Add additional test cases

joefarebrother · joefarebrother · commit a1a2acd3ce19 · 2024-01-23T09:51:38.000Z
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll
@@ -10,6 +10,10 @@ private module NotificationTrackingConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr }
 
   predicate isSink(DataFlow::Node sink) { sinkNode(sink, "notification") }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    isSink(node) and exists(c)
+  }
 }
 
 /** Taint tracking flow for sensitive data flowing to system notifications. */
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveNotification/Test.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveNotification/Test.java
@@ -1,6 +1,8 @@
 import android.app.Activity;
 import android.app.Notification;
 import androidx.core.app.NotificationCompat;
+import android.content.Intent;
+import android.app.PendingIntent;
 
 class Test extends Activity {
     void test(String password) {
@@ -12,5 +14,17 @@ void test(String password) {
     void test2(String password) {
         Notification.Builder builder = new Notification.Builder(this, "");
         builder.setContentText(password); // $sensitive-notification
+        builder.setContentTitle(password); // $sensitive-notification
+        builder.addAction(0, password, null); // $sensitive-notification
+        builder.addAction(new Notification.Action(0, password, null)); // $sensitive-notification
+        // builder.setStyle( // TODO: update stubs to include MessagingStyle
+        //         new Notification.MessagingStyle(password) // $sensitive-notification
+        //             .setConversationTitle(password)) // $sensitive-notification
+        //             .addMessage(password, 0, null); // $sensitive-notification
+        builder.setStyle(new Notification.BigTextStyle().bigText(password)); // $sensitive-notification 
+        Intent intent = new Intent();
+        intent.putExtra("a", password);
+        builder.setContentIntent(PendingIntent.getActivity(this, 0, intent, PendingIntent.FLAG_IMMUTABLE)); // $MISSING: sensitive-notification // missing model for getActivity
+
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,10 @@ private module NotificationTrackingConfig implements DataFlow::ConfigSig {`
`10`	`10`	`predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr }`
`11`	`11`
`12`	`12`	`predicate isSink(DataFlow::Node sink) { sinkNode(sink, "notification") }`
	`13`	`+`
	`14`	`+ predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {`
	`15`	`+ isSink(node) and exists(c)`
	`16`	`+ }`
`13`	`17`	`}`
`14`	`18`
`15`	`19`	`/** Taint tracking flow for sensitive data flowing to system notifications. */`