Add unit tests

joefarebrother · joefarebrother · commit 2eb93b7a3b58 · 2024-02-12T13:49:45.000Z
diff --git a/java/ql/lib/semmle/code/java/security/AndroidLocalAuthQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidLocalAuthQuery.qll
@@ -43,8 +43,8 @@ class AuthenticationSuccessCallback extends Method {
 }
 
 /** A call that sets a parameter for key generation that is insecure for use with biometric authentication. */
-class InsecureBiometricKeyParam extends MethodCall {
-  InsecureBiometricKeyParam() {
+class InsecureBiometricKeyParamCall extends MethodCall {
+  InsecureBiometricKeyParamCall() {
     exists(string name, CompileTimeConstantExpr val |
       this.getMethod()
           .hasQualifiedName("android.security.keystore", "KeyGenParameterSpec$Builder", name) and
@@ -59,3 +59,6 @@ class InsecureBiometricKeyParam extends MethodCall {
     )
   }
 }
+
+/** Holds if the application contains an instance of a key being used for local biometric authentication. */
+predicate usesLocalAuth() { exists(AuthenticationSuccessCallback cb | exists(cb.getAResultUse())) }
diff --git a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql
@@ -13,9 +13,6 @@
 import java
 import semmle.code.java.security.AndroidLocalAuthQuery
 
-/** Holds if the application contains an instance of a key being used for local biometric authentication. */
-predicate usesLocalAuth() { exists(AuthenticationSuccessCallback cb | exists(cb.getAResultUse())) }
-
-from InsecureBiometricKeyParam call
+from InsecureBiometricKeyParamCall call
 where usesLocalAuth()
 select call, "This key is not secure for biometric authentication."
diff --git a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/InsecureKeys.expected b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/InsecureKeys.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
diff --git a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/InsecureKeys.ql b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/InsecureKeys.ql
@@ -0,0 +1,19 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+module InsecureKeysTest implements TestSig {
+  string getARelevantTag() { result = "insecure-key" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "insecure-key" and
+    exists(InsecureBiometricKeyParamCall call | usesLocalAuth() |
+      call.getLocation() = location and
+      element = call.toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<InsecureKeysTest>
diff --git a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/Test.java b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/Test.java
@@ -0,0 +1,21 @@
+import android.security.keystore.KeyGenParameterSpec;
+import android.hardware.biometrics.BiometricPrompt;
+import android.security.keystore.KeyProperties;
+
+class Test {
+    void test() {
+        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder("MySecretKey", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT);
+        builder.setUserAuthenticationRequired(false); // $insecure-key
+        builder.setInvalidatedByBiometricEnrollment(false); // $insecure-key
+        builder.setUserAuthenticationValidityDurationSeconds(30); // $insecure-key
+    }
+}
+
+class Callback extends BiometricPrompt.AuthenticationCallback {
+    public static void useKey(BiometricPrompt.CryptoObject key) {}
+
+    @Override
+    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
+        useKey(result.getCryptoObject());
+    }
+}
diff --git a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/options b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0
diff --git a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/InsecureKeys.expected b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/InsecureKeys.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
diff --git a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/InsecureKeys.ql b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/InsecureKeys.ql
@@ -0,0 +1,19 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+module InsecureKeysTest implements TestSig {
+  string getARelevantTag() { result = "insecure-key" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "insecure-key" and
+    exists(InsecureBiometricKeyParamCall call | usesLocalAuth() |
+      call.getLocation() = location and
+      element = call.toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<InsecureKeysTest>
diff --git a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/Test.java b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/Test.java
@@ -0,0 +1,13 @@
+import android.security.keystore.KeyGenParameterSpec;
+import android.hardware.biometrics.BiometricPrompt;
+import android.security.keystore.KeyProperties;
+
+class Test {
+    void test() {
+        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder("MySecretKey", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT);
+        // No alert as there is no use of biometric authentication in this application.
+        builder.setUserAuthenticationRequired(false); 
+        builder.setInvalidatedByBiometricEnrollment(false); 
+        builder.setUserAuthenticationValidityDurationSeconds(30); 
+    }
+}
diff --git a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/options b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0
diff --git a/java/ql/test/stubs/google-android-9.0.0/android/security/keystore/KeyGenParameterSpec.java b/java/ql/test/stubs/google-android-9.0.0/android/security/keystore/KeyGenParameterSpec.java
diff --git a/java/ql/test/stubs/google-android-9.0.0/android/security/keystore/KeyProperties.java b/java/ql/test/stubs/google-android-9.0.0/android/security/keystore/KeyProperties.java

Original file line number	Diff line number	Diff line change
`@@ -43,8 +43,8 @@ class AuthenticationSuccessCallback extends Method {`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`/** A call that sets a parameter for key generation that is insecure for use with biometric authentication. */`
`46`		`-class InsecureBiometricKeyParam extends MethodCall {`
`47`		`- InsecureBiometricKeyParam() {`
	`46`	`+class InsecureBiometricKeyParamCall extends MethodCall {`
	`47`	`+ InsecureBiometricKeyParamCall() {`
`48`	`48`	`exists(string name, CompileTimeConstantExpr val \|`
`49`	`49`	`this.getMethod()`
`50`	`50`	`.hasQualifiedName("android.security.keystore", "KeyGenParameterSpec$Builder", name) and`
`@@ -59,3 +59,6 @@ class InsecureBiometricKeyParam extends MethodCall {`
`59`	`59`	`)`
`60`	`60`	`}`
`61`	`61`	`}`
	`62`	`+`
	`63`	`+/** Holds if the application contains an instance of a key being used for local biometric authentication. */`
	`64`	`+predicate usesLocalAuth() { exists(AuthenticationSuccessCallback cb \| exists(cb.getAResultUse())) }`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0`