Add Sensitive Result Receiver query

Author: joefarebrother

java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll

@@ -0,0 +1,55 @@
+/** Definitions for the sensitive result receiver query. */
+
+import java
+import semmle.code.java.dataflow.TaintTracking2
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.SensitiveActions
+
+private class ResultReceiverSendCall extends MethodAccess {
+  ResultReceiverSendCall() {
+    this.getMethod()
+        .getASourceOverriddenMethod*()
+        .hasQualifiedName("android.os", "ResultReceiver", "send")
+  }
+
+  Expr getReceiver() { result = this.getQualifier() }
+
+  Expr getSentData() { result = this.getArgument(1) }
+}
+
+private class UntrustedResultReceiverConf extends TaintTracking2::Configuration {
+  UntrustedResultReceiverConf() { this = "UntrustedResultReceiverConf" }
+
+  override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node node) {
+    node.asExpr() = any(ResultReceiverSendCall c).getReceiver()
+  }
+}
+
+private predicate untrustedResultReceiverSend(DataFlow::Node src, ResultReceiverSendCall call) {
+  any(UntrustedResultReceiverConf c).hasFlow(src, DataFlow::exprNode(call.getReceiver()))
+}
+
+private class SensitiveResultReceiverConf extends TaintTracking::Configuration {
+  SensitiveResultReceiverConf() { this = "SensitiveResultReceiverConf" }
+
+  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(ResultReceiverSendCall call |
+      untrustedResultReceiverSend(_, call) and
+      node.asExpr() = call.getSentData()
+    )
+  }
+}
+
+predicate sensitiveResultReceiver(
+  DataFlow::PathNode src, DataFlow::PathNode sink, DataFlow::Node recSrc
+) {
+  exists(ResultReceiverSendCall call, SensitiveResultReceiverConf conf |
+    conf.hasFlowPath(src, sink) and
+    sink.getNode().asExpr() = call.getSentData() and
+    untrustedResultReceiverSend(recSrc, call)
+  )
+}

java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Leaking sensitive information through a ResultReceiver
+ * @description An Android application obtains a ResultReceiver from a
+ *              third-party component and uses it to send sensitive data
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.2
+ * @precision mediums
+ * @id java/android/sensitive-result-receiver
+ * @tags security
+ *       external/cwe/cwe-927
+ */
+
+import java
+import semmle.code.java.security.SensitiveResultReceiverQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode src, DataFlow::PathNode sink, DataFlow::Node recSrc
+where sensitiveResultReceiver(src, sink, recSrc)
+select sink, src, sink, "This $@ is sent to a ResultReceiver obtained from $@.", src,
+  "sensitive information", recSrc, "this untrusted source"