Change test to avoid collision with SensitiveCommunication.ql

atorralba · atorralba · commit f963887c581c · 2022-01-14T10:32:01.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
@@ -36,7 +36,11 @@ class ImplicitPendingIntentStartConf extends TaintTracking::Configuration {
     super.allowImplicitRead(node, c)
     or
     this.isSink(node) and
-    allowIntentExtrasImplicitRead(node, c)
+    (
+      allowIntentExtrasImplicitRead(node, c) or
+      c.(DataFlow::SyntheticFieldContent).getField() =
+        ["android.app.Notification.action", "androidx.slice.Slice.action"]
+    )
     or
     this.isAdditionalTaintStep(node, _) and
     c.(DataFlow::FieldContent).getType() instanceof PendingIntent
diff --git a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java
@@ -29,10 +29,10 @@ public static void testPendingIntentAsAnExtra(Context ctx)
             PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, 0);
             Intent fwdIntent = new Intent();
             fwdIntent.putExtra("fwdIntent", pi);
-            ctx.startActivity(fwdIntent); // $hasTaintFlow
-            ctx.startActivities(new Intent[] {fwdIntent}); // $hasTaintFlow
+            ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent
+            ctx.startActivities(new Intent[] {fwdIntent}); // $hasImplicitPendingIntent
             ctx.startService(fwdIntent); // Safe
-            ctx.sendBroadcast(fwdIntent); // $hasTaintFlow
+            ctx.sendBroadcast(fwdIntent); // $hasImplicitPendingIntent
 
             fwdIntent.setPackage("a.safe.package"); // Sanitizer
             ctx.startActivity(fwdIntent); // Safe
@@ -43,15 +43,15 @@ public static void testPendingIntentAsAnExtra(Context ctx)
             PendingIntent pi = PendingIntent.getActivityAsUser(ctx, 0, baseIntent, 0, null, null);
             Intent fwdIntent = new Intent();
             fwdIntent.putExtra("fwdIntent", pi);
-            ctx.startActivity(fwdIntent); // $hasTaintFlow
+            ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent
         }
 
         {
             Intent baseIntent = new Intent();
             PendingIntent pi = PendingIntent.getActivities(ctx, 0, new Intent[] {baseIntent}, 0);
             Intent fwdIntent = new Intent();
             fwdIntent.putExtra("fwdIntent", pi);
-            ctx.startActivity(fwdIntent); // $hasTaintFlow
+            ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent
         }
 
         {
@@ -60,39 +60,39 @@ public static void testPendingIntentAsAnExtra(Context ctx)
                     0, null, null);
             Intent fwdIntent = new Intent();
             fwdIntent.putExtra("fwdIntent", pi);
-            ctx.startActivity(fwdIntent); // $hasTaintFlow
+            ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent
         }
 
         {
             Intent baseIntent = new Intent();
             PendingIntent pi = PendingIntent.getBroadcast(ctx, 0, baseIntent, 0);
             Intent fwdIntent = new Intent();
             fwdIntent.putExtra("fwdIntent", pi);
-            ctx.sendBroadcast(fwdIntent); // $hasTaintFlow
+            ctx.sendBroadcast(fwdIntent); // $hasImplicitPendingIntent
         }
 
         {
             Intent baseIntent = new Intent();
             PendingIntent pi = PendingIntent.getBroadcastAsUser(ctx, 0, baseIntent, 0, null);
             Intent fwdIntent = new Intent();
             fwdIntent.putExtra("fwdIntent", pi);
-            ctx.sendBroadcast(fwdIntent); // $hasTaintFlow
+            ctx.sendBroadcast(fwdIntent); // $hasImplicitPendingIntent
         }
 
         {
             Intent baseIntent = new Intent();
             PendingIntent pi = PendingIntent.getService(ctx, 0, baseIntent, 0);
             Intent fwdIntent = new Intent();
             fwdIntent.putExtra("fwdIntent", pi);
-            ctx.startActivity(fwdIntent); // $hasTaintFlow
+            ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent
         }
 
         {
             Intent baseIntent = new Intent();
             PendingIntent pi = PendingIntent.getForegroundService(ctx, 0, baseIntent, 0);
             Intent fwdIntent = new Intent();
             fwdIntent.putExtra("fwdIntent", pi);
-            ctx.startActivity(fwdIntent); // $hasTaintFlow
+            ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent
         }
 
         {
@@ -144,7 +144,7 @@ public static void testPendingIntentAsAnExtra(Context ctx)
             PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, flag); // Sanitizer
             Intent fwdIntent = new Intent();
             fwdIntent.putExtra("fwdIntent", pi);
-            ctx.startActivity(fwdIntent); // $ SPURIOUS: $ hasTaintFlow
+            ctx.startActivity(fwdIntent); // $ SPURIOUS: $ hasImplicitPendingIntent
         }
     }
 
@@ -155,10 +155,10 @@ public static void testPendingIntentWrappedInAnotherPendingIntent(Context ctx,
             PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, 0);
             Intent fwdIntent = new Intent();
             fwdIntent.putExtra("fwdIntent", pi);
-            other.send(ctx, 0, fwdIntent); // $hasTaintFlow
-            other.send(ctx, 0, fwdIntent, null, null); // $hasTaintFlow
-            other.send(ctx, 0, fwdIntent, null, null, null); // $hasTaintFlow
-            other.send(ctx, 0, fwdIntent, null, null, null, null); // $hasTaintFlow
+            other.send(ctx, 0, fwdIntent); // $hasImplicitPendingIntent
+            other.send(ctx, 0, fwdIntent, null, null); // $hasImplicitPendingIntent
+            other.send(ctx, 0, fwdIntent, null, null, null); // $hasImplicitPendingIntent
+            other.send(ctx, 0, fwdIntent, null, null, null, null); // $hasImplicitPendingIntent
         }
     }
 
@@ -173,9 +173,9 @@ public static void testPendingIntentInANotification(Context ctx)
                     new Notification.Builder(ctx).addAction(aBuilder.build());
             Notification notification = nBuilder.build();
             NotificationManager nManager = new NotificationManager();
-            nManager.notifyAsPackage("targetPackage", "tag", 0, notification); // $hasTaintFlow
-            nManager.notify(0, notification); // $hasTaintFlow
-            nManager.notifyAsUser("", 0, notification, null); // $hasTaintFlow
+            nManager.notifyAsPackage("targetPackage", "tag", 0, notification); // $hasImplicitPendingIntent
+            nManager.notify(0, notification); // $hasImplicitPendingIntent
+            nManager.notifyAsUser("", 0, notification, null); // $hasImplicitPendingIntent
         }
         {
             Intent baseIntent = new Intent();
@@ -215,7 +215,7 @@ public void onCreate(Bundle bundle) {
             PendingIntent pi = PendingIntent.getActivity(null, 0, baseIntent, 0);
             Intent fwdIntent = new Intent();
             fwdIntent.putExtra("fwdIntent", pi);
-            setResult(0, fwdIntent); // $hasTaintFlow
+            setResult(0, fwdIntent); // $hasImplicitPendingIntent
         }
     }
 
@@ -232,7 +232,7 @@ public Slice onBindSlice(Uri sliceUri) {
                 ListBuilder listBuilder = new ListBuilder(getContext(), sliceUri, null);
                 listBuilder.addRow(new ListBuilder.RowBuilder().setTitle("Title")
                         .setPrimaryAction(activityAction));
-                return listBuilder.build(); // $hasTaintFlow
+                return listBuilder.build(); // $hasImplicitPendingIntent
 
             } else if (sliceUri.getAuthority().equals("2")) {
                 Intent baseIntent = new Intent(getContext(), Activity.class); // Sanitizer
@@ -259,7 +259,7 @@ public Slice onBindSlice(Uri sliceUri) {
                 SliceAction action = SliceAction.createDeeplink(mPendingIntent, null, 0, "");
                 ListBuilder listBuilder = new ListBuilder(getContext(), sliceUri, 0);
                 listBuilder.addRow(new ListBuilder.RowBuilder(sliceUri).setPrimaryAction(action));
-                return listBuilder.build(); // $hasTaintFlow
+                return listBuilder.build(); // $hasImplicitPendingIntent
             }
         }
 
@@ -268,7 +268,7 @@ public PendingIntent onCreatePermissionRequest(Uri sliceUri, String callingPacka
             if (sliceUri.getAuthority().equals("1")) {
                 Intent baseIntent = new Intent();
                 PendingIntent pi = PendingIntent.getActivity(getContext(), 0, baseIntent, 0);
-                return pi; // $hasTaintFlow
+                return pi; // $hasImplicitPendingIntent
             } else {
                 Intent baseIntent = new Intent();
                 PendingIntent pi = PendingIntent.getActivity(getContext(), 0, baseIntent,
diff --git a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.ql b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.ql
@@ -1,11 +1,20 @@
 import java
 import semmle.code.java.security.ImplicitPendingIntentsQuery
-import TestUtilities.InlineFlowTest
+import TestUtilities.InlineExpectationsTest
 
-class ImplicitPendingIntentsTest extends InlineFlowTest {
-  override DataFlow::Configuration getValueFlowConfig() { none() }
+class ImplicitPendingIntentsTest extends InlineExpectationsTest {
+  ImplicitPendingIntentsTest() { this = "ImplicitPendingIntentsTest" }
 
-  override DataFlow::Configuration getTaintFlowConfig() {
-    result instanceof ImplicitPendingIntentStartConf
+  override string getARelevantTag() { result = ["hasImplicitPendingIntent"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasImplicitPendingIntent" and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      any(ImplicitPendingIntentStartConf c).hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
   }
 }
