Java: update pending-intent-sent sink kind to pending-intents

Jami Cogswell · Jami Cogswell · commit 5aa3e57ff32f · 2023-05-31T15:49:07.000-04:00
diff --git a/java/ql/lib/ext/android.app.model.yml b/java/ql/lib/ext/android.app.model.yml
@@ -5,20 +5,20 @@ extensions:
     data:
       - ["android.app", "Activity", True, "bindService", "", "", "Argument[0]", "intent-start", "manual"]
       - ["android.app", "Activity", True, "bindServiceAsUser", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.app", "Activity", True, "setResult", "(int,Intent)", "", "Argument[1]", "pending-intent-sent", "manual"]
+      - ["android.app", "Activity", True, "setResult", "(int,Intent)", "", "Argument[1]", "pending-intents", "manual"]
       - ["android.app", "Activity", True, "startActivityAsCaller", "", "", "Argument[0]", "intent-start", "manual"]
       - ["android.app", "Activity", True, "startActivityForResult", "(Intent,int)", "", "Argument[0]", "intent-start", "manual"]
       - ["android.app", "Activity", True, "startActivityForResult", "(Intent,int,Bundle)", "", "Argument[0]", "intent-start", "manual"]
       - ["android.app", "Activity", True, "startActivityForResult", "(String,Intent,int,Bundle)", "", "Argument[1]", "intent-start", "manual"]
       - ["android.app", "Activity", True, "startActivityForResultAsUser", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.app", "AlarmManager", True, "set", "(int,long,PendingIntent)", "", "Argument[2]", "pending-intent-sent", "manual"]
-      - ["android.app", "AlarmManager", True, "setAlarmClock", "", "", "Argument[1]", "pending-intent-sent", "manual"]
-      - ["android.app", "AlarmManager", True, "setAndAllowWhileIdle", "", "", "Argument[2]", "pending-intent-sent", "manual"]
-      - ["android.app", "AlarmManager", True, "setExact", "(int,long,PendingIntent)", "", "Argument[2]", "pending-intent-sent", "manual"]
-      - ["android.app", "AlarmManager", True, "setExactAndAllowWhileIdle", "", "", "Argument[2]", "pending-intent-sent", "manual"]
-      - ["android.app", "AlarmManager", True, "setInexactRepeating", "", "", "Argument[3]", "pending-intent-sent", "manual"]
-      - ["android.app", "AlarmManager", True, "setRepeating", "", "", "Argument[3]", "pending-intent-sent", "manual"]
-      - ["android.app", "AlarmManager", True, "setWindow", "(int,long,long,PendingIntent)", "", "Argument[3]", "pending-intent-sent", "manual"]
+      - ["android.app", "AlarmManager", True, "set", "(int,long,PendingIntent)", "", "Argument[2]", "pending-intents", "manual"]
+      - ["android.app", "AlarmManager", True, "setAlarmClock", "", "", "Argument[1]", "pending-intents", "manual"]
+      - ["android.app", "AlarmManager", True, "setAndAllowWhileIdle", "", "", "Argument[2]", "pending-intents", "manual"]
+      - ["android.app", "AlarmManager", True, "setExact", "(int,long,PendingIntent)", "", "Argument[2]", "pending-intents", "manual"]
+      - ["android.app", "AlarmManager", True, "setExactAndAllowWhileIdle", "", "", "Argument[2]", "pending-intents", "manual"]
+      - ["android.app", "AlarmManager", True, "setInexactRepeating", "", "", "Argument[3]", "pending-intents", "manual"]
+      - ["android.app", "AlarmManager", True, "setRepeating", "", "", "Argument[3]", "pending-intents", "manual"]
+      - ["android.app", "AlarmManager", True, "setWindow", "(int,long,long,PendingIntent)", "", "Argument[3]", "pending-intents", "manual"]
       - ["android.app", "FragmentTransaction", True, "add", "(Class,Bundle,String)", "", "Argument[0]", "fragment-injection", "manual"]
       - ["android.app", "FragmentTransaction", True, "add", "(Fragment,String)", "", "Argument[0]", "fragment-injection", "manual"]
       - ["android.app", "FragmentTransaction", True, "add", "(int,Class,Bundle)", "", "Argument[1]", "fragment-injection", "manual"]
@@ -30,14 +30,14 @@ extensions:
       - ["android.app", "FragmentTransaction", True, "replace", "(int,Class,Bundle,String)", "", "Argument[1]", "fragment-injection", "manual"]
       - ["android.app", "FragmentTransaction", True, "replace", "(int,Fragment)", "", "Argument[1]", "fragment-injection", "manual"]
       - ["android.app", "FragmentTransaction", True, "replace", "(int,Fragment,String)", "", "Argument[1]", "fragment-injection", "manual"]
-      - ["android.app", "NotificationManager", True, "notify", "(String,int,Notification)", "", "Argument[2]", "pending-intent-sent", "manual"]
-      - ["android.app", "NotificationManager", True, "notify", "(int,Notification)", "", "Argument[1]", "pending-intent-sent", "manual"]
-      - ["android.app", "NotificationManager", True, "notifyAsPackage", "(String,String,int,Notification)", "", "Argument[3]", "pending-intent-sent", "manual"]
-      - ["android.app", "NotificationManager", True, "notifyAsUser", "(String,int,Notification,UserHandle)", "", "Argument[2]", "pending-intent-sent", "manual"]
-      - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent)", "", "Argument[2]", "pending-intent-sent", "manual"]
-      - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,OnFinished,Handler)", "", "Argument[2]", "pending-intent-sent", "manual"]
-      - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,OnFinished,Handler,String)", "", "Argument[2]", "pending-intent-sent", "manual"]
-      - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,OnFinished,Handler,String,Bundle)", "", "Argument[2]", "pending-intent-sent", "manual"]
+      - ["android.app", "NotificationManager", True, "notify", "(String,int,Notification)", "", "Argument[2]", "pending-intents", "manual"]
+      - ["android.app", "NotificationManager", True, "notify", "(int,Notification)", "", "Argument[1]", "pending-intents", "manual"]
+      - ["android.app", "NotificationManager", True, "notifyAsPackage", "(String,String,int,Notification)", "", "Argument[3]", "pending-intents", "manual"]
+      - ["android.app", "NotificationManager", True, "notifyAsUser", "(String,int,Notification,UserHandle)", "", "Argument[2]", "pending-intents", "manual"]
+      - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent)", "", "Argument[2]", "pending-intents", "manual"]
+      - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,OnFinished,Handler)", "", "Argument[2]", "pending-intents", "manual"]
+      - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,OnFinished,Handler,String)", "", "Argument[2]", "pending-intents", "manual"]
+      - ["android.app", "PendingIntent", False, "send", "(Context,int,Intent,OnFinished,Handler,String,Bundle)", "", "Argument[2]", "pending-intents", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
diff --git a/java/ql/lib/ext/androidx.core.app.model.yml b/java/ql/lib/ext/androidx.core.app.model.yml
@@ -3,12 +3,12 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["androidx.core.app", "AlarmManagerCompat", True, "setAlarmClock", "", "", "Argument[2..3]", "pending-intent-sent", "manual"]
-      - ["androidx.core.app", "AlarmManagerCompat", True, "setAndAllowWhileIdle", "", "", "Argument[3]", "pending-intent-sent", "manual"]
-      - ["androidx.core.app", "AlarmManagerCompat", True, "setExact", "", "", "Argument[3]", "pending-intent-sent", "manual"]
-      - ["androidx.core.app", "AlarmManagerCompat", True, "setExactAndAllowWhileIdle", "", "", "Argument[3]", "pending-intent-sent", "manual"]
-      - ["androidx.core.app", "NotificationManagerCompat", True, "notify", "(String,int,Notification)", "", "Argument[2]", "pending-intent-sent", "manual"]
-      - ["androidx.core.app", "NotificationManagerCompat", True, "notify", "(int,Notification)", "", "Argument[1]", "pending-intent-sent", "manual"]
+      - ["androidx.core.app", "AlarmManagerCompat", True, "setAlarmClock", "", "", "Argument[2..3]", "pending-intents", "manual"]
+      - ["androidx.core.app", "AlarmManagerCompat", True, "setAndAllowWhileIdle", "", "", "Argument[3]", "pending-intents", "manual"]
+      - ["androidx.core.app", "AlarmManagerCompat", True, "setExact", "", "", "Argument[3]", "pending-intents", "manual"]
+      - ["androidx.core.app", "AlarmManagerCompat", True, "setExactAndAllowWhileIdle", "", "", "Argument[3]", "pending-intents", "manual"]
+      - ["androidx.core.app", "NotificationManagerCompat", True, "notify", "(String,int,Notification)", "", "Argument[2]", "pending-intents", "manual"]
+      - ["androidx.core.app", "NotificationManagerCompat", True, "notify", "(int,Notification)", "", "Argument[1]", "pending-intents", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
diff --git a/java/ql/lib/ext/androidx.slice.model.yml b/java/ql/lib/ext/androidx.slice.model.yml
@@ -12,5 +12,5 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["androidx.slice", "SliceProvider", True, "onBindSlice", "", "", "ReturnValue", "pending-intent-sent", "manual"]
-      - ["androidx.slice", "SliceProvider", True, "onCreatePermissionRequest", "", "", "ReturnValue", "pending-intent-sent", "manual"]
+      - ["androidx.slice", "SliceProvider", True, "onBindSlice", "", "", "ReturnValue", "pending-intents", "manual"]
+      - ["androidx.slice", "SliceProvider", True, "onCreatePermissionRequest", "", "", "ReturnValue", "pending-intents", "manual"]
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -276,7 +276,7 @@ module ModelValidation {
         [
           "open-url", "jndi-injection", "ldap-injection", "sql-injection", "jdbc-url",
           "log-injection", "mvel-injection", "xpath-injection", "groovy-injection", "xss",
-          "ognl-injection", "intent-start", "pending-intent-sent", "url-redirection", "create-file",
+          "ognl-injection", "intent-start", "pending-intents", "url-redirection", "create-file",
           "read-file", "write-file", "set-hostname-verifier", "header-splitting",
           "information-leak", "xslt-injection", "jexl-injection", "bean-validation",
           "template-injection", "fragment-injection", "command-injection"
diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
@@ -63,7 +63,7 @@ private class SendPendingIntent extends ImplicitPendingIntentSink {
       this.asExpr() = ma.getArgument(0)
     )
     or
-    sinkNode(this, "pending-intent-sent")
+    sinkNode(this, "pending-intents")
   }
 
   override predicate hasState(DataFlow::FlowState state) { state = "MutablePendingIntent" }

Original file line number	Diff line number	Diff line change
`@@ -276,7 +276,7 @@ module ModelValidation {`
`276`	`276`	`[`
`277`	`277`	`"open-url", "jndi-injection", "ldap-injection", "sql-injection", "jdbc-url",`
`278`	`278`	`"log-injection", "mvel-injection", "xpath-injection", "groovy-injection", "xss",`
`279`		`- "ognl-injection", "intent-start", "pending-intent-sent", "url-redirection", "create-file",`
	`279`	`+ "ognl-injection", "intent-start", "pending-intents", "url-redirection", "create-file",`
`280`	`280`	`"read-file", "write-file", "set-hostname-verifier", "header-splitting",`
`281`	`281`	`"information-leak", "xslt-injection", "jexl-injection", "bean-validation",`
`282`	`282`	`"template-injection", "fragment-injection", "command-injection"`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ private class SendPendingIntent extends ImplicitPendingIntentSink {`
`63`	`63`	`this.asExpr() = ma.getArgument(0)`
`64`	`64`	`)`
`65`	`65`	`or`
`66`		`- sinkNode(this, "pending-intent-sent")`
	`66`	`+ sinkNode(this, "pending-intents")`
`67`	`67`	`}`
`68`	`68`
`69`	`69`	`override predicate hasState(DataFlow::FlowState state) { state = "MutablePendingIntent" }`