Merge pull request #10251 from atorralba/atorralba/implicit-pendingintent-sinks

atorralba · web-flow · commit b94e0d3e6926 · 2022-09-06T11:31:27.000+02:00
Java: Add new AlarmManager sinks to Use of implicit PendingIntents
diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
@@ -106,7 +106,15 @@ private class PendingIntentSentSinkModels extends SinkModelCsv {
         "android.app;PendingIntent;false;send;(Context,int,Intent,OnFinished,Handler,String);;Argument[2];pending-intent-sent;manual",
         "android.app;PendingIntent;false;send;(Context,int,Intent,OnFinished,Handler);;Argument[2];pending-intent-sent;manual",
         "android.app;PendingIntent;false;send;(Context,int,Intent);;Argument[2];pending-intent-sent;manual",
-        "android.app;Activity;true;setResult;(int,Intent);;Argument[1];pending-intent-sent;manual"
+        "android.app;Activity;true;setResult;(int,Intent);;Argument[1];pending-intent-sent;manual",
+        "android.app;AlarmManager;true;set;(int,long,PendingIntent);;Argument[2];pending-intent-sent;manual",
+        "android.app;AlarmManager;true;setAlarmClock;;;Argument[1];pending-intent-sent;manual",
+        "android.app;AlarmManager;true;setAndAllowWhileIdle;;;Argument[2];pending-intent-sent;manual",
+        "android.app;AlarmManager;true;setExact;(int,long,PendingIntent);;Argument[2];pending-intent-sent;manual",
+        "android.app;AlarmManager;true;setExactAndAllowWhileIdle;;;Argument[2];pending-intent-sent;manual",
+        "android.app;AlarmManager;true;setInexactRepeating;;;Argument[3];pending-intent-sent;manual",
+        "android.app;AlarmManager;true;setRepeating;;;Argument[3];pending-intent-sent;manual",
+        "android.app;AlarmManager;true;setWindow;(int,long,long,PendingIntent);;Argument[3];pending-intent-sent;manual",
       ]
   }
 }
diff --git a/java/ql/src/change-notes/2022-09-01-implicit-pendingintents-new-sinks.md b/java/ql/src/change-notes/2022-09-01-implicit-pendingintents-new-sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added new sinks related to Android's `AlarmManager` to the query `java/android/implicit-pendingintents`.
diff --git a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java
@@ -2,6 +2,7 @@
 
 import java.io.FileNotFoundException;
 import android.app.Activity;
+import android.app.AlarmManager;
 import android.app.Notification;
 import android.app.NotificationManager;
 import android.app.PendingIntent;
@@ -217,6 +218,28 @@ public static void testPendingIntentInANotification(Context ctx)
 
     }
 
+    public static void testPendingIntentInAnAlarm(Context ctx) {
+        AlarmManager aManager = (AlarmManager) ctx.getSystemService(Context.ALARM_SERVICE);
+        {
+            Intent baseIntent = new Intent();
+            PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, 0);
+            aManager.set(0, 0, pi); // $hasImplicitPendingIntent
+            aManager.setAlarmClock(null, pi); // $hasImplicitPendingIntent
+            aManager.setAndAllowWhileIdle(0, 0, pi); // $hasImplicitPendingIntent
+            aManager.setExact(0, 0, pi); // $hasImplicitPendingIntent
+            aManager.setExactAndAllowWhileIdle(0, 0, pi); // $hasImplicitPendingIntent
+            aManager.setInexactRepeating(0, 0, 0, pi); // $hasImplicitPendingIntent
+            aManager.setRepeating(0, 0, 0, pi); // $hasImplicitPendingIntent
+            aManager.setWindow(0, 0, 0, pi); // $hasImplicitPendingIntent
+        }
+        {
+            Intent baseIntent = new Intent();
+            PendingIntent pi =
+                    PendingIntent.getActivity(ctx, 0, baseIntent, PendingIntent.FLAG_IMMUTABLE); // Sanitizer
+            aManager.set(0, 0, pi); // Safe
+        }
+    }
+
     static class TestActivity extends Activity {
         @Override
         public void onCreate(Bundle bundle) {
diff --git a/java/ql/test/stubs/google-android-9.0.0/android/app/AlarmManager.java b/java/ql/test/stubs/google-android-9.0.0/android/app/AlarmManager.java

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,15 @@ private class PendingIntentSentSinkModels extends SinkModelCsv {`
`106`	`106`	`"android.app;PendingIntent;false;send;(Context,int,Intent,OnFinished,Handler,String);;Argument[2];pending-intent-sent;manual",`
`107`	`107`	`"android.app;PendingIntent;false;send;(Context,int,Intent,OnFinished,Handler);;Argument[2];pending-intent-sent;manual",`
`108`	`108`	`"android.app;PendingIntent;false;send;(Context,int,Intent);;Argument[2];pending-intent-sent;manual",`
`109`		`- "android.app;Activity;true;setResult;(int,Intent);;Argument[1];pending-intent-sent;manual"`
	`109`	`+ "android.app;Activity;true;setResult;(int,Intent);;Argument[1];pending-intent-sent;manual",`
	`110`	`+ "android.app;AlarmManager;true;set;(int,long,PendingIntent);;Argument[2];pending-intent-sent;manual",`
	`111`	`+ "android.app;AlarmManager;true;setAlarmClock;;;Argument[1];pending-intent-sent;manual",`
	`112`	`+ "android.app;AlarmManager;true;setAndAllowWhileIdle;;;Argument[2];pending-intent-sent;manual",`
	`113`	`+ "android.app;AlarmManager;true;setExact;(int,long,PendingIntent);;Argument[2];pending-intent-sent;manual",`
	`114`	`+ "android.app;AlarmManager;true;setExactAndAllowWhileIdle;;;Argument[2];pending-intent-sent;manual",`
	`115`	`+ "android.app;AlarmManager;true;setInexactRepeating;;;Argument[3];pending-intent-sent;manual",`
	`116`	`+ "android.app;AlarmManager;true;setRepeating;;;Argument[3];pending-intent-sent;manual",`
	`117`	`+ "android.app;AlarmManager;true;setWindow;(int,long,long,PendingIntent);;Argument[3];pending-intent-sent;manual",`
`110`	`118`	`]`
`111`	`119`	`}`
`112`	`120`	`}`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added new sinks related to Android's `AlarmManager` to the query `java/android/implicit-pendingintents`.