Add okhttp tests

2026-04-30 03:05:15 +02:00 · 2022-11-14 10:57:32 +00:00
parent c32dc1e674
commit 53c4ada883
6 changed files with 55 additions and 0 deletions
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning_/Test3/AndroidManifest.xml
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning_/Test3/AndroidManifest.xml
@@ -0,0 +1,10 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.app"
+    android:installLocation="auto"
+    android:versionCode="1"
+    android:versionName="0.1" >
+
+    <application android:networkSecurityConfig="@xml/NetworkSecurityConfig">
+    </application>
+
+</manifest>
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning_/Test3/Test.java
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning_/Test3/Test.java
@@ -0,0 +1,17 @@
+import okhttp3.OkHttpClient;
+import okhttp3.CertificatePinner;
+import okhttp3.Request;
+
+class Test{
+    void test1() throws Exception {
+    CertificatePinner certificatePinner = new CertificatePinner.Builder()
+         .add("good.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
+         .build();
+     OkHttpClient client = OkHttpClient.Builder()
+         .certificatePinner(certificatePinner)
+         .build();
+
+     client.newCall(new Request.Builder().url("https://good.example.com").build()).execute();
+     client.newCall(new Request.Builder().url("https://bad.example.com").build()).execute(); // $hasUntrustedResult
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning_/Test3/options
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning_/Test3/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0:${testdir}/../../../../../stubs/okhttp-4.9.3
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning_/Test3/res/xml/NetworkSecurityConfig.xml
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning_/Test3/res/xml/NetworkSecurityConfig.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config>
+
+</network-security-config>
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning_/Test3/test.expected
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning_/Test3/test.expected
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning_/Test3/test.ql
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning_/Test3/test.ql
@@ -0,0 +1,23 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.security.AndroidCertificatePinningQuery
+
+class Test extends InlineExpectationsTest {
+  Test() { this = "AndroidMissingCertificatePinningTest" }
+
+  override string getARelevantTag() { result = ["hasNoTrustedResult", "hasUntrustedResult"] }
+
+  override predicate hasActualResult(Location loc, string el, string tag, string value) {
+    exists(DataFlow::Node node |
+      missingPinning(node) and
+      loc = node.getLocation() and
+      el = node.toString() and
+      value = "" and
+      (
+        if exists(string x | trustedDomain(x))
+        then tag = "hasUntrustedResult"
+        else tag = "hasNoTrustedResult"
+      )
+    )
+  }
+}
				`@@ -0,0 +1 @@`
				`// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0:${testdir}/../../../../../stubs/okhttp-4.9.3`