Remove duplicated models

atorralba · atorralba · commit 9c12c5f8b8a1 · 2022-01-14T10:32:01.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
@@ -39,125 +39,3 @@ private class PendingIntentSentSinkModels extends SinkModelCsv {
       ]
   }
 }
-
-// TODO: Remove when https://github.com/github/codeql/pull/6823 gets merged
-private class NotificationBuildersSummaryModels extends SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "android.app;Notification$Action;true;Action;(int,CharSequence,PendingIntent);;Argument[2];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
-        "android.app;Notification$Action$Builder;true;Builder;(int,CharSequence,PendingIntent);;Argument[2];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
-        "android.app;Notification$Action$Builder;true;Builder;(Icon,CharSequence,PendingIntent);;Argument[2];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
-        "android.app;Notification$Action$Builder;true;Builder;(Action);;SyntheticField[android.app.Notification.action] of Argument[0];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
-        "android.app;Notification$Action$Builder;true;addExtras;;;MapKey of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
-        "android.app;Notification$Action$Builder;true;addExtras;;;MapValue of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
-        "android.app;Notification$Action$Builder;true;build;;;SyntheticField[android.app.Notification.action] of Argument[-1];SyntheticField[android.app.Notification.action] of ReturnValue;taint",
-        "android.app;Notification$Action$Builder;true;getExtras;;;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
-        "android.app;Notification$Builder;true;addAction;(int,CharSequence,PendingIntent);;Argument[2];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
-        "android.app;Notification$Builder;true;addAction;(Action);;SyntheticField[android.app.Notification.action] of Argument[0];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
-        "android.app;Notification$Builder;true;addExtras;;;MapKey of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
-        "android.app;Notification$Builder;true;addExtras;;;MapValue of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
-        "android.app;Notification$Builder;true;build;;;SyntheticField[android.app.Notification.action] of Argument[-1];SyntheticField[android.app.Notification.action] of ReturnValue;taint",
-        "android.app;Notification$Builder;true;setContentIntent;;;Argument[0];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
-        "android.app;Notification$Builder;true;getExtras;;;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
-        "android.app;Notification$Builder;true;recoverBuilder;;;SyntheticField[android.app.Notification.action] of Argument[1];SyntheticField[android.app.Notification.action] of ReturnValue;taint",
-        "android.app;Notification$Builder;true;setActions;;;SyntheticField[android.app.Notification.action] of ArrayElement of Argument[0];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
-        "android.app;Notification$Builder;true;setExtras;;;Argument[0];SyntheticField[android.content.Intent.extras] of Argument[-1];value",
-        "android.app;Notification$Builder;true;setDeleteIntent;;;Argument[0];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
-        "android.app;Notification$Builder;true;setPublicVersion;;;SyntheticField[android.app.Notification.action] of Argument[0];SyntheticField[android.app.Notification.action] of Argument[-1];taint",
-        // Fluent models
-        "android.app;Notification$Action$Builder;true;" +
-          [
-            "addExtras", "addRemoteInput", "extend", "setAllowGeneratedReplies",
-            "setAuthenticationRequired", "setContextual", "setSemanticAction"
-          ] + ";;;Argument[-1];ReturnValue;value",
-        "android.app;Notification$Builder;true;" +
-          [
-            "addAction", "addExtras", "addPerson", "extend", "setActions", "setAutoCancel",
-            "setBadgeIconType", "setBubbleMetadata", "setCategory", "setChannelId",
-            "setChronometerCountDown", "setColor", "setColorized", "setContent", "setContentInfo",
-            "setContentIntent", "setContentText", "setContentTitle", "setCustomBigContentView",
-            "setCustomHeadsUpContentView", "setDefaults", "setDeleteIntent", "setExtras", "setFlag",
-            "setForegroundServiceBehavior", "setFullScreenIntent", "setGroup",
-            "setGroupAlertBehavior", "setGroupSummary", "setLargeIcon", "setLights", "setLocalOnly",
-            "setLocusId", "setNumber", "setOngoing", "setOnlyAlertOnce", "setPriority",
-            "setProgress", "setPublicVersion", "setRemoteInputHistory", "setSettingsText",
-            "setShortcutId", "setShowWhen", "setSmallIcon", "setSortKey", "setSound", "setStyle",
-            "setSubText", "setTicker", "setTimeoutAfter", "setUsesChronometer", "setVibrate",
-            "setVisibility", "setWhen"
-          ] + ";;;Argument[-1];ReturnValue;value"
-      ]
-  }
-}
-
-// TODO: Remove when https://github.com/github/codeql/pull/6801 gets merged
-private class SliceBuildersSummaryModels extends SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "androidx.slice.builders;ListBuilder;true;addAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder;true;addGridRow;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder;true;addInputRange;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder;true;addRange;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder;true;addRating;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder;true;addRow;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder;true;addSelection;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder;true;setHeader;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder;true;setSeeMoreAction;(PendingIntent);;Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder;true;setSeeMoreRow;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder;true;build;;;SyntheticField[androidx.slice.Slice.action] of Argument[-1];SyntheticField[androidx.slice.Slice.action] of ReturnValue;taint",
-        "androidx.slice.builders;ListBuilder$HeaderBuilder;true;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;addEndItem;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setInputAction;(PendingIntent);;Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder$RangeBuilder;true;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder$RatingBuilder;true;setInputAction;(PendingIntent);;Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder$RatingBuilder;true;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder$RowBuilder;true;addEndItem;(SliceAction,boolean);;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder$RowBuilder;true;addEndItem;(SliceAction);;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder$RowBuilder;true;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder$RowBuilder;true;setTitleItem;(SliceAction,boolean);;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;ListBuilder$RowBuilder;true;setTitleItem;(SliceAction);;SyntheticField[androidx.slice.Slice.action] of Argument[0];SyntheticField[androidx.slice.Slice.action] of Argument[-1];taint",
-        "androidx.slice.builders;SliceAction;true;create;(PendingIntent,IconCompat,int,CharSequence);;Argument[0];SyntheticField[androidx.slice.Slice.action] of ReturnValue;taint",
-        "androidx.slice.builders;SliceAction;true;createDeeplink;(PendingIntent,IconCompat,int,CharSequence);;Argument[0];SyntheticField[androidx.slice.Slice.action] of ReturnValue;taint",
-        "androidx.slice.builders;SliceAction;true;createToggle;(PendingIntent,CharSequence,boolean);;Argument[0];SyntheticField[androidx.slice.Slice.action] of ReturnValue;taint",
-        "androidx.slice.builders;SliceAction;true;getAction;;;SyntheticField[androidx.slice.Slice.action] of Argument[-1];ReturnValue;taint",
-        // Fluent models
-        "androidx.slice.builders;ListBuilder;true;" +
-          [
-            "addAction", "addGridRow", "addInputRange", "addRange", "addRating", "addRow",
-            "addSelection", "setAccentColor", "setHeader", "setHostExtras", "setIsError",
-            "setKeywords", "setLayoutDirection", "setSeeMoreAction", "setSeeMoreRow"
-          ] + ";;;Argument[-1];ReturnValue;value",
-        "androidx.slice.builders;ListBuilder$HeaderBuilder;true;" +
-          [
-            "setContentDescription", "setLayoutDirection", "setPrimaryAction", "setSubtitle",
-            "setSummary", "setTitle"
-          ] + ";;;Argument[-1];ReturnValue;value",
-        "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;" +
-          [
-            "addEndItem", "setContentDescription", "setInputAction", "setLayoutDirection", "setMax",
-            "setMin", "setPrimaryAction", "setSubtitle", "setThumb", "setTitle", "setTitleItem",
-            "setValue"
-          ] + ";;;Argument[-1];ReturnValue;value",
-        "androidx.slice.builders;ListBuilder$RangeBuilder;true;" +
-          [
-            "setContentDescription", "setMax", "setMode", "setPrimaryAction", "setSubtitle",
-            "setTitle", "setTitleItem", "setValue"
-          ] + ";;;Argument[-1];ReturnValue;value",
-        "androidx.slice.builders;ListBuilder$RatingBuilder;true;" +
-          [
-            "setContentDescription", "setInputAction", "setMax", "setMin", "setPrimaryAction",
-            "setSubtitle", "setTitle", "setTitleItem", "setValue"
-          ] + ";;;Argument[-1];ReturnValue;value",
-        "androidx.slice.builders;ListBuilder$RowBuilder;true;" +
-          [
-            "addEndItem", "setContentDescription", "setEndOfSection", "setLayoutDirection",
-            "setPrimaryAction", "setSubtitle", "setTitle", "setTitleItem"
-          ] + ";;;Argument[-1];ReturnValue;value",
-        "androidx.slice.builders;SliceAction;true;" +
-          ["setChecked", "setContentDescription", "setPriority"] +
-          ";;;Argument[-1];ReturnValue;value"
-      ]
-  }
-}
diff --git a/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.qhelp b/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.qhelp
@@ -12,7 +12,7 @@
   receiving application if they were not previously set. This means that a mutable <code>PendingIntent</code> that has 
   not defined a destination component (that is, an implicit <code>PendingIntent</code>) can be altered to execute an 
   arbitrary action with the privileges of the application that created it.</p>
-<p>If an implicit PendingIntent is obtainable by a malicious application by any of the following means:</p>
+<p>If an implicit <code>PendingIntent</code> is obtainable by a malicious application by any of the following means:</p>
 <ul>
   <li>It is wrapped and sent as an extra of another implicit Intent</li>
   <li>It is sent as the action of a Slide</li>
diff --git a/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql b/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
@@ -19,4 +19,6 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink
 where any(ImplicitPendingIntentStartConf conf).hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "something"
+select sink.getNode(), source, sink,
+  "An implicit and mutable pending Intent is created $@ and sent to an unspecified third party.",
+  source.getNode(), "here"
