Java: convert ArbitraryApkInstallation test to .qlref

Author: d10c

java/ql/test/query-tests/security/CWE-094/ApkInstallationTest.expected

@@ -11,46 +11,46 @@ public class ApkInstallation extends Activity {
     public void installAPK(String path) {
         // BAD: the path is not checked
         Intent intent = new Intent(Intent.ACTION_VIEW);
-        intent.setDataAndType(Uri.fromFile(new File(path)), "application/vnd.android.package-archive"); // $ hasApkInstallation
+        intent.setDataAndType(Uri.fromFile(new File(path)), "application/vnd.android.package-archive"); // $ Alert
         startActivity(intent);
     }
 
     public void installAPK3(String path) {
         Intent intent = new Intent(Intent.ACTION_VIEW);
         intent.setType(APK_MIMETYPE);
         // BAD: the path is not checked
-        intent.setData(Uri.fromFile(new File(path))); // $ hasApkInstallation
+        intent.setData(Uri.fromFile(new File(path))); // $ Alert
         startActivity(intent);
     }
 
     public void installAPKFromExternalStorage(String path) {
         // BAD: file is from external storage
         File file = new File(Environment.getExternalStorageDirectory(), path);
         Intent intent = new Intent(Intent.ACTION_VIEW);
-        intent.setDataAndType(Uri.fromFile(file), APK_MIMETYPE); // $ hasApkInstallation
+        intent.setDataAndType(Uri.fromFile(file), APK_MIMETYPE); // $ Alert
         startActivity(intent);
     }
 
     public void installAPKFromExternalStorageWithActionInstallPackage(String path) {
         // BAD: file is from external storage
         File file = new File(Environment.getExternalStorageDirectory(), path);
         Intent intent = new Intent(Intent.ACTION_INSTALL_PACKAGE);
-        intent.setData(Uri.fromFile(file)); // $ hasApkInstallation
+        intent.setData(Uri.fromFile(file)); // $ Alert
         startActivity(intent);
     }
 
     public void installAPKInstallPackageLiteral(String path) {
         File file = new File(Environment.getExternalStorageDirectory(), path);
         Intent intent = new Intent("android.intent.action.INSTALL_PACKAGE");
-        intent.setData(Uri.fromFile(file)); // $ hasApkInstallation
+        intent.setData(Uri.fromFile(file)); // $ Alert
         startActivity(intent);
     }
 
     public void otherIntent(File file) {
         Intent intent = new Intent(this, OtherActivity.class);
         intent.setAction(Intent.ACTION_VIEW);
         // BAD: the file is from unknown source
-        intent.setData(Uri.fromFile(file)); // $ hasApkInstallation
+        intent.setData(Uri.fromFile(file)); // $ Alert
     }
 }
 

java/ql/test/query-tests/security/CWE-094/ApkInstallationTest.ql

@@ -0,0 +1,16 @@
+#select
+| ApkInstallation.java:14:31:14:58 | fromFile(...) | ApkInstallation.java:14:31:14:58 | fromFile(...) | ApkInstallation.java:14:31:14:58 | fromFile(...) | Arbitrary Android APK installation. |
+| ApkInstallation.java:22:24:22:51 | fromFile(...) | ApkInstallation.java:22:24:22:51 | fromFile(...) | ApkInstallation.java:22:24:22:51 | fromFile(...) | Arbitrary Android APK installation. |
+| ApkInstallation.java:30:31:30:48 | fromFile(...) | ApkInstallation.java:30:31:30:48 | fromFile(...) | ApkInstallation.java:30:31:30:48 | fromFile(...) | Arbitrary Android APK installation. |
+| ApkInstallation.java:38:24:38:41 | fromFile(...) | ApkInstallation.java:38:24:38:41 | fromFile(...) | ApkInstallation.java:38:24:38:41 | fromFile(...) | Arbitrary Android APK installation. |
+| ApkInstallation.java:45:24:45:41 | fromFile(...) | ApkInstallation.java:45:24:45:41 | fromFile(...) | ApkInstallation.java:45:24:45:41 | fromFile(...) | Arbitrary Android APK installation. |
+| ApkInstallation.java:53:24:53:41 | fromFile(...) | ApkInstallation.java:53:24:53:41 | fromFile(...) | ApkInstallation.java:53:24:53:41 | fromFile(...) | Arbitrary Android APK installation. |
+edges
+nodes
+| ApkInstallation.java:14:31:14:58 | fromFile(...) | semmle.label | fromFile(...) |
+| ApkInstallation.java:22:24:22:51 | fromFile(...) | semmle.label | fromFile(...) |
+| ApkInstallation.java:30:31:30:48 | fromFile(...) | semmle.label | fromFile(...) |
+| ApkInstallation.java:38:24:38:41 | fromFile(...) | semmle.label | fromFile(...) |
+| ApkInstallation.java:45:24:45:41 | fromFile(...) | semmle.label | fromFile(...) |
+| ApkInstallation.java:53:24:53:41 | fromFile(...) | semmle.label | fromFile(...) |
+subpaths

java/ql/test/query-tests/security/CWE-094/ApkInstallation.java renamed to java/ql/test/query-tests/security/CWE-094/ApkInstallationTest/ApkInstallation.java

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-094/ArbitraryApkInstallation.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-094/ApkInstallationTest/ApkInstallationTest.expected

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/apache-commons-logging-1.2:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../../stubs/jinjava-2.6.0:${testdir}/../../../../stubs/pebble-3.1.5:${testdir}/../../../../stubs/thymeleaf-3.0.14:${testdir}/../../../../stubs/apache-velocity-2.3:${testdir}/../../../..//stubs/google-android-9.0.0