Add tests

Author: joefarebrother

java/ql/lib/semmle/code/java/frameworks/android/ExternalStorage.qll

@@ -34,7 +34,7 @@ private predicate externalStorageFlow(DataFlow::Node node1, DataFlow::Node node2
 
 /**
  * Holds if `n` is a node that reads the contents of an external file in Android.
- * This may be controlable by third-party applications, so is treated as a remote flow source.
+ * This is controlable by third-party applications, so is treated as a remote flow source.
  */
 predicate androidExternalStorageSource(DataFlow::Node n) {
   exists(ConstructorCall fInp, DataFlow::Node externalDir |

java/ql/test/library-tests/frameworks/android/external-storage/Test.java

@@ -0,0 +1,51 @@
+import java.io.File;
+import java.io.InputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+import android.content.Context;
+import android.os.Environment;
+
+class Test {
+    void sink(Object o) {}
+
+    void test1(Context ctx) throws IOException {
+        File f = new File(ctx.getExternalFilesDir(null), "file.txt");
+        InputStream is = new FileInputStream(f);
+        byte[] data = new byte[is.available()];
+        is.read(data);
+        sink(data); // $hasTaintFlow
+        is.close();
+    }
+
+    void test2(Context ctx) throws IOException {
+        File f = new File(new File(new File(ctx.getExternalFilesDirs(null)[0], "things"), "stuff"), "file.txt");
+        sink(new FileInputStream(f)); // $hasTaintFlow
+    }
+
+    void test3(Context ctx) throws IOException {
+        File f = new File(ctx.getExternalCacheDir(), "file.txt");
+        sink(new FileInputStream(f)); // $hasTaintFlow
+    }
+
+    void test4(Context ctx) throws IOException {
+        File f = new File(ctx.getExternalCacheDirs()[0], "file.txt");
+        sink(new FileInputStream(f)); // $hasTaintFlow
+    }
+
+    void test5(Context ctx) throws IOException {
+        File f = new File(Environment.getExternalStorageDirectory(), "file.txt");
+        sink(new FileInputStream(f)); // $hasTaintFlow
+    }
+
+    void test6(Context ctx) throws IOException {
+        File f = new File(Environment.getExternalStoragePublicDirectory(null), "file.txt");
+        sink(new FileInputStream(f)); // $hasTaintFlow
+    }
+
+    static final File dir = Environment.getExternalStorageDirectory();
+ 
+    void test7(Context ctx) throws IOException {
+        File f = new File(dir, "file.txt");
+        sink(new FileInputStream(f)); // $hasTaintFlow
+    }
+ }

java/ql/test/library-tests/frameworks/android/external-storage/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0

java/ql/test/library-tests/frameworks/android/external-storage/test.expected

@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.FlowSources
+import TestUtilities.InlineFlowTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "test:AndroidExternalFlowConf" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr().(Argument).getCall().getCallee().hasName("sink")
+  }
+}
+
+class ExternalStorageTest extends InlineFlowTest {
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+
+  override DataFlow::Configuration getTaintFlowConfig() { result instanceof Conf }
+}