Add test and fix a bug

java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll

@@ -42,6 +42,12 @@ private class SensitiveResultReceiverConf extends TaintTracking::Configuration {
       node.asExpr() = call.getSentData()
     )
   }
+
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    super.allowImplicitRead(node, c)
+    or
+    this.isSink(node)
+  }
 }
 
 predicate sensitiveResultReceiver(

java/ql/test/query-tests/security/CWE-927/SensitiveResultReceiver.java

@@ -0,0 +1,13 @@
+import android.os.Bundle;
+import android.os.ResultReceiver;
+
+class SensitiveResultReceiver {
+    <T> T source() { return null; }
+
+    void test1(String password) {
+        ResultReceiver rec = source();
+        Bundle b = new Bundle();
+        b.putCharSequence("pass", password);
+        rec.send(0, b); // $hasSensitiveResultReceiver
+    }
+}

java/ql/test/query-tests/security/CWE-927/SensitiveResultReceiver.ql

@@ -0,0 +1,25 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.security.SensitiveResultReceiverQuery
+
+class TestSource extends RemoteFlowSource {
+  TestSource() { this.asExpr().(MethodAccess).getMethod().hasName("source") }
+
+  override string getSourceType() { result = "test" }
+}
+
+class ResultReceiverTest extends InlineExpectationsTest {
+  ResultReceiverTest() { this = "ResultReceiverTest" }
+
+  override string getARelevantTag() { result = "hasSensitiveResultReceiver" }
+
+  override predicate hasActualResult(Location loc, string element, string tag, string value) {
+    exists(DataFlow::PathNode src, DataFlow::PathNode sink, DataFlow::Node recSrc |
+      sensitiveResultReceiver(src, sink, recSrc) and
+      element = sink.toString() and
+      loc = sink.getNode().getLocation() and
+      tag = "hasSensitiveResultReceiver" and
+      value = ""
+    )
+  }
+}