Add test cases for TrustManager case

2026-04-30 03:05:15 +02:00 · 2022-11-25 16:37:41 +00:00
parent c8aca06190
commit 0d6a376a36
14 changed files with 157 additions and 0 deletions
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/AndroidManifest.xml
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/AndroidManifest.xml
@@ -0,0 +1,10 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.app"
+    android:installLocation="auto"
+    android:versionCode="1"
+    android:versionName="0.1" >
+
+    <application android:networkSecurityConfig="@xml/NetworkSecurityConfig">
+    </application>
+
+</manifest>
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/R.java
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/R.java
@@ -0,0 +1,7 @@
+package com.example;
+
+class R {
+    static final class raw {
+        static final int cert = 0;
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/Test.java
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/Test.java
@@ -0,0 +1,32 @@
+package com.example;
+
+import java.net.URL;
+import java.net.URLConnection;
+import java.security.KeyStore;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import android.content.res.Resources;
+
+class Test{
+    void test1(Resources resources) throws Exception {
+        KeyStore keyStore = KeyStore.getInstance("BKS");
+        keyStore.load(resources.openRawResource(R.raw.cert), null);
+
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        tmf.init(keyStore);
+
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(null, tmf.getTrustManagers(), null);
+
+        URL url = new URL("http://www.example.com/");
+        HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); 
+
+        urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
+    }
+
+    void test2() throws Exception {
+        URL url = new URL("http://www.example.com/");
+        HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); // $hasNoTrustedResult
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/options
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/res/xml/NetworkSecurityConfig.xml
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/res/xml/NetworkSecurityConfig.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config>
+
+</network-security-config>
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/test.expected
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/test.expected
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/test.ql
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/test.ql
@@ -0,0 +1,23 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.security.AndroidCertificatePinningQuery
+
+class Test extends InlineExpectationsTest {
+  Test() { this = "AndroidMissingCertificatePinningTest" }
+
+  override string getARelevantTag() { result = ["hasNoTrustedResult", "hasUntrustedResult"] }
+
+  override predicate hasActualResult(Location loc, string el, string tag, string value) {
+    exists(DataFlow::Node node |
+      missingPinning(node) and
+      loc = node.getLocation() and
+      el = node.toString() and
+      value = "" and
+      (
+        if exists(string x | trustedDomain(x))
+        then tag = "hasUntrustedResult"
+        else tag = "hasNoTrustedResult"
+      )
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/AndroidManifest.xml
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/AndroidManifest.xml
@@ -0,0 +1,10 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.app"
+    android:installLocation="auto"
+    android:versionCode="1"
+    android:versionName="0.1" >
+
+    <application android:networkSecurityConfig="@xml/NetworkSecurityConfig">
+    </application>
+
+</manifest>
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/R.java
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/R.java
@@ -0,0 +1,7 @@
+package com.example;
+
+class R {
+    static final class raw {
+        static final int cert = 0;
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/Test.java
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/Test.java
@@ -0,0 +1,35 @@
+package com.example;
+
+import java.net.URL;
+import java.net.URLConnection;
+import java.io.InputStream;
+import java.security.KeyStore;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import android.content.res.Resources;
+
+class Test{
+    void init(Resources resources) throws Exception {
+        KeyStore keyStore = KeyStore.getInstance("BKS");
+        keyStore.load(resources.openRawResource(R.raw.cert), null);
+
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        tmf.init(keyStore);
+
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(null, tmf.getTrustManagers(), null);
+
+        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
+    }
+
+    URLConnection test1() throws Exception {
+        URL url = new URL("http://www.example.com/");
+        return url.openConnection(); 
+    }
+
+    InputStream test2() throws Exception {
+        URL url = new URL("http://www.example.com/");
+        return url.openStream(); 
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/options
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/res/xml/NetworkSecurityConfig.xml
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/res/xml/NetworkSecurityConfig.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config>
+
+</network-security-config>
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/test.expected
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/test.expected
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/test.ql
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/test.ql
@@ -0,0 +1,23 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.security.AndroidCertificatePinningQuery
+
+class Test extends InlineExpectationsTest {
+  Test() { this = "AndroidMissingCertificatePinningTest" }
+
+  override string getARelevantTag() { result = ["hasNoTrustedResult", "hasUntrustedResult"] }
+
+  override predicate hasActualResult(Location loc, string el, string tag, string value) {
+    exists(DataFlow::Node node |
+      missingPinning(node) and
+      loc = node.getLocation() and
+      el = node.toString() and
+      value = "" and
+      (
+        if exists(string x | trustedDomain(x))
+        then tag = "hasUntrustedResult"
+        else tag = "hasNoTrustedResult"
+      )
+    )
+  }
+}
				`@@ -0,0 +1 @@`
				`// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0`