Java: convert UnsafeContentUriResolution test to .qlref

2026-04-24 16:25:15 +02:00 · 2025-06-23 16:58:35 +02:00
parent 28694276e2
commit 2b19cbcd7e
4 changed files with 78 additions and 19 deletions
--- a/java/ql/test/query-tests/security/CWE-441/Test.java
+++ b/java/ql/test/query-tests/security/CWE-441/Test.java
@@ -29,23 +29,23 @@ public class Test extends Activity {
    public void onCreate() {
        {
            ContentResolver contentResolver = getContentResolver();
-            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
-            contentResolver.openInputStream(uri); // $ hasTaintFlow
-            contentResolver.openOutputStream(uri); // $ hasTaintFlow
-            contentResolver.openAssetFile(uri, null, null); // $ hasTaintFlow
-            contentResolver.openAssetFileDescriptor(uri, null); // $ hasTaintFlow
-            contentResolver.openFile(uri, null, null); // $ hasTaintFlow
-            contentResolver.openFileDescriptor(uri, null); // $ hasTaintFlow
-            contentResolver.openTypedAssetFile(uri, null, null, null); // $ hasTaintFlow
-            contentResolver.openTypedAssetFileDescriptor(uri, null, null); // $ hasTaintFlow
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); // $ Source
+            contentResolver.openInputStream(uri); // $ Alert
+            contentResolver.openOutputStream(uri); // $ Alert
+            contentResolver.openAssetFile(uri, null, null); // $ Alert
+            contentResolver.openAssetFileDescriptor(uri, null); // $ Alert
+            contentResolver.openFile(uri, null, null); // $ Alert
+            contentResolver.openFileDescriptor(uri, null); // $ Alert
+            contentResolver.openTypedAssetFile(uri, null, null, null); // $ Alert
+            contentResolver.openTypedAssetFileDescriptor(uri, null, null); // $ Alert
        }
        {
            ContentResolver contentResolver = getContentResolver();
-            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); // $ Source
            String path = uri.getPath();
            if (path.startsWith("/data"))
                throw new SecurityException();
-            contentResolver.openInputStream(uri); // $ hasTaintFlow
+            contentResolver.openInputStream(uri); // $ Alert
        }
        // Equals checks
        {
@@ -64,11 +64,11 @@ public class Test extends Activity {
        // Allow list checks
        {
            ContentResolver contentResolver = getContentResolver();
-            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); // $ Source
            String path = uri.getPath();
            if (!path.startsWith("/safe/path"))
                throw new SecurityException();
-            contentResolver.openInputStream(uri); // $ hasTaintFlow
+            contentResolver.openInputStream(uri); // $ Alert
        }
        {
            ContentResolver contentResolver = getContentResolver();
@@ -89,11 +89,11 @@ public class Test extends Activity {
        // Block list checks
        {
            ContentResolver contentResolver = getContentResolver();
-            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); // $ Source
            String path = uri.getPath();
            if (path.startsWith("/data"))
                throw new SecurityException();
-            contentResolver.openInputStream(uri); // $ hasTaintFlow
+            contentResolver.openInputStream(uri); // $ Alert
        }
        {
            ContentResolver contentResolver = getContentResolver();
--- a/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.expected
+++ b/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.expected
@@ -0,0 +1,59 @@
+#select
+| Test.java:33:45:33:47 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:33:45:33:47 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:34:46:34:48 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:34:46:34:48 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:35:43:35:45 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:35:43:35:45 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:36:53:36:55 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:36:53:36:55 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:37:38:37:40 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:37:38:37:40 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:38:48:38:50 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:38:48:38:50 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:39:48:39:50 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:39:48:39:50 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:40:58:40:60 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:40:58:40:60 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:48:45:48:47 | uri | Test.java:44:29:44:39 | getIntent(...) : Intent | Test.java:48:45:48:47 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:44:29:44:39 | getIntent(...) | user-provided value |
+| Test.java:71:45:71:47 | uri | Test.java:67:29:67:39 | getIntent(...) : Intent | Test.java:71:45:71:47 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:67:29:67:39 | getIntent(...) | user-provided value |
+| Test.java:96:45:96:47 | uri | Test.java:92:29:92:39 | getIntent(...) : Intent | Test.java:96:45:96:47 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:92:29:92:39 | getIntent(...) | user-provided value |
+edges
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:33:45:33:47 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:34:46:34:48 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:35:43:35:45 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:36:53:36:55 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:37:38:37:40 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:38:48:38:50 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:39:48:39:50 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:40:58:40:60 | uri | provenance |  |
+| Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:32:29:32:71 | getParcelableExtra(...) : Parcelable | provenance | MaD:1 |
+| Test.java:32:29:32:71 | getParcelableExtra(...) : Parcelable | Test.java:32:23:32:71 | (...)... : Uri | provenance |  |
+| Test.java:44:23:44:71 | (...)... : Uri | Test.java:48:45:48:47 | uri | provenance |  |
+| Test.java:44:29:44:39 | getIntent(...) : Intent | Test.java:44:29:44:71 | getParcelableExtra(...) : Parcelable | provenance | MaD:1 |
+| Test.java:44:29:44:71 | getParcelableExtra(...) : Parcelable | Test.java:44:23:44:71 | (...)... : Uri | provenance |  |
+| Test.java:67:23:67:71 | (...)... : Uri | Test.java:71:45:71:47 | uri | provenance |  |
+| Test.java:67:29:67:39 | getIntent(...) : Intent | Test.java:67:29:67:71 | getParcelableExtra(...) : Parcelable | provenance | MaD:1 |
+| Test.java:67:29:67:71 | getParcelableExtra(...) : Parcelable | Test.java:67:23:67:71 | (...)... : Uri | provenance |  |
+| Test.java:92:23:92:71 | (...)... : Uri | Test.java:96:45:96:47 | uri | provenance |  |
+| Test.java:92:29:92:39 | getIntent(...) : Intent | Test.java:92:29:92:71 | getParcelableExtra(...) : Parcelable | provenance | MaD:1 |
+| Test.java:92:29:92:71 | getParcelableExtra(...) : Parcelable | Test.java:92:23:92:71 | (...)... : Uri | provenance |  |
+models
+| 1 | Summary: android.content; Intent; true; getParcelableExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual |
+nodes
+| Test.java:32:23:32:71 | (...)... : Uri | semmle.label | (...)... : Uri |
+| Test.java:32:29:32:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| Test.java:32:29:32:71 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable |
+| Test.java:33:45:33:47 | uri | semmle.label | uri |
+| Test.java:34:46:34:48 | uri | semmle.label | uri |
+| Test.java:35:43:35:45 | uri | semmle.label | uri |
+| Test.java:36:53:36:55 | uri | semmle.label | uri |
+| Test.java:37:38:37:40 | uri | semmle.label | uri |
+| Test.java:38:48:38:50 | uri | semmle.label | uri |
+| Test.java:39:48:39:50 | uri | semmle.label | uri |
+| Test.java:40:58:40:60 | uri | semmle.label | uri |
+| Test.java:44:23:44:71 | (...)... : Uri | semmle.label | (...)... : Uri |
+| Test.java:44:29:44:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| Test.java:44:29:44:71 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable |
+| Test.java:48:45:48:47 | uri | semmle.label | uri |
+| Test.java:67:23:67:71 | (...)... : Uri | semmle.label | (...)... : Uri |
+| Test.java:67:29:67:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| Test.java:67:29:67:71 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable |
+| Test.java:71:45:71:47 | uri | semmle.label | uri |
+| Test.java:92:23:92:71 | (...)... : Uri | semmle.label | (...)... : Uri |
+| Test.java:92:29:92:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| Test.java:92:29:92:71 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable |
+| Test.java:96:45:96:47 | uri | semmle.label | uri |
+subpaths
--- a/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.ql
+++ b/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.ql
@@ -1,4 +0,0 @@
-import java
-import utils.test.InlineFlowTest
-import semmle.code.java.security.UnsafeContentUriResolutionQuery
-import TaintFlowTest<UnsafeContentResolutionConfig>
--- a/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.qlref
+++ b/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.qlref
@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-441/UnsafeContentUriResolution.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql