Move query and tests out of experimental

java/ql/test/query-tests/security/CWE-927/SensitiveBroadcast.expected

@@ -0,0 +1,37 @@
+edges
+| SensitiveBroadcast.java:12:34:12:38 | token : String | SensitiveBroadcast.java:14:31:14:36 | intent |
+| SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | SensitiveBroadcast.java:14:31:14:36 | intent |
+| SensitiveBroadcast.java:25:32:25:39 | password : String | SensitiveBroadcast.java:26:31:26:36 | intent |
+| SensitiveBroadcast.java:36:35:36:39 | email : String | SensitiveBroadcast.java:38:31:38:36 | intent |
+| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] [<element>] : String | SensitiveBroadcast.java:52:31:52:36 | intent |
+| SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] [<element>] : String |
+| SensitiveBroadcast.java:97:35:97:40 | ticket : String | SensitiveBroadcast.java:98:54:98:59 | intent |
+| SensitiveBroadcast.java:109:32:109:39 | passcode : String | SensitiveBroadcast.java:111:54:111:59 | intent |
+| SensitiveBroadcast.java:136:33:136:38 | passwd : String | SensitiveBroadcast.java:140:54:140:59 | intent |
+nodes
+| SensitiveBroadcast.java:12:34:12:38 | token : String | semmle.label | token : String |
+| SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | semmle.label | refreshToken : String |
+| SensitiveBroadcast.java:14:31:14:36 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:25:32:25:39 | password : String | semmle.label | password : String |
+| SensitiveBroadcast.java:26:31:26:36 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:36:35:36:39 | email : String | semmle.label | email : String |
+| SensitiveBroadcast.java:38:31:38:36 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] [<element>] : String | semmle.label | userinfo [post update] [<element>] : String |
+| SensitiveBroadcast.java:50:22:50:29 | password : String | semmle.label | password : String |
+| SensitiveBroadcast.java:52:31:52:36 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:97:35:97:40 | ticket : String | semmle.label | ticket : String |
+| SensitiveBroadcast.java:98:54:98:59 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:109:32:109:39 | passcode : String | semmle.label | passcode : String |
+| SensitiveBroadcast.java:111:54:111:59 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:136:33:136:38 | passwd : String | semmle.label | passwd : String |
+| SensitiveBroadcast.java:140:54:140:59 | intent | semmle.label | intent |
+subpaths
+#select
+| SensitiveBroadcast.java:14:31:14:36 | intent | SensitiveBroadcast.java:12:34:12:38 | token : String | SensitiveBroadcast.java:14:31:14:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:12:34:12:38 | token | sensitive information |
+| SensitiveBroadcast.java:14:31:14:36 | intent | SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | SensitiveBroadcast.java:14:31:14:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:13:41:13:52 | refreshToken | sensitive information |
+| SensitiveBroadcast.java:26:31:26:36 | intent | SensitiveBroadcast.java:25:32:25:39 | password : String | SensitiveBroadcast.java:26:31:26:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:25:32:25:39 | password | sensitive information |
+| SensitiveBroadcast.java:38:31:38:36 | intent | SensitiveBroadcast.java:36:35:36:39 | email : String | SensitiveBroadcast.java:38:31:38:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:36:35:36:39 | email | sensitive information |
+| SensitiveBroadcast.java:52:31:52:36 | intent | SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:52:31:52:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:50:22:50:29 | password | sensitive information |
+| SensitiveBroadcast.java:98:54:98:59 | intent | SensitiveBroadcast.java:97:35:97:40 | ticket : String | SensitiveBroadcast.java:98:54:98:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:97:35:97:40 | ticket | sensitive information |
+| SensitiveBroadcast.java:111:54:111:59 | intent | SensitiveBroadcast.java:109:32:109:39 | passcode : String | SensitiveBroadcast.java:111:54:111:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:109:32:109:39 | passcode | sensitive information |
+| SensitiveBroadcast.java:140:54:140:59 | intent | SensitiveBroadcast.java:136:33:136:38 | passwd : String | SensitiveBroadcast.java:140:54:140:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:136:33:136:38 | passwd | sensitive information |

java/ql/test/query-tests/security/CWE-927/SensitiveBroadcast.java

@@ -0,0 +1,173 @@
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import java.util.ArrayList;
+
+class SensitiveBroadcast {
+
+    // BAD - Tests broadcast of access token with intent extra.
+    public void sendBroadcast1(Context context, String token, String refreshToken) {
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("token", token);
+        intent.putExtra("refreshToken", refreshToken);
+        context.sendBroadcast(intent);
+    }
+
+    // BAD - Tests broadcast of sensitive user information with intent extra.
+    public void sendBroadcast2(Context context) {
+        String userName = "test123";
+        String password = "abc12345";
+
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("name", userName);
+        intent.putExtra("pwd", password);
+        context.sendBroadcast(intent);
+    }
+
+    // BAD - Tests broadcast of email information with extra bundle.
+    public void sendBroadcast3(Context context) {
+        String email = "user123@example.com";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        Bundle bundle = new Bundle();
+        bundle.putString("email", email);
+        intent.putExtras(bundle);
+        context.sendBroadcast(intent);
+    }    
+
+    // BAD - Tests broadcast of sensitive user information with null permission.
+    public void sendBroadcast4(Context context) {
+        String username = "test123";
+        String password = "abc12345";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        ArrayList<String> userinfo = new ArrayList<String>();
+        userinfo.add(username);
+        userinfo.add(password);
+        intent.putStringArrayListExtra("userinfo", userinfo);
+        context.sendBroadcast(intent, null);
+    }
+
+    // GOOD - Tests broadcast of sensitive user information with permission using string literal.
+    public void sendBroadcast5(Context context) {
+        String username = "test123";
+        String password = "abc12345";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("name", username);
+        intent.putExtra("pwd", password);
+        context.sendBroadcast(intent, "com.example.user_permission");
+    }
+
+    // GOOD - Tests broadcast of access ticket with permission using string object.
+    public void sendBroadcast6(Context context) {
+        String ticket = "Tk9UIFNlY3VyZSBUaWNrZXQ=";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("ticket", ticket);
+        String perm = "com.example.user_permission";
+        context.sendBroadcast(intent, perm);
+    }
+
+    // GOOD - Tests broadcast of sensitive user information to a specific application.
+    public void sendBroadcast7(Context context) {
+        String username = "test123";
+        String password = "abc12345";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.setClassName("com.example2", "com.example2.UserInfoHandler");
+        intent.putExtra("name", username);
+        intent.putExtra("pwd", password);
+        context.sendBroadcast(intent);
+    }    
+
+    // BAD - Tests broadcast of access ticket with multiple permissions using direct empty array initialization.
+    public void sendBroadcast8(Context context) {
+        String ticket = "Tk9UIFNlY3VyZSBUaWNrZXQ=";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("ticket", ticket);
+        context.sendBroadcastWithMultiplePermissions(intent, new String[]{});
+    }    
+
+    // BAD - Tests broadcast of sensitive user information with multiple permissions using empty array initialization through a variable.
+    public void sendBroadcast9(Context context) {
+        String username = "test123";
+        String passcode = "abc12345";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("name", username);
+        intent.putExtra("pwd", passcode);
+        String[] perms = new String[0];
+        context.sendBroadcastWithMultiplePermissions(intent, perms);
+    }    
+
+    // GOOD - Tests broadcast of sensitive user information with multiple permissions.
+    public void sendBroadcast10(Context context) {
+        String username = "test123";
+        String password = "abc12345";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("name", username);
+        intent.putExtra("pwd", password);
+        String[] perms = new String[]{"com.example.custom_action", "com.example.custom_action2"};
+        context.sendBroadcastWithMultiplePermissions(intent, perms);
+    }    
+   
+    // BAD - Tests broadcast of sensitive user information with multiple permissions using empty array initialization through two variables and `intent.putExtras(bundle)`.
+    public void sendBroadcast11(Context context) {
+        String username = "test123";
+        String passwd = "abc12345";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        Bundle bundle = new Bundle();
+        bundle.putString("name", username);
+        bundle.putString("pwd", passwd);
+        intent.putExtras(bundle);
+        String[] perms = new String[0];
+        String[] perms2 = perms;
+        context.sendBroadcastWithMultiplePermissions(intent, perms2);
+    }    
+
+    /** 
+     * BAD - Tests broadcast of sensitive user information with multiple permissions using empty array initialization through two variables and `intent.getExtras().putString()`.
+     * Note this case of `getExtras().putString(...)` is not yet detected thus is beyond what the query is capable of.
+     */ 
+    public void sendBroadcast12(Context context) {
+        String username = "test123";
+        String password = "abc12345";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        Bundle bundle = new Bundle();
+        intent.putExtras(bundle);
+        intent.getExtras().putString("name", username);
+        intent.getExtras().putString("pwd", password);
+        String[] perms = new String[0];
+        String[] perms2 = perms;
+        context.sendBroadcastWithMultiplePermissions(intent, perms2);
+    }    
+
+    // GOOD - Tests broadcast of sensitive user information with ordered broadcast.
+    public void sendBroadcast13(Context context) {
+        String username = "test123";
+        String password = "abc12345";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("name", username);
+        intent.putExtra("pwd", password);
+        context.sendOrderedBroadcast(intent, "com.example.USER_PERM");
+    }        
+}

java/ql/test/query-tests/security/CWE-927/SensitiveBroadcast.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-927/SensitiveBroadcast.ql

java/ql/test/query-tests/security/CWE-927/options

@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0