Add sensitive text flow query

joefarebrother · joefarebrother · commit 5dd0addfc295 · 2024-01-29T16:25:36.000Z
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll
@@ -20,3 +20,38 @@ private module NotificationTrackingConfig implements DataFlow::ConfigSig {
 
 /** Taint tracking flow for sensitive data flowing to system notifications. */
 module NotificationTracking = TaintTracking::Global<NotificationTrackingConfig>;
+
+/** A call to a method that sets the text of a `TextView`. */
+private class SetTextCall extends MethodCall {
+  SetTextCall() {
+    this.getMethod()
+        .getAnOverride*()
+        .hasQualifiedName("android.widget", "TextView", ["append", "setText", "setHint"]) and
+    (
+      this.getMethod()
+          .getParameter(0)
+          .getType()
+          .(RefType)
+          .hasQualifiedName("java.lang", "CharSequence")
+      or
+      this.getMethod().getParameter(0).getType().(Array).getElementType() instanceof CharacterType
+    )
+  }
+
+  /** Gets the string argument of this call. */
+  Expr getStringArgument() { result = this.getArgument(0) }
+}
+
+/** A configuration for tracking sensitive information to text fields. */
+private module TextFieldTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr }
+
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(SetTextCall s).getStringArgument() }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+}
+
+/** Taint tracking flow for sensitive data flowing to text fields. */
+module TextFieldTracking = TaintTracking::Global<NotificationTrackingConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql b/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Exposure of sensitive information to UI text fields.
+ * @id java/android/sensitive-text
+ * @kind path-problem
+ * @description Sensitive information ... TODO
+ * @problem.severity warning
+ * @precision medium
+ * @security-severity 6.5
+ * @tags security
+ *       external/cwe/cwe-200
+ */
+
+import java
+import java
+import semmle.code.java.security.SensitiveUiQuery
+import TextFieldTracking::PathGraph
+
+from TextFieldTracking::PathNode source, TextFieldTracking::PathNode sink
+where NotificationTracking::flowPath(source, sink)
+select sink, source, sink, "This $@ is exposed in a text view.", source, "sensitive information"
