Add test cases; fix handling of recievers declared through xml

2026-04-27 01:35:13 +02:00 · 2022-04-22 16:41:01 +01:00
parent 87f26bf033
commit 4aed1a1e23
7 changed files with 80 additions and 3 deletions
--- a/java/ql/test/query-tests/security/CWE-925/AndroidManifest.xml
+++ b/java/ql/test/query-tests/security/CWE-925/AndroidManifest.xml
@@ -0,0 +1,9 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="test">
+    <application>
+        <receiver android:name=".BootReceiverXml">
+            <intent-filter>
+                <action android:name="android.intent.action.BOOT_COMPLETED" />
+            </intent-filter>
+        </receiver>
+    </application>
+</manifest>
--- a/java/ql/test/query-tests/security/CWE-925/BootReceiverXml.java
+++ b/java/ql/test/query-tests/security/CWE-925/BootReceiverXml.java
@@ -0,0 +1,13 @@
+package test;
+import android.content.Intent;
+import android.content.Context;
+import android.content.BroadcastReceiver;
+
+class BootReceiverXml extends BroadcastReceiver {
+    void doStuff(Intent intent) {}
+
+    @Override 
+    public void onReceive(Context ctx, Intent intent) { // $hasResult
+        doStuff(intent);
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.expected
+++ b/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.expected
--- a/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.ql
+++ b/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.ql
@@ -0,0 +1,18 @@
+import java
+import semmle.code.java.security.ImproperIntentVerificationQuery
+import TestUtilities.InlineExpectationsTest
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "hasResult" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasResult" and
+    exists(Method orm | unverifiedSystemReceiver(_, orm, _) |
+      orm.getLocation() = location and
+      element = orm.toString() and
+      value = ""
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerificationTest.java
+++ b/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerificationTest.java
@@ -0,0 +1,31 @@
+package test;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.content.Context;
+import android.content.BroadcastReceiver;
+
+class ImproperIntentVerificationTest {
+    static void doStuff(Intent intent) {}
+
+    class ShutdownBroadcastReceiver extends BroadcastReceiver {
+        @Override
+        public void onReceive(Context ctx, Intent intent) { // $hasResult
+            doStuff(intent);
+        }
+    }
+
+    class ShutdownBroadcastReceiverSafe extends BroadcastReceiver {
+        @Override
+        public void onReceive(Context ctx, Intent intent) {
+            if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {
+                return;
+            }
+            doStuff(intent);
+        }
+    }
+
+    void test(Context c) {
+        c.registerReceiver(new ShutdownBroadcastReceiver(), new IntentFilter(Intent.ACTION_SHUTDOWN));
+        c.registerReceiver(new ShutdownBroadcastReceiverSafe(), new IntentFilter(Intent.ACTION_SHUTDOWN));
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-925/options
+++ b/java/ql/test/query-tests/security/CWE-925/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0
				`@@ -0,0 +1 @@`
				`// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0`