;(PendingIntent,CharSequence,boolean);;Argument[0];SyntheticField[androidx.slice.Slice.action] of ReturnValue;taint",
"androidx.slice.builders;SliceAction;true;getAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[-1];ReturnValue;taint",
// Fluent models
"androidx.slice.builders;ListBuilder;true;" +
[
"addAction", "addGridRow", "addInputRange", "addRange", "addRating", "addRow",
"addSelection", "setAccentColor", "setHeader", "setHostExtras", "setIsError",
"setKeywords", "setLayoutDirection", "setSeeMoreAction", "setSeeMoreRow"
] + ";;;Argument[-1];ReturnValue;value",
"androidx.slice.builders;ListBuilder$HeaderBuilder;true;" +
[
"setContentDescription", "setLayoutDirection", "setPrimaryAction", "setSubtitle",
"setSummary", "setTitle"
] + ";;;Argument[-1];ReturnValue;value",
"androidx.slice.builders;ListBuilder$InputRangeBuilder;true;" +
[
"addEndItem", "setContentDescription", "setInputAction", "setLayoutDirection", "setMax",
"setMin", "setPrimaryAction", "setSubtitle", "setThumb", "setTitle", "setTitleItem",
"setValue"
] + ";;;Argument[-1];ReturnValue;value",
"androidx.slice.builders;ListBuilder$RangeBuilder;true;" +
[
"setContentDescription", "setMax", "setMode", "setPrimaryAction", "setSubtitle",
"setTitle", "setTitleItem", "setValue"
] + ";;;Argument[-1];ReturnValue;value",
"androidx.slice.builders;ListBuilder$RatingBuilder;true;" +
[
"setContentDescription", "setInputAction", "setMax", "setMin", "setPrimaryAction",
"setSubtitle", "setTitle", "setTitleItem", "setValue"
] + ";;;Argument[-1];ReturnValue;value",
"androidx.slice.builders;ListBuilder$RowBuilder;true;" +
[
"addEndItem", "setContentDescription", "setEndOfSection", "setLayoutDirection",
"setPrimaryAction", "setSubtitle", "setTitle", "setTitleItem"
] + ";;;Argument[-1];ReturnValue;value",
"androidx.slice.builders;SliceAction;true;" +
["setChecked", "setContentDescription", "setPriority"] +
";;;Argument[-1];ReturnValue;value"
]
}
}

2
java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.qhelp
View File

@@ -12,7 +12,7 @@
receiving application if they were not previously set. This means that a mutable <code>PendingIntent</code> that has
not defined a destination component (that is, an implicit <code>PendingIntent</code>) can be altered to execute an
arbitrary action with the privileges of the application that created it.</p>
<p>If an implicit PendingIntent is obtainable by a malicious application by any of the following means:</p>
<p>If an implicit <code>PendingIntent</code> is obtainable by a malicious application by any of the following means:</p>
<ul>
<li>It is wrapped and sent as an extra of another implicit Intent</li>
<li>It is sent as the action of a Slide</li>

4
java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
View File

@@ -19,4 +19,6 @@ import DataFlow::PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink
where any(ImplicitPendingIntentStartConf conf).hasFlowPath(source, sink)
select sink.getNode(), source, sink, "something"
select sink.getNode(), source, sink,
"An implicit and mutable pending Intent is created $@ and sent to an unspecified third party.",
source.getNode(), "here"