Add sensitive notification query

Author: joefarebrother

java/ql/lib/ext/android.app.model.yml

@@ -38,6 +38,10 @@ extensions:
       - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,PendingIntent$OnFinished,Handler)", "", "Argument[2]", "pending-intents", "manual"]
       - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,PendingIntent$OnFinished,Handler,String)", "", "Argument[2]", "pending-intents", "manual"]
       - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,PendingIntent$OnFinished,Handler,String,Bundle)", "", "Argument[2]", "pending-intents", "manual"]
+      - ["android.app", "NotificationManager", True, "notify", "(String,int,Notification)", "", "Argument[2]", "notification", "manual"]
+      - ["android.app", "NotificationManager", True, "notify", "(int,Notification)", "", "Argument[1]", "notification", "manual"]
+      - ["android.app", "NotificationManager", True, "notifyAsPackage", "(String,String,int,Notification)", "", "Argument[3]", "notification", "manual"]
+      - ["android.app", "NotificationManager", True, "notifyAsUser", "(String,int,Notification,UserHandle)", "", "Argument[2]", "notification", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel

java/ql/lib/ext/androidx.core.app.model.yml

@@ -9,6 +9,8 @@ extensions:
       - ["androidx.core.app", "AlarmManagerCompat", True, "setExactAndAllowWhileIdle", "", "", "Argument[3]", "pending-intents", "manual"]
       - ["androidx.core.app", "NotificationManagerCompat", True, "notify", "(String,int,Notification)", "", "Argument[2]", "pending-intents", "manual"]
       - ["androidx.core.app", "NotificationManagerCompat", True, "notify", "(int,Notification)", "", "Argument[1]", "pending-intents", "manual"]
+      - ["androidx.core.app", "NotificationManagerCompat", True, "notify", "(String,int,Notification)", "", "Argument[2]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationManagerCompat", True, "notify", "(int,Notification)", "", "Argument[1]", "notification", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel

java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll

@@ -0,0 +1,16 @@
+/** Definitions for Android Sensitive UI queries */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.SensitiveActions
+
+/** A configuration for tracking sensitive information to system notifications. */
+private module NotificationTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr }
+
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "notifications") }
+}
+
+/** Taint tracking flow for sensitive data flowing to system notifications. */
+module NotificationTracking = TaintTracking::Global<NotificationTrackingConfig>;

java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Exposure of sensitive information to notifications
+ * @id java/android/sensitive-notification
+ * @kind path-problem
+ * @description Sensitive information exposed in a system notification can be read by an unauthorized application.
+ * @problem.severity error
+ * @precision medium
+ * @security-severity 6.5
+ * @tags security
+ *       external/cwe/cwe-200
+ */
+
+import java
+import java
+import semmle.code.java.security.SensitiveUiQuery
+import NotificationTracking::PathGraph
+
+from NotificationTracking::PathNode source, NotificationTracking::PathNode sink
+where NotificationTracking::flowPath(source, sink)
+select sink, source, sink, "This $@ is exposed in a system notification.", source,
+  "sensitive information"