Java: Expanded test suite of java/visible-for-testing-abuse

Napalys · Napalys · commit 6844b78f6821 · 2025-08-06T12:55:08.000+02:00
diff --git a/java/ql/test/query-tests/VisibleForTestingAbuse/VisibleForTestingAbuse.expected b/java/ql/test/query-tests/VisibleForTestingAbuse/VisibleForTestingAbuse.expected
@@ -1,4 +1,25 @@
-| packageone/SourcePackage.java:8:21:8:32 | Annotated.m1 | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:9:29:9:30 | m1 | element |
-| packagetwo/Source.java:7:17:7:29 | f(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:12:16:12:16 | f | element |
+| packageone/SourcePackage.java:9:21:9:32 | Annotated.m1 | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:9:29:9:30 | m1 | element |
+| packageone/SourcePackage.java:10:21:10:32 | Annotated.m2 | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:11:26:11:27 | m2 | element |
+| packageone/SourcePackage.java:16:18:16:36 | fPublic(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:26:23:26:29 | fPublic | element |
+| packageone/SourcePackage.java:17:18:17:39 | fProtected(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:31:26:31:35 | fProtected | element |
+| packageone/SourcePackage.java:25:31:25:42 | Annotated.m1 | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:9:29:9:30 | m1 | element |
+| packageone/SourcePackage.java:26:31:26:42 | Annotated.m2 | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:11:26:11:27 | m2 | element |
+| packageone/SourcePackage.java:29:28:29:46 | fPublic(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:26:23:26:29 | fPublic | element |
+| packageone/SourcePackage.java:30:28:30:49 | fProtected(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:31:26:31:35 | fProtected | element |
+| packagetwo/Annotated.java:49:31:49:31 | m | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:7:19:7:19 | m | element |
+| packagetwo/Annotated.java:50:32:50:33 | m1 | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:9:29:9:30 | m1 | element |
+| packagetwo/Annotated.java:51:32:51:33 | m2 | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:11:26:11:27 | m2 | element |
+| packagetwo/Annotated.java:54:26:54:28 | f(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:16:16:16:16 | f | element |
+| packagetwo/Annotated.java:56:32:56:40 | fPublic(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:26:23:26:29 | fPublic | element |
+| packagetwo/Annotated.java:57:35:57:46 | fProtected(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:31:26:31:35 | fProtected | element |
+| packagetwo/Annotated.java:64:28:64:28 | m | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:7:19:7:19 | m | element |
+| packagetwo/Annotated.java:69:26:69:28 | f(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:16:16:16:16 | f | element |
 | packagetwo/Source.java:8:20:8:30 | Annotated.m | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:7:19:7:19 | m | element |
-| packagetwo/Source.java:9:28:9:47 | new AnnotatedClass(...) | Access of $@ annotated with VisibleForTesting found in production code. | packageone/AnnotatedClass.java:4:14:4:27 | AnnotatedClass | element |
+| packagetwo/Source.java:14:17:14:29 | f(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:16:16:16:16 | f | element |
+| packagetwo/Source.java:20:28:20:47 | new AnnotatedClass(...) | Access of $@ annotated with VisibleForTesting found in production code. | packageone/AnnotatedClass.java:4:14:4:27 | AnnotatedClass | element |
+| packagetwo/Source.java:24:30:24:40 | Annotated.m | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:7:19:7:19 | m | element |
+| packagetwo/Source.java:25:31:25:42 | Annotated.m1 | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:9:29:9:30 | m1 | element |
+| packagetwo/Source.java:26:31:26:42 | Annotated.m2 | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:11:26:11:27 | m2 | element |
+| packagetwo/Source.java:28:27:28:39 | f(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:16:16:16:16 | f | element |
+| packagetwo/Source.java:29:28:29:46 | fPublic(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:26:23:26:29 | fPublic | element |
+| packagetwo/Source.java:30:28:30:49 | fProtected(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:31:26:31:35 | fProtected | element |
diff --git a/java/ql/test/query-tests/VisibleForTestingAbuse/packageone/SourcePackage.java b/java/ql/test/query-tests/VisibleForTestingAbuse/packageone/SourcePackage.java
@@ -4,7 +4,31 @@
 
 public class SourcePackage extends Annotated {
     void f() {
-        AnnotatedClass a = new AnnotatedClass(); // COMPLIANT - same package
+        // Fields - cross-package access (only accessible ones)
+        // String s = Annotated.m; // Cannot access package-private from different package
         String s1 = Annotated.m1; // $ Alert
+        String s2 = Annotated.m2; // $ Alert
+        // String s3 = Annotated.m3; // Cannot access private field
+        
+        // Methods - cross-package access (only accessible ones)
+        // int i = Annotated.f(); // Cannot access package-private from different package
+        // int i1 = Annotated.fPrivate(); // Cannot access private method
+        int i2 = Annotated.fPublic(); // $ Alert
+        int i3 = Annotated.fProtected(); // $ Alert
+        
+        // Same package class
+        AnnotatedClass a = new AnnotatedClass(); // COMPLIANT - same package
+        
+        // Lambda usage - cross-package (only accessible members)
+        Runnable lambda = () -> {
+            // String lambdaS = Annotated.m; // Cannot access package-private
+            String lambdaS1 = Annotated.m1; // $ Alert
+            String lambdaS2 = Annotated.m2; // $ Alert
+            
+            // int lambdaI = Annotated.f(); // Cannot access package-private
+            int lambdaI2 = Annotated.fPublic(); // $ Alert
+            int lambdaI3 = Annotated.fProtected(); // $ Alert
+        };
+        lambda.run();
     }
 }
diff --git a/java/ql/test/query-tests/VisibleForTestingAbuse/packagetwo/Annotated.java b/java/ql/test/query-tests/VisibleForTestingAbuse/packagetwo/Annotated.java
@@ -7,9 +7,69 @@ public class Annotated {
     static String m;
     @VisibleForTesting
     static protected String m1;
+    @VisibleForTesting
+    static public String m2;
+    @VisibleForTesting
+    static private String m3;
 
     @VisibleForTesting
     static int f() {
         return 1;
     }
+
+    @VisibleForTesting
+    static private int fPrivate() {
+        return 1;
+    }
+
+    @VisibleForTesting
+    static public int fPublic() {
+        return 1;
+    }
+
+    @VisibleForTesting
+    static protected int fProtected() {
+        return 1;
+    }
+
+    private static void resetPriorities() {
+        String priority = m;
+        String priority1 = m1;
+        String priority2 = m2;
+        String priority3 = m3;
+
+        int result = f();
+        int resultPrivate = fPrivate();
+        int resultPublic = fPublic();
+        int resultProtected = fProtected();
+    }
+
+    private static void resetPriorities2() {
+        Runnable task = () -> {
+            String priority = m; // $ SPURIOUS: Alert
+            String priority1 = m1; // $ SPURIOUS: Alert
+            String priority2 = m2; // $ SPURIOUS: Alert
+            String priority3 = m3;
+
+            int result = f(); // $ SPURIOUS: Alert
+            int resultPrivate = fPrivate();
+            int resultPublic = fPublic(); // $ SPURIOUS: Alert
+            int resultProtected = fProtected(); // $ SPURIOUS: Alert
+        };
+        task.run();
+    }
+
+    private static class InnerClass {
+        void useVisibleForMembers() {
+            String field = m; // $ SPURIOUS: Alert
+            String field1 = m1;
+            String field2 = m2;
+            String field3 = m3;
+
+            int method = f(); // $ SPURIOUS: Alert
+            int methodPrivate = fPrivate();
+            int methodPublic = fPublic();
+            int methodProtected = fProtected();
+        }
+    }
 }
diff --git a/java/ql/test/query-tests/VisibleForTestingAbuse/packagetwo/Source.java b/java/ql/test/query-tests/VisibleForTestingAbuse/packagetwo/Source.java
@@ -4,9 +4,31 @@
 
 public class Source {
     void f() {
-        int i = Annotated.f(); // $ Alert
+        // Fields
         String s = Annotated.m; // $ Alert
-        AnnotatedClass a = new AnnotatedClass(); // $ Alert
         String s1 = Annotated.m1; // COMPLIANT - same package
+        String s2 = Annotated.m2;
+        // String s3 = Annotated.m3; // Cannot access private field
+        
+        // Methods
+        int i = Annotated.f(); // $ Alert
+        // int i1 = Annotated.fPrivate(); // Cannot access private method
+        int i2 = Annotated.fPublic();
+        int i3 = Annotated.fProtected();
+        
+        // Other class
+        AnnotatedClass a = new AnnotatedClass(); // $ Alert
+        
+        // Lambda usage
+        Runnable lambda = () -> {
+            String lambdaS = Annotated.m; // $ Alert
+            String lambdaS1 = Annotated.m1; // $ SPURIOUS: Alert
+            String lambdaS2 = Annotated.m2; // $ SPURIOUS: Alert
+            
+            int lambdaI = Annotated.f(); // $ Alert
+            int lambdaI2 = Annotated.fPublic(); // $ SPURIOUS: Alert
+            int lambdaI3 = Annotated.fProtected(); // $ SPURIOUS: Alert
+        };
+        lambda.run();
     }
 }
diff --git a/java/ql/test/query-tests/VisibleForTestingAbuse/packagetwo/Test.java b/java/ql/test/query-tests/VisibleForTestingAbuse/packagetwo/Test.java
@@ -4,9 +4,31 @@
 
 public class Test {
     void f() {
-        int i = Annotated.f(); // COMPLIANT
+        // Fields
         String s = Annotated.m; // COMPLIANT
-        AnnotatedClass a = new AnnotatedClass(); // COMPLIANT
         String s1 = Annotated.m1; // COMPLIANT
+        String s2 = Annotated.m2; // COMPLIANT
+        // String s3 = Annotated.m3; // Cannot access private field
+        
+        // Methods
+        int i = Annotated.f(); // COMPLIANT
+        // int i1 = Annotated.fPrivate(); // Cannot access private method
+        int i2 = Annotated.fPublic(); // COMPLIANT
+        int i3 = Annotated.fProtected(); // COMPLIANT
+        
+        // Other class
+        AnnotatedClass a = new AnnotatedClass(); // COMPLIANT
+        
+        // Lambda usage
+        Runnable lambda = () -> {
+            String lambdaS = Annotated.m; // COMPLIANT
+            String lambdaS1 = Annotated.m1; // COMPLIANT
+            String lambdaS2 = Annotated.m2; // COMPLIANT
+            
+            int lambdaI = Annotated.f(); // COMPLIANT
+            int lambdaI2 = Annotated.fPublic(); // COMPLIANT
+            int lambdaI3 = Annotated.fProtected(); // COMPLIANT
+        };
+        lambda.run();
     }
 }
