Add sink models to notification builder setters

joefarebrother · joefarebrother · commit f9bb004618e2 · 2024-01-23T09:51:38.000Z
diff --git a/java/ql/lib/ext/android.app.model.yml b/java/ql/lib/ext/android.app.model.yml
@@ -38,10 +38,55 @@ extensions:
       - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,PendingIntent$OnFinished,Handler)", "", "Argument[2]", "pending-intents", "manual"]
       - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,PendingIntent$OnFinished,Handler,String)", "", "Argument[2]", "pending-intents", "manual"]
       - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,PendingIntent$OnFinished,Handler,String,Bundle)", "", "Argument[2]", "pending-intents", "manual"]
-      - ["android.app", "NotificationManager", True, "notify", "(String,int,Notification)", "", "Argument[2]", "notification", "manual"]
-      - ["android.app", "NotificationManager", True, "notify", "(int,Notification)", "", "Argument[1]", "notification", "manual"]
-      - ["android.app", "NotificationManager", True, "notifyAsPackage", "(String,String,int,Notification)", "", "Argument[3]", "notification", "manual"]
-      - ["android.app", "NotificationManager", True, "notifyAsUser", "(String,int,Notification,UserHandle)", "", "Argument[2]", "notification", "manual"]
+
+      - ["android.app", "Notification$Action", True, "Action", "(int,CharSequence,PendingIntent)", "", "Argument[1..2]", "notification", "manual"]
+      - ["android.app", "Notification$Action$Builder", True, "Builder", "(Icon,CharSequence,PendingIntent)", "", "Argument[1..2]", "notification", "manual"]
+      - ["android.app", "Notification$Action$Builder", True, "Builder", "(int,CharSequence,PendingIntent)", "", "Argument[1..2]", "notification", "manual"]
+      - ["android.app", "Notification$Action$Builder", True, "addExtras", "(Bundle)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$BigPictureStyle", True, "setBigContentTitle", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$BigPictureStyle", True, "setContentDescription", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$BigPictureStyle", True, "setSummaryText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$BigTextStyle", True, "bigText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$BigTextStyle", True, "setBigContentTitle", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$BigTextStyle", True, "setContentDescription", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "addAction", "(int,CharSequence,PendingIntent)", "", "Argument[1..2]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "addExtras", "(Bundle)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setCategory", "(String)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setChannel", "(String)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setContent", "(RemoteViews)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setContentInfo", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setContentText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setContentTitle", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setCustomBigContentView", "(RemoteViews)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setCustomContentView", "(RemoteViews)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setCustomHeadsUpContentView", "(RemoteViews)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setDeleteIntent", "(PendingIntent)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setExtras", "(Bundle)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setGroup", "(String)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setRemoteInputHistory", "(CharSequence[])", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setSettingsText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setSortKey", "(String)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setSubText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setTicker", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$Builder", True, "setTicker", "(CharSequence, RemoteViews)", "", "Argument[0..1]", "notification", "manual"]
+      - ["android.app", "Notification$CallStyle", True, "forIncomingCall", "(Person,PendingIntent,PendingIntent)", "", "Argument[1..2]", "notification", "manual"]
+      - ["android.app", "Notification$CallStyle", True, "forOngoingCallCall", "(Person,PendingIntent)", "", "Argument[1]", "notification", "manual"]
+      - ["android.app", "Notification$CallStyle", True, "forScreeningCall", "(Person,PendingIntent,PendingIntent)", "", "Argument[1..2]", "notification", "manual"]
+      - ["android.app", "Notification$CallStyle", True, "setVerificationText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$InboxStyle", True, "addLine", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$InboxStyle", True, "setBigContentTitle", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$InboxStyle", True, "setSummaryText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$MediaStyle", True, "setSummaryText", "(CharSequence,int,PendingIntent)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$MediaStyle", True, "setSummaryText", "(CharSequence,int,PendingIntent)", "", "Argument[2]", "notification", "manual"]
+      - ["android.app", "Notification$MessagingStyle", True, "MessagingStyle", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$MessagingStyle", True, "addMessage", "(CharSequence,long,CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$MessagingStyle", True, "addMessage", "(CharSequence,long,CharSequence)", "", "Argument[2]", "notification", "manual"]
+      - ["android.app", "Notification$MessagingStyle", True, "addMessage", "(CharSequence,long,Person)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$MessagingStyle", True, "setConversationTitle", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$MessagingStyle$Message", True, "Message", "(CharSequence,long,CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["android.app", "Notification$MessagingStyle$Message", True, "Message", "(CharSequence,long,CharSequence)", "", "Argument[2]", "notification", "manual"]
+      - ["android.app", "Notification$MessagingStyle$Message", True, "Message", "(CharSequence,long,Person)", "", "Argument[0]", "notification", "manual"]
+      
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
diff --git a/java/ql/lib/ext/androidx.core.app.model.yml b/java/ql/lib/ext/androidx.core.app.model.yml
@@ -9,8 +9,54 @@ extensions:
       - ["androidx.core.app", "AlarmManagerCompat", True, "setExactAndAllowWhileIdle", "", "", "Argument[3]", "pending-intents", "manual"]
       - ["androidx.core.app", "NotificationManagerCompat", True, "notify", "(String,int,Notification)", "", "Argument[2]", "pending-intents", "manual"]
       - ["androidx.core.app", "NotificationManagerCompat", True, "notify", "(int,Notification)", "", "Argument[1]", "pending-intents", "manual"]
-      - ["androidx.core.app", "NotificationManagerCompat", True, "notify", "(String,int,Notification)", "", "Argument[2]", "notification", "manual"]
-      - ["androidx.core.app", "NotificationManagerCompat", True, "notify", "(int,Notification)", "", "Argument[1]", "notification", "manual"]
+      
+      - ["androidx.core.app", "NotificationCompat$Action", True, "Action", "(int,CharSequence,PendingIntent)", "", "Argument[1..2]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Action$Builder", True, "Builder", "(Icon,CharSequence,PendingIntent)", "", "Argument[1..2]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Action$Builder", True, "Builder", "(int,CharSequence,PendingIntent)", "", "Argument[1..2]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Action$Builder", True, "addExtras", "(Bundle)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$BigPictureStyle", True, "setBigContentTitle", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$BigPictureStyle", True, "setContentDescription", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$BigPictureStyle", True, "setSummaryText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$BigTextStyle", True, "bigText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$BigTextStyle", True, "setBigContentTitle", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$BigTextStyle", True, "setContentDescription", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "addAction", "(int,CharSequence,PendingIntent)", "", "Argument[1..2]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "addExtras", "(Bundle)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setCategory", "(String)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setChannel", "(String)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setContent", "(RemoteViews)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setContentInfo", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setContentText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setContentTitle", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setCustomBigContentView", "(RemoteViews)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setCustomContentView", "(RemoteViews)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setCustomHeadsUpContentView", "(RemoteViews)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setDeleteIntent", "(PendingIntent)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setExtras", "(Bundle)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setGroup", "(String)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setRemoteInputHistory", "(CharSequence[])", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setSettingsText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setSortKey", "(String)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setSubText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setTicker", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$Builder", True, "setTicker", "(CharSequence, RemoteViews)", "", "Argument[0..1]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$CallStyle", True, "forIncomingCall", "(Person,PendingIntent,PendingIntent)", "", "Argument[1..2]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$CallStyle", True, "forOngoingCallCall", "(Person,PendingIntent)", "", "Argument[1]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$CallStyle", True, "forScreeningCall", "(Person,PendingIntent,PendingIntent)", "", "Argument[1..2]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$CallStyle", True, "setVerificationText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$InboxStyle", True, "addLine", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$InboxStyle", True, "setBigContentTitle", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$InboxStyle", True, "setSummaryText", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$MediaStyle", True, "setSummaryText", "(CharSequence,int,PendingIntent)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$MediaStyle", True, "setSummaryText", "(CharSequence,int,PendingIntent)", "", "Argument[2]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$MessagingStyle", True, "addMessage", "(CharSequence,long,CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$MessagingStyle", True, "addMessage", "(CharSequence,long,CharSequence)", "", "Argument[2]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$MessagingStyle", True, "addMessage", "(CharSequence,long,Person)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$MessagingStyle", True, "setConversationTitle", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$MessagingStyle", True, "MessagingStyle", "(CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$MessagingStyle$Message", True, "Message", "(CharSequence,long,CharSequence)", "", "Argument[0]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$MessagingStyle$Message", True, "Message", "(CharSequence,long,CharSequence)", "", "Argument[2]", "notification", "manual"]
+      - ["androidx.core.app", "NotificationCompat$MessagingStyle$Message", True, "Message", "(CharSequence,long,Person)", "", "Argument[0]", "notification", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll
@@ -9,7 +9,7 @@ private import semmle.code.java.security.SensitiveActions
 private module NotificationTrackingConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr }
 
-  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "notifications") }
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "notification") }
 }
 
 /** Taint tracking flow for sensitive data flowing to system notifications. */
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveNotification/Test.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SensitiveNotification/Test.java
@@ -1,13 +1,16 @@
 import android.app.Activity;
+import android.app.Notification;
 import androidx.core.app.NotificationCompat;
-import androidx.core.app.NotificationManagerCompat;
 
 class Test extends Activity {
     void test(String password) {
-        NotificationManagerCompat manager = NotificationManagerCompat.from(this);
-
         NotificationCompat.Builder builder = new NotificationCompat.Builder(this, "");
-        builder.setContentText(password);
-        manager.notify(0, builder.build()); // sensitive-notification
+        builder.setContentText(password); // $sensitive-notification
+
+    }
+
+    void test2(String password) {
+        Notification.Builder builder = new Notification.Builder(this, "");
+        builder.setContentText(password); // $sensitive-notification
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ private import semmle.code.java.security.SensitiveActions`
`9`	`9`	`private module NotificationTrackingConfig implements DataFlow::ConfigSig {`
`10`	`10`	`predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr }`
`11`	`11`
`12`		`- predicate isSink(DataFlow::Node sink) { sinkNode(sink, "notifications") }`
	`12`	`+ predicate isSink(DataFlow::Node sink) { sinkNode(sink, "notification") }`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`/** Taint tracking flow for sensitive data flowing to system notifications. */`