Java: Promote android sensitive broadcast query

[joefarebrother]

This PR promotes the query contributed by #4512 from experimental.

Changes:

• Moved everything from experimental and moved the main query logic to SensitiveBroadcastQuery.qll
• Refactored the tests to use inline expectations
• Replaced the extra cnfigurations with local flow
• Added additional models to methods of Intent and Bundle
• Allowed arbitrary read steps at the sink
• Considered the (deprecated) sendStickyBroadcast methods as additional sinks
• Minor qhelp changes

Considerations:

• A similar vulnerability is in sending sensitive data via methods like startActivity and startService. Should sinks for those be part of this same query?
• Should the additional models be a separate PR?

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged. The following differences were found:

java

Generated file changes for java

• Changes to framework-coverage-java.rst:

-    Android,``android.*``,18,34,70,,,3,67,,,
+    Android,``android.*``,18,136,70,,,3,67,,,
-    Totals,,84,3495,398,13,6,6,107,33,1,66
+    Totals,,84,3597,398,13,6,6,107,33,1,66

• Changes to framework-coverage-java.csv:

- android.content,8,,4,,,,,,,,,,,,,8,,,,,,4,
+ android.content,8,,44,,,,,,,,,,,,,8,,,,,,4,40
+ android.os,,,62,,,,,,,,,,,,,,,,,,,,62

[smowton]

Missing fluent mutators: addCategory, addFlags.

[smowton]

^^

[atorralba]

Added some inline comments. I still need to review the CSV models in detail.

[atorralba]

A similar vulnerability is in sending sensitive data via methods like startActivity and startService. Should sinks for those be part of this same query?

@joefarebrother IMHO yes, it would make sense, because you can send implicit (and thus, interceptable) Intents with those methods, although the exploitation is a little harder because the user needs to select the malicious app in a dialog for the Intent to reach it.

The query would need to identify implicit Intents (i.e. explicit component not set, just an action). I think some code from this PR could be reused for that.

[joefarebrother]

The query would need to identify implicit Intents (i.e. explicit component not set, just an action).

Do the existing sanitizers for setCompoent and similar methods suffice for that?

[atorralba]

The query would need to identify implicit Intents (i.e. explicit component not set, just an action).

Do the existing sanitizers for setCompoent and similar methods suffice for that?

Probably, now that you mention it. I was thinking that we could reuse some code since we're doing similar things, but the sanitizer approach is simpler. Adding the new sinks should be easier than I initially thought, then :)

[atorralba]

Added some more comments regarding CSV models. This covers the Intent extras pretty nicely, and the rest of the Intent methods (like get/setPackage) are or can be handled in other PRs like #6397.

Also, this will need a doc review at some point.

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged. The following differences were found:

java

Generated file changes for java

• Changes to framework-coverage-java.rst:

-    Android,``android.*``,18,34,70,,,3,67,,,
+    Android,``android.*``,18,148,70,,,3,67,,,
-    Totals,,116,3554,402,13,6,10,107,33,1,66
+    Totals,,116,3668,402,13,6,10,107,33,1,66

• Changes to framework-coverage-java.csv:

- android.content,8,,4,,,,,,,,,,,,,8,,,,,,4,
+ android.content,8,,44,,,,,,,,,,,,,8,,,,,,4,40
+ android.os,,,74,,,,,,,,,,,,,,,,,,,2,72

[smowton]

@joefarebrother this has conflicts

[smowton]

Bad name (this indicates may-be-null, not is-null).

Also simplify this and isEmptyArrayArg using DataFlow::localExprFlow

[smowton]

Suggested change

	* Holds if a `sendBroadcast` call doesn't specify receiver permission.
	* Holds if a `sendBroadcast` call `sendBroadcastCall` doesn't specify receiver permission.

[smowton]

Suggested change

	private predicate isSensitiveBroadcastSink(DataFlow::Node sink) {
	private predicate isSensitiveBroadcastSink(DataFlow::Node sendBroadcastCall) {

[smowton]

Use localFlow instead of specifically one layer of access? Or (check by experiment) this might work just sanitising the qualifier due to use-use dataflow allowing sanitisers like this to interrupt dataflow paths to subsequent uses

(For example, in l = in; l.append("a"); l.append("b"), in Java the dataflow edges go in -> l, defn of l -> use of l in l.append("a"), use of l in l.append("a") -> use of l in l.append("b"), rather than both uses flowing from the definition as you might suppose)

[smowton]

^^

[bananabr]

The context and class of the Intent can also be determined at construction time so the sanitizer needs to account for that.

Something like:

    // Handle the cases where the PackageContext and Class are set at construction time
    //    Intent(Context packageContext, Class<?> cls)
    // Create an intent for a specific component.
    //    Intent(String action, Uri uri, Context packageContext, Class<?> cls)
    exists(ConstructorCall cc |
      cc.getConstructedType() instanceof TypeIntent and
      cc.getNumArgument() > 1 and
      (
        cc.getArgument(0).getType() instanceof TypeContext and
        not exists(Expr classArg |
          classArg instanceof NullLiteral and DataFlow::localExprFlow(classArg, cc.getArgument(1))
        )
        or
        cc.getArgument(2).getType() instanceof TypeContext and
        not exists(Expr classArg |
          classArg instanceof NullLiteral and DataFlow::localExprFlow(classArg, cc.getArgument(3))
        )
      ) and
      DataFlow::localExprFlow(cc, node.asExpr())
    )

[bananabr]

There is also the case when the broadcast receiver is determined dynamically. An attacker can abuse the intent filter priority to make it the first available receiver. The current sanitizers would ignore this case as setClassName or setPackage are usually called.

I don't have the skills to propose a query for this case though.

Intent intent = new Intent("com.victim.ADD_CARD_ACTION");
intent.putExtra("credit_card_number", num.getText().toString());
intent.putExtra("holder_name", name.getText().toString());
//...
for(ResolveInfo info : getPackageManager().queryBroadcastReceivers(intent, 0)) {
    intent.setClassName(info.activityInfo.packageName, info.activityInfo.name);
    sendBroadcast(intent);
    return;
}

[joefarebrother]

Additional models have been split into #6739

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged. The following differences were found:

java

Generated file changes for java

• Changes to framework-coverage-java.rst:

-    Android,``android.*``,18,94,70,,,3,67,,,
+    Android,``android.*``,18,208,70,,,3,67,,,
-    Totals,,116,4169,402,13,6,10,107,33,1,66
+    Totals,,116,4283,402,13,6,10,107,33,1,66

• Changes to framework-coverage-java.csv:

- android.content,8,,4,,,,,,,,,,,,,8,,,,,,4,
+ android.content,8,,44,,,,,,,,,,,,,8,,,,,,4,40
+ android.os,,,74,,,,,,,,,,,,,,,,,,,2,72

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. A recent commit removed the previously reported differences.

[atorralba]

Some tests are failing, and I added a minor inline comment. Otherwise, LGTM.

[atorralba]

Duplicates import in line 81.

Suggested change

private import semmle.code.java.frameworks.android.Intent

[mchammer01]

Hi everyone 👋🏻 - Docs First Responder here, thanks for the ping.
I've added this PR to our review board ⚡

[hubwriter]

LGTM. A couple of little editorial suggestions. 👍

[hubwriter]

For consistency, use lowercase for intent - as elsewhere:

Suggested change

	* @name Leaking sensitive information through an implicit Intent
	* @name Leaking sensitive information through an implicit intent

[aschackmull]

Isn't Intent the name of the class? I'm not sure this should be lower-cased.

[hubwriter]

If so we should make it Intent throughout.

[atorralba]

Indeed, it's the name of a class (just like Activity or Service), so I would use uppercase everywhere. Since there's more Android work coming, maybe a dedicated PR standardizing capitalization for this kind of thing in all files is due.

[aschackmull]

Let's fix the query name and change note of this query here in this PR instead of postponing these particular instances to a dedicated PR. Even if we need a general sweep to standardize, I don't think we should add to those needed changes.

[mchammer01]

I had set myself as a reviewer for this this morning and had actually started a review, but as this has been already reviewed by a Docs team member, I'll unassign myself 😄

[atorralba]

As suggested by @aschackmull and @hubwriter, let's capitalize the first letter in all occurrences of terms like Intent, Activity or Service.

[hubwriter]

@atorralba - thanks for suggesting those changes.
LGTM 👍