Merge branch 'main' into ockers/certification_not_certificate

Author: ockers

java/documentation/library-coverage/coverage.csv

@@ -77,7 +77,7 @@ jakarta.xml.bind.attachment,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,
 java.awt,1,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,3
 java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
 java.io,50,1,46,,,,,,,,,22,,,,,,,,,,,,,,,28,,,,,,,,,,,,,,,,,,,,,1,,44,2
-java.lang,33,3,103,,13,,,,,,1,,,,,,,,,,,,8,,,,6,,,4,,,1,,,,,,,,,,,,,,3,,,60,43
+java.lang,33,3,101,,13,,,,,,1,,,,,,,,,,,,8,,,,6,,,4,,,1,,,,,,,,,,,,,,3,,,58,43
 java.net,21,3,23,,,,1,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,19,,,,,,,,,,,,,3,23,
 java.nio,49,,36,,,,,,,,,5,,,,,,,,,,,,,,,43,,,,,,,,,1,,,,,,,,,,,,,,36,
 java.security,21,,,,,11,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

java/documentation/library-coverage/coverage.rst

@@ -18,10 +18,10 @@ Java framework & library support
    `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,730,43,9,,,,,
    JBoss Logging,``org.jboss.logging``,,,324,,,,,,
    `JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,
-   Java Standard Library,``java.*``,10,733,237,79,,9,,,24
+   Java Standard Library,``java.*``,10,731,237,79,,9,,,24
    Java extensions,"``javax.*``, ``jakarta.*``",67,688,80,5,4,2,1,1,4
    Kotlin Standard Library,``kotlin*``,,1849,16,14,,,,,2
    `Spring <https://spring.io/>`_,``org.springframework.*``,38,481,118,5,,28,14,,35
    Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.mongodb``, ``com.opensymphony.xwork2``, ``com.rabbitmq.client``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.struts.beanvalidation.validation.interceptor``, ``org.apache.struts2``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.hibernate``, ``org.influxdb``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.jooq``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``org.yaml.snakeyaml``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",131,10516,889,121,6,22,18,,208
-   Totals,,308,18947,2551,331,16,128,33,1,407
+   Totals,,308,18945,2551,331,16,128,33,1,407
 

java/ql/lib/semmle/code/java/frameworks/android/Layout.qll

@@ -0,0 +1,65 @@
+/** Provides classes and predicates for working with Android layouts and UI elements. */
+
+import java
+import semmle.code.xml.AndroidManifest
+private import semmle.code.java.dataflow.DataFlow
+
+/** An Android Layout XML file. */
+class AndroidLayoutXmlFile extends XmlFile {
+  AndroidLayoutXmlFile() { this.getRelativePath().matches("%/res/layout/%.xml") }
+}
+
+/** A component declared in an Android layout file. */
+class AndroidLayoutXmlElement extends XmlElement {
+  AndroidLayoutXmlElement() { this.getFile() instanceof AndroidLayoutXmlFile }
+
+  /** Gets the ID of this component, if any. */
+  string getId() { result = this.getAttribute("id").getValue() }
+
+  /** Gets the class of this component. */
+  Class getClass() {
+    this.getName() = "view" and
+    this.getAttribute("class").getValue() = result.getQualifiedName()
+    or
+    this.getName() = result.getQualifiedName()
+    or
+    result.hasQualifiedName(["android.widget", "android.view"], this.getName())
+  }
+}
+
+/** An XML element that represents an editable text field. */
+class AndroidEditableXmlElement extends AndroidLayoutXmlElement {
+  AndroidEditableXmlElement() {
+    this.getClass().getASourceSupertype*().hasQualifiedName("android.widget", "EditText")
+  }
+
+  /** Gets the input type of this field, if any. */
+  string getInputType() { result = this.getAttribute("inputType").(AndroidXmlAttribute).getValue() }
+}
+
+/** A `findViewById` or `requireViewById` method on `Activity` or `View`. */
+private class FindViewMethod extends Method {
+  FindViewMethod() {
+    exists(Method m | this.getAnOverride*() = m |
+      m.hasQualifiedName("android.app", "Activity", ["findViewById", "requireViewById"])
+      or
+      m.hasQualifiedName("android.view", "View", ["findViewById", "requireViewById"])
+      or
+      m.hasQualifiedName("android.app", "Dialog", ["findViewById", "requireViewById"])
+    )
+  }
+}
+
+/** Gets a use of the view that has the given id. (that is, from a call to a method like `findViewById`) */
+MethodCall getAUseOfViewWithId(string id) {
+  exists(string name, NestedClass r_id, Field id_field |
+    id = ["@+id/", "@id/"] + name and
+    result.getMethod() instanceof FindViewMethod and
+    r_id.getEnclosingType().hasName("R") and
+    r_id.hasName("id") and
+    id_field.getDeclaringType() = r_id and
+    id_field.hasName(name)
+  |
+    DataFlow::localExprFlow(id_field.getAnAccess(), result.getArgument(0))
+  )
+}

java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll

@@ -3,71 +3,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.security.SensitiveActions
-import semmle.code.xml.AndroidManifest
-
-/** An Android Layout XML file. */
-private class AndroidLayoutXmlFile extends XmlFile {
-  AndroidLayoutXmlFile() { this.getRelativePath().matches("%/res/layout/%.xml") }
-}
-
-/** A component declared in an Android layout file. */
-class AndroidLayoutXmlElement extends XmlElement {
-  AndroidXmlAttribute id;
-
-  AndroidLayoutXmlElement() {
-    this.getFile() instanceof AndroidLayoutXmlFile and
-    id = this.getAttribute("id")
-  }
-
-  /** Gets the ID of this component. */
-  string getId() { result = id.getValue() }
-
-  /** Gets the class of this component. */
-  Class getClass() {
-    this.getName() = "view" and
-    this.getAttribute("class").getValue() = result.getQualifiedName()
-    or
-    this.getName() = result.getQualifiedName()
-    or
-    result.hasQualifiedName(["android.widget", "android.view"], this.getName())
-  }
-}
-
-/** An XML element that represents an editable text field. */
-class AndroidEditableXmlElement extends AndroidLayoutXmlElement {
-  AndroidEditableXmlElement() {
-    this.getClass().getASourceSupertype*().hasQualifiedName("android.widget", "EditText")
-  }
-
-  /** Gets the input type of this field, if any. */
-  string getInputType() { result = this.getAttribute("inputType").(AndroidXmlAttribute).getValue() }
-}
-
-/** A `findViewById` or `requireViewById` method on `Activity` or `View`. */
-private class FindViewMethod extends Method {
-  FindViewMethod() {
-    this.hasQualifiedName("android.view", "View", ["findViewById", "requireViewById"])
-    or
-    exists(Method m |
-      m.hasQualifiedName("android.app", "Activity", ["findViewById", "requireViewById"]) and
-      this = m.getAnOverride*()
-    )
-  }
-}
-
-/** Gets a use of the view that has the given id. */
-private MethodCall getAUseOfViewWithId(string id) {
-  exists(string name, NestedClass r_id, Field id_field |
-    id = "@+id/" + name and
-    result.getMethod() instanceof FindViewMethod and
-    r_id.getEnclosingType().hasName("R") and
-    r_id.hasName("id") and
-    id_field.getDeclaringType() = r_id and
-    id_field.hasName(name)
-  |
-    DataFlow::localExprFlow(id_field.getAnAccess(), result.getArgument(0))
-  )
-}
+import semmle.code.java.frameworks.android.Layout
 
 /** Gets the argument of a use of `setInputType` called on the view with the given id. */
 private Argument setInputTypeForId(string id) {

java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll

@@ -4,6 +4,8 @@ import java
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.SensitiveActions
+private import semmle.code.java.frameworks.android.Layout
+private import semmle.code.java.security.Sanitizers
 
 /** A configuration for tracking sensitive information to system notifications. */
 private module NotificationTrackingConfig implements DataFlow::ConfigSig {
@@ -20,3 +22,94 @@ private module NotificationTrackingConfig implements DataFlow::ConfigSig {
 
 /** Taint tracking flow for sensitive data flowing to system notifications. */
 module NotificationTracking = TaintTracking::Global<NotificationTrackingConfig>;
+
+/** A call to a method that sets the text of a `TextView`. */
+private class SetTextCall extends MethodCall {
+  SetTextCall() {
+    this.getMethod()
+        .getAnOverride*()
+        .hasQualifiedName("android.widget", "TextView", ["append", "setText", "setHint"]) and
+    (
+      this.getMethod()
+          .getParameter(0)
+          .getType()
+          .(RefType)
+          .hasQualifiedName("java.lang", "CharSequence")
+      or
+      this.getMethod().getParameter(0).getType().(Array).getElementType() instanceof CharacterType
+    )
+  }
+
+  /** Gets the string argument of this call. */
+  Expr getStringArgument() { result = this.getArgument(0) }
+}
+
+/** A call to a method indicating that the contents of a UI element are safely masked. */
+private class MaskCall extends MethodCall {
+  MaskCall() {
+    this.getMethod().getAnOverride*().hasQualifiedName("android.widget", "TextView", "setInputType")
+    or
+    this.getMethod().getAnOverride*().hasQualifiedName("android.view", "View", "setVisibility")
+  }
+}
+
+/** A configuration for tracking sensitive information to text fields. */
+private module TextFieldTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(SetTextCall call |
+      sink.asExpr() = call.getStringArgument() and
+      not setTextCallIsMasked(call)
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+}
+
+/** A local flow step that also flows through access to fields containing `View`s */
+private predicate localViewFieldFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+  DataFlow::localFlowStep(node1, node2)
+  or
+  exists(Field f |
+    f.getType().(Class).getASupertype*().hasQualifiedName("android.view", "View") and
+    node1.asExpr() = f.getAnAccess().(FieldWrite).getASource() and
+    node2.asExpr() = f.getAnAccess().(FieldRead)
+  )
+}
+
+/** Holds if data can flow from `node1` to `node2` with local flow steps as well as flow through fields containing `View`s */
+private predicate localViewFieldFlow(DataFlow::Node node1, DataFlow::Node node2) {
+  localViewFieldFlowStep*(node1, node2)
+}
+
+/** Holds if data can flow from `e1` to `e2` with local flow steps as well as flow through fields containing `View`s */
+private predicate localViewFieldExprFlow(Expr e1, Expr e2) {
+  localViewFieldFlow(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
+}
+
+/** Holds if the given view may be properly masked. */
+private predicate viewIsMasked(AndroidLayoutXmlElement view) {
+  localViewFieldExprFlow(getAUseOfViewWithId(view.getId()), any(MaskCall mcall).getQualifier())
+  or
+  view.getAttribute("inputType")
+      .(AndroidXmlAttribute)
+      .getValue()
+      .regexpMatch("(?i).*(text|number)(web)?password.*")
+  or
+  view.getAttribute("visibility").(AndroidXmlAttribute).getValue().toLowerCase() =
+    ["invisible", "gone"]
+}
+
+/** Holds if the qualifier of `call` may be properly masked. */
+private predicate setTextCallIsMasked(SetTextCall call) {
+  exists(AndroidLayoutXmlElement view |
+    localViewFieldExprFlow(getAUseOfViewWithId(view.getId()), call.getQualifier()) and
+    viewIsMasked(view.getParent*())
+  )
+}
+
+/** Taint tracking flow for sensitive data flowing to text fields. */
+module TextFieldTracking = TaintTracking::Global<TextFieldTrackingConfig>;

java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextBad.java

@@ -0,0 +1,2 @@
+TextView pwView = getViewById(R.id.pw_text);
+pwView.setText("Your password is: " + password);

java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.qhelp

@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Sensitive information such as passwords should not be displayed in UI components unless explicitly required, to mitigate shoulder-surfing attacks.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+    For editable text fields containing sensitive information, the <code>inputType</code> should be set to <code>textPassword</code> or similar to ensure it is properly masked.
+    Otherwise, sensitive data that must be displayed should be hidden by default, and only revealed based on an explicit user action.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+    In the following (bad) case, sensitive information in <code>password</code> is exposed to the <code>TextView</code>.
+    </p>
+
+    <sample src="AndroidSensitiveTextBad.java"/>
+
+    <p>
+    In the following (good) case, the user must press a button to reveal sensitive information.
+    </p>
+
+    <sample src="AndroidSensitiveTextGood.java"/>
+  </example>
+
+  <references>
+    <li>
+      OWASP Mobile Application Security: <a href="https://mas.owasp.org/MASTG/Android/0x05d-Testing-Data-Storage/#ui-components">Android Data Storage - UI Components</a> 
+    </li>
+  </references>
+
+</qhelp>

java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Exposure of sensitive information to UI text views.
+ * @id java/android/sensitive-text
+ * @kind path-problem
+ * @description Sensitive information displayed in UI text views should be properly masked.
+ * @problem.severity warning
+ * @precision medium
+ * @security-severity 6.5
+ * @tags security
+ *       external/cwe/cwe-200
+ */
+
+import java
+import java
+import semmle.code.java.security.SensitiveUiQuery
+import TextFieldTracking::PathGraph
+
+from TextFieldTracking::PathNode source, TextFieldTracking::PathNode sink
+where TextFieldTracking::flowPath(source, sink)
+select sink, source, sink, "This $@ is exposed in a text view.", source, "sensitive information"

java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextGood.java

@@ -0,0 +1,10 @@
+TextView pwView = findViewById(R.id.pw_text);
+pwView.setVisibility(View.INVISIBLE);
+pwView.setText("Your password is: " + password);
+
+Button showButton = findViewById(R.id.show_pw_button);
+showButton.setOnClickListener(new View.OnClickListener() {
+    public void onClick(View v) {
+      pwView.setVisibility(View.VISIBLE);
+    }
+});

java/ql/src/change-notes/2024-01-29-android-sensitive-text-field-query.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query `java/android/sensitive-text` to detect instances of sensitive data being exposed through text fields without being properly masked.