Added options, .qhelp and .expected file for unit test.

masterofnow · masterofnow · commit 7162540faf59 · 2023-12-21T19:57:37.000+08:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.qhelp b/java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.qhelp
@@ -17,6 +17,18 @@ Verify that the signature of an app in addition to the package name before loadi
 </p>
 </recommendation>
 
+<example>
+<p>
+The <code>BadClassLoader</code> class illustrate class loading with <code>android.content.pm.PackageInfo.packageName.startsWith()</code> method without any check on the package signature. 
+</p>
+<sample src="BadClassLoader.java" />
+<p>
+The <code>GoodClassLoader</code> class illustrate class loading with package signature check using <code>android.content.pm.PackageManager.checkSignatures()</code> method.
+</p>
+<sample src="GoodClassLoader.java" />
+</example>
+
+
 <references>
 <li>
 <a href="https://blog.oversecured.com/Android-arbitrary-code-execution-via-third-party-package-contexts/">
diff --git a/java/ql/test/experimental/query-tests/security/CWE-470/LoadClassNoSignatureCheck.expected b/java/ql/test/experimental/query-tests/security/CWE-470/LoadClassNoSignatureCheck.expected
@@ -0,0 +1,12 @@
+edges
+| BadClassLoader.java:15:42:16:75 | createPackageContext(...) : Context | BadClassLoader.java:17:47:17:56 | appContext : Context |
+| BadClassLoader.java:17:47:17:56 | appContext : Context | BadClassLoader.java:17:47:17:73 | getClassLoader(...) : ClassLoader |
+| BadClassLoader.java:17:47:17:73 | getClassLoader(...) : ClassLoader | BadClassLoader.java:18:37:18:47 | classLoader |
+nodes
+| BadClassLoader.java:15:42:16:75 | createPackageContext(...) : Context | semmle.label | createPackageContext(...) : Context |
+| BadClassLoader.java:17:47:17:56 | appContext : Context | semmle.label | appContext : Context |
+| BadClassLoader.java:17:47:17:73 | getClassLoader(...) : ClassLoader | semmle.label | getClassLoader(...) : ClassLoader |
+| BadClassLoader.java:18:37:18:47 | classLoader | semmle.label | classLoader |
+subpaths
+#select
+| BadClassLoader.java:18:37:18:47 | classLoader | BadClassLoader.java:15:42:16:75 | createPackageContext(...) : Context | BadClassLoader.java:18:37:18:47 | classLoader | Class loaded from a $@ without signature check | BadClassLoader.java:15:42:16:75 | createPackageContext(...) | third party library |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-470/options b/java/ql/test/experimental/query-tests/security/CWE-470/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/google-android-9.0.0

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/google-android-9.0.0`