Merge pull request #10330 from atorralba/atorralba/implicit-pendingintents-compat-sinks

Java: Add Implicit PendingIntents sinks for Compat classes

Author: atorralba

java/ql/lib/change-notes/2022-09-07-implicit-pendingintents-compat-sinks.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Added new sinks to the query `java/android/implict-pendingintents` to take into account the classes `androidx.core.app.NotificationManagerCompat` and `androidx.core.app.AlarmManagerCompat`.
+  

java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll

@@ -102,6 +102,8 @@ private class PendingIntentSentSinkModels extends SinkModelCsv {
         "android.app;NotificationManager;true;notify;(String,int,Notification);;Argument[2];pending-intent-sent;manual",
         "android.app;NotificationManager;true;notifyAsPackage;(String,String,int,Notification);;Argument[3];pending-intent-sent;manual",
         "android.app;NotificationManager;true;notifyAsUser;(String,int,Notification,UserHandle);;Argument[2];pending-intent-sent;manual",
+        "androidx.core.app;NotificationManagerCompat;true;notify;(int,Notification);;Argument[1];pending-intent-sent;manual",
+        "androidx.core.app;NotificationManagerCompat;true;notify;(String,int,Notification);;Argument[2];pending-intent-sent;manual",
         "android.app;PendingIntent;false;send;(Context,int,Intent,OnFinished,Handler,String,Bundle);;Argument[2];pending-intent-sent;manual",
         "android.app;PendingIntent;false;send;(Context,int,Intent,OnFinished,Handler,String);;Argument[2];pending-intent-sent;manual",
         "android.app;PendingIntent;false;send;(Context,int,Intent,OnFinished,Handler);;Argument[2];pending-intent-sent;manual",
@@ -115,6 +117,10 @@ private class PendingIntentSentSinkModels extends SinkModelCsv {
         "android.app;AlarmManager;true;setInexactRepeating;;;Argument[3];pending-intent-sent;manual",
         "android.app;AlarmManager;true;setRepeating;;;Argument[3];pending-intent-sent;manual",
         "android.app;AlarmManager;true;setWindow;(int,long,long,PendingIntent);;Argument[3];pending-intent-sent;manual",
+        "androidx.core.app;AlarmManagerCompat;true;setAlarmClock;;;Argument[2..3];pending-intent-sent;manual",
+        "androidx.core.app;AlarmManagerCompat;true;setAndAllowWhileIdle;;;Argument[3];pending-intent-sent;manual",
+        "androidx.core.app;AlarmManagerCompat;true;setExact;;;Argument[3];pending-intent-sent;manual",
+        "androidx.core.app;AlarmManagerCompat;true;setExactAndAllowWhileIdle;;;Argument[3];pending-intent-sent;manual",
       ]
   }
 }

java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java

@@ -14,6 +14,8 @@
 import android.os.Bundle;
 import android.os.CancellationSignal;
 import android.os.RemoteException;
+import androidx.core.app.AlarmManagerCompat;
+import androidx.core.app.NotificationManagerCompat;
 import androidx.core.graphics.drawable.IconCompat;
 import androidx.slice.Slice;
 import androidx.slice.SliceProvider;
@@ -182,7 +184,7 @@ public static void testPendingIntentInANotification(Context ctx)
             Notification.Builder nBuilder =
                     new Notification.Builder(ctx).addAction(aBuilder.build());
             Notification notification = nBuilder.build();
-            NotificationManager nManager = new NotificationManager();
+            NotificationManager nManager = null;
             nManager.notifyAsPackage("targetPackage", "tag", 0, notification); // $hasImplicitPendingIntent
             nManager.notify(0, notification); // $hasImplicitPendingIntent
             nManager.notifyAsUser("", 0, notification, null); // $hasImplicitPendingIntent
@@ -195,7 +197,7 @@ public static void testPendingIntentInANotification(Context ctx)
             Notification.Builder nBuilder =
                     new Notification.Builder(ctx).addAction(aBuilder.build());
             Notification notification = nBuilder.build();
-            NotificationManager nManager = new NotificationManager();
+            NotificationManager nManager = null;
             nManager.notify(0, notification); // Safe
         }
         {
@@ -212,10 +214,21 @@ public static void testPendingIntentInANotification(Context ctx)
             Notification.Action action = new Notification.Action(0, "", pi2);
             Notification.Builder nBuilder = new Notification.Builder(ctx).addAction(action);
             Notification notification = nBuilder.build();
-            NotificationManager noMan = new NotificationManager();
+            NotificationManager noMan = null;
             noMan.notify(0, notification); // Safe
         }
-
+        // Compat sinks
+        {
+            Intent baseIntent = new Intent();
+            PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, 0);
+            Notification.Action.Builder aBuilder = new Notification.Action.Builder(0, "", pi);
+            Notification.Builder nBuilder =
+                    new Notification.Builder(ctx).addAction(aBuilder.build());
+            Notification notification = nBuilder.build();
+            NotificationManagerCompat nManager = null;
+            nManager.notify(0, notification); // $hasImplicitPendingIntent
+            nManager.notify("", 0, notification); // $hasImplicitPendingIntent
+        }
     }
 
     public static void testPendingIntentInAnAlarm(Context ctx) {
@@ -238,6 +251,16 @@ public static void testPendingIntentInAnAlarm(Context ctx) {
                     PendingIntent.getActivity(ctx, 0, baseIntent, PendingIntent.FLAG_IMMUTABLE); // Sanitizer
             aManager.set(0, 0, pi); // Safe
         }
+        // Compat sinks
+        {
+            Intent baseIntent = new Intent();
+            PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, 0);
+            AlarmManagerCompat.setAlarmClock(aManager, 0, pi, null); // $hasImplicitPendingIntent
+            AlarmManagerCompat.setAlarmClock(aManager, 0, null, pi); // $hasImplicitPendingIntent
+            AlarmManagerCompat.setAndAllowWhileIdle(aManager, 0, 0, pi); // $hasImplicitPendingIntent
+            AlarmManagerCompat.setExact(aManager, 0, 0, pi); // $hasImplicitPendingIntent
+            AlarmManagerCompat.setExactAndAllowWhileIdle(aManager, 0, 0, pi); // $hasImplicitPendingIntent
+        }
     }
 
     static class TestActivity extends Activity {