Add more tests

atorralba · atorralba · commit cda54aa13c26 · 2021-09-03T12:02:40.000+02:00
Also add missing close methods
diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll
@@ -70,12 +70,13 @@ private predicate filesystemStore(DataFlow::Node file, Call store) {
 /** A method that closes a file. */
 private class CloseFileMethod extends Method {
   CloseFileMethod() {
-    this.hasQualifiedName("java.io", ["RandomAccessFile", "FileOutputStream"], "close")
+    this.hasQualifiedName("java.io", ["RandomAccessFile", "FileOutputStream", "PrintStream"],
+      "close")
     or
     this.getDeclaringType().getASupertype*().hasQualifiedName("java.io", "Writer") and
     this.hasName("close")
     or
-    this.hasQualifiedName("java.nio.file", "Files", "write")
+    this.hasQualifiedName("java.nio.file", "Files", ["write", "writeString"])
   }
 }
 
diff --git a/java/ql/test/query-tests/security/CWE-312/CleartextStorageAndroidFilesystemTest.java b/java/ql/test/query-tests/security/CWE-312/CleartextStorageAndroidFilesystemTest.java
@@ -3,10 +3,13 @@
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.FileWriter;
+import java.io.OutputStream;
 import java.io.OutputStreamWriter;
+import java.io.PrintStream;
 import java.io.PrintWriter;
 import java.io.RandomAccessFile;
 import java.io.Writer;
+import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -21,122 +24,249 @@
 
 public class CleartextStorageAndroidFilesystemTest extends Activity {
 
-  public void testWriteLocalFile1(String name, String password) throws Exception {
-    // FileWriter
-    FileWriter fw = new FileWriter("some_file.txt");
-    fw.write(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
-    fw.close();
-  }
+  public void testWriteLocalFile(Context context, String name, String password) throws Exception {
 
-  public void testWriteLocalFile2(String name, String password) throws Exception {
-    // Nested writers
-    Writer writer =
-        new BufferedWriter(new OutputStreamWriter(new FileOutputStream("some_file.txt"), "utf-8"));
-    writer.write(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
-    writer.close();
-  }
+    // FileOutputStream
+    {
+      // java.io;FileOutputStream;false;FileOutputStream;;;Argument[0];create-file
+      FileOutputStream os = new FileOutputStream("some_file.txt");
+      // Nested writers
+      Writer writer = new BufferedWriter(new OutputStreamWriter(os, "utf-8"));
+      // java.io;FileOutputStream;false;write;;;Argument[0];write-file
+      writer.write(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      writer.close();
+    }
 
-  public void testWriteLocalFile3(String name, String password) throws Exception {
-    // try-with-resources
-    try (FileWriter fw = new FileWriter("some_file.txt")) {
-      fw.write(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+    // RandomAccessFile
+    {
+      // java.io;RandomAccessFile;false;RandomAccessFile;;;Argument[0];create-file
+      RandomAccessFile f = new RandomAccessFile("some_file.txt", "r");
+      String contents = name + ":" + password;
+      // java.io;RandomAccessFile;false;write;;;Argument[0];write-file
+      f.write(contents.getBytes()); // $ hasCleartextStorageAndroidFilesystem
+      f.close();
+    }
+    {
+      // try-with-resources
+      try (RandomAccessFile f = new RandomAccessFile(new File("some_file.txt"), "r")) {
+        // java.io;RandomAccessFile;false;writeBytes;;;Argument[0];write-file
+        f.writeBytes(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      }
+    }
+    {
+      RandomAccessFile f = new RandomAccessFile("some_file.txt", "r");
+      // java.io;RandomAccessFile;false;writeChars;;;Argument[0];write-file
+      f.writeChars(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      f.close();
+    }
+    {
+      RandomAccessFile f = new RandomAccessFile("some_file.txt", "r");
+      // java.io;RandomAccessFile;false;writeUTF;;;Argument[0];write-file
+      f.writeUTF(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      f.close();
+    }
+
+    // FileWriter
+    {
+      // java.io;FileWriter;false;FileWriter;;;Argument[0];create-file
+      FileWriter fw = new FileWriter("some_file.txt");
+      // java.io;Writer;true;append;;;Argument[0];write-file
+      fw.append(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      fw.close();
+    }
+    {
+      // try-with-resources
+      try (FileWriter fw = new FileWriter("some_file.txt")) {
+        // java.io;Writer;true;write;;;Argument[0];write-file
+        fw.write(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      }
+    }
+
+    // PrintStream
+    {
+      // java.io;PrintStream;false;PrintStream;(File);;Argument[0];create-file"
+      PrintStream ps = new PrintStream(new File("some_file.txt"));
+      // java.io;PrintStream;true;append;;;Argument[0];write-file
+      ps.append(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      ps.close();
+    }
+    {
+      // java.io;PrintStream;false;PrintStream;(File,String);;Argument[0];create-file
+      PrintStream ps = new PrintStream(new File("some_file.txt"), "utf-8");
+      // java.io;PrintStream;true;format;(String,Object[]);;Argument[0..1];write-file
+      ps.format("%s:" + password, name); // $ hasCleartextStorageAndroidFilesystem
+      ps.format("%s:%s", name, password); // $ hasCleartextStorageAndroidFilesystem
+      ps.close();
+    }
+    {
+      // java.io;PrintStream;false;PrintStream;(File,Charset);;Argument[0];create-file
+      PrintStream ps = new PrintStream(new File("some_file.txt"), Charset.defaultCharset());
+      // java.io;PrintStream;true;format;(Locale,String,Object[]);;Argument[1..2];write-file
+      ps.format(Locale.US, "%s:" + password, name); // $ hasCleartextStorageAndroidFilesystem
+      ps.format(Locale.US, "%s:%s", name, password); // $ hasCleartextStorageAndroidFilesystem
+      ps.close();
+    }
+    {
+      // java.io;PrintStream;false;PrintStream;(String);;Argument[0];create-file
+      PrintStream ps = new PrintStream("some_file.txt");
+      // java.io;PrintStream;true;print;;;Argument[0];write-file
+      ps.print(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      ps.close();
+    }
+    {
+      // java.io;PrintStream;false;PrintStream;(String,String);;Argument[0];create-file
+      PrintStream ps = new PrintStream("some_file.txt", "utf-8");
+      // java.io;PrintStream;true;printf;(String,Object[]);;Argument[0..1];write-file
+      ps.printf("%s:" + password, name); // $ hasCleartextStorageAndroidFilesystem
+      ps.printf("%s:%s", name, password); // $ hasCleartextStorageAndroidFilesystem
+      ps.close();
+    }
+    {
+      // java.io;PrintStream;false;PrintStream;(String,Charset);;Argument[0];create-file
+      PrintStream ps = new PrintStream("some_file.txt", Charset.defaultCharset());
+      // java.io;PrintStream;true;printf;(Locale,String,Object[]);;Argument[1..2];write-file
+      ps.printf(Locale.US, "%s:" + password, name); // $ hasCleartextStorageAndroidFilesystem
+      ps.printf(Locale.US, "%s:%s", name, password); // $ hasCleartextStorageAndroidFilesystem
+      ps.close();
+    }
+    {
+      PrintStream ps = new PrintStream("some_file.txt");
+      // java.io;PrintStream;true;println;;;Argument[0];write-file
+      ps.println(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      ps.close();
+    }
+    {
+      PrintStream ps = new PrintStream("some_file.txt");
+      String contents = name + ":" + password;
+      // java.io;PrintStream;true;write;;;Argument[0];write-file
+      ps.write(contents.getBytes()); // $ hasCleartextStorageAndroidFilesystem
+      ps.close();
+    }
+    {
+      PrintStream ps = new PrintStream("some_file.txt");
+      String contents = name + ":" + password;
+      // java.io;PrintStream;true;writeBytes;;;Argument[0];write-file
+      ps.writeBytes(contents.getBytes()); // $ hasCleartextStorageAndroidFilesystem
+      ps.close();
     }
-  }
 
-  public void testWriteLocalFile4(String name, String password) throws Exception {
     // PrintWriter
     {
+      // java.io;PrintWriter;false;PrintWriter;(File);;Argument[0];create-file
       PrintWriter pw = new PrintWriter(new File("some_file.txt"));
-      pw.append(name);
-      pw.append(":");
-      pw.append(password); // $ hasCleartextStorageAndroidFilesystem
+      // java.io;Writer;true;append;;;Argument[0];write-file
+      pw.append(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
       pw.close();
     }
     {
+      // try-with-resources
+      try (PrintWriter pw = new PrintWriter(new File("some_file.txt"))) {
+        // java.io;PrintWriter;false;format;(String,Object[]);;Argument[0..1];write-file
+        pw.format("%s:" + password, name); // $ hasCleartextStorageAndroidFilesystem
+        pw.format("%s:%s", name, password); // $ hasCleartextStorageAndroidFilesystem
+      }
+    }
+    {
+      // java.io;PrintWriter;false;PrintWriter;(File,String);;Argument[0];create-file
       PrintWriter pw = new PrintWriter(new File("some_file.txt"), "utf-8");
-      pw.print(name);
-      pw.print(":");
-      pw.print(password); // $ hasCleartextStorageAndroidFilesystem
+      // java.io;PrintWriter;false;format;(Locale,String,Object[]);;Argument[1..2];write-file
+      pw.format(Locale.US, "%s:" + password, name); // $ hasCleartextStorageAndroidFilesystem
+      pw.format(Locale.US, "%s:%s", name, password); // $ hasCleartextStorageAndroidFilesystem
+      pw.close();
+    }
+    {
+      // java.io;PrintWriter;false;PrintWriter;(File,Charset);;Argument[0];create-file
+      PrintWriter pw = new PrintWriter(new File("some_file.txt"), Charset.defaultCharset());
+      // java.io;PrintWriter;false;print;;;Argument[0];write-file
+      pw.print(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
       pw.close();
     }
+
     {
+      // java.io;PrintWriter;false;PrintWriter;(String);;Argument[0];create-file
       PrintWriter pw = new PrintWriter("some_file.txt");
-      pw.println(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      // java.io;PrintWriter;false;printf;(String,Object[]);;Argument[0..1];write-file
+      pw.printf("%s:" + password, name); // $ hasCleartextStorageAndroidFilesystem
+      pw.printf("%s:%s", name, password); // $ hasCleartextStorageAndroidFilesystem
       pw.close();
     }
     {
+      // java.io;PrintWriter;false;PrintWriter;(String,String);;Argument[0];create-file
       PrintWriter pw = new PrintWriter("some_file.txt", "utf-8");
-      pw.write(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      // java.io;PrintWriter;false;printf;(Locale,String,Object[]);;Argument[1..2];write-file
+      pw.printf(Locale.US, "%s:" + password, name); // $ hasCleartextStorageAndroidFilesystem
+      pw.printf(Locale.US, "%s:%s", name, password); // $ hasCleartextStorageAndroidFilesystem
       pw.close();
     }
     {
-      PrintWriter pw = new PrintWriter("some_file.txt");
-      pw.format(Locale.US, "%s:%s", name, password); // $ hasCleartextStorageAndroidFilesystem
+      // java.io;PrintWriter;false;PrintWriter;(String,Charset);;Argument[0];create-file
+      PrintWriter pw = new PrintWriter("some_file.txt", Charset.defaultCharset());
+      // java.io;PrintWriter;false;println;;;Argument[0];write-file
+      pw.println(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
       pw.close();
     }
     {
-      try (PrintWriter pw = new PrintWriter("some_file.txt")) {
-        pw.format("%s:%s", name, password); // $ hasCleartextStorageAndroidFilesystem
-      }
+      PrintWriter pw = new PrintWriter("some_file.txt");
+      // java.io;Writer;true;write;;;Argument[0];write-file
+      pw.write(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      pw.close();
     }
-  }
 
-  public void testWriteLocalFile5(String name, String password) throws Exception {
     // java.nio.files.Files
-    String contents = name + ":" + password;
-    // @formatter:off
     {
-      Files.write(Path.of("some_file.txt"), contents.getBytes()); // $ hasCleartextStorageAndroidFilesystem
+      // java.nio.file;Files;false;newBufferedWriter;;;Argument[0];create-file
+      BufferedWriter bw = Files.newBufferedWriter(Path.of("some_file.txt"));
+      bw.write(name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
+      bw.close();
     }
     {
-      Files.write(Path.of("some_file.txt"), List.of(contents)); // $ hasCleartextStorageAndroidFilesystem
+      // java.nio.file;Files;false;newOutputStream;;;Argument[0];create-file
+      // try-with-resources
+      try (OutputStream os = Files.newOutputStream(Path.of("some_file.txt"))) {
+        String contents = name + ":" + password;
+        os.write(contents.getBytes());
+      }
     }
-    // @formatter:on
-  }
-
-  public void testWriteLocalFile6(String name, String password) throws Exception {
-    // RandomAccessFile
-    String contents = name + ":" + password;
     {
-      RandomAccessFile f = new RandomAccessFile("some_file.txt", "r");
-      f.write(contents.getBytes()); // $ hasCleartextStorageAndroidFilesystem
-      f.close();
+      Path path = Path.of("some_file.txt");
+      String contents = name + ":" + password;
+      // java.nio.file;Files;false;write;;;Argument[0];create-file
+      // java.nio.file;Files;false;write;;;Argument[1];write-file",
+      Files.write(path, contents.getBytes()); // $ hasCleartextStorageAndroidFilesystem
     }
     {
-      // @formatter:off
-      try (RandomAccessFile f = new RandomAccessFile(new File("some_file.txt"), "r")) {
-        f.write(contents.getBytes(), 0, contents.length()); // $ hasCleartextStorageAndroidFilesystem
-      }
-      // @formatter:on
+      Path path = Path.of("some_file.txt");
+      String contents = name + ":" + password;
+      Files.write(path, List.of(contents)); // $ hasCleartextStorageAndroidFilesystem
+    }
+    {
+      Path path = Path.of("some_file.txt");
+      // java.nio.file;Files;false;writeString;;;Argument[0];create-file
+      // java.nio.file;Files;false;writeString;;;Argument[1];write-file"
+      Files.writeString(path, name + ":" + password); // $ hasCleartextStorageAndroidFilesystem
     }
-  }
-
-  public void testWriteLocalFileSafe1(String name, String password) throws Exception {
-    // Using hashing
-    FileWriter fw = new FileWriter("some_file.txt");
-    fw.write(name + ":" + hash(password)); // Safe
-    fw.close();
-  }
-
-  public void testWriteLocalFileSafe2(String name, String password) throws Exception {
-    // Nested writers
-    Writer writer =
-        new BufferedWriter(new OutputStreamWriter(new ByteArrayOutputStream(), "utf-8"));
-    writer.write(name + ":" + password); // Safe - not writing to a file
-    writer.close();
-  }
 
-  public void testWriteLocalFileSafe3(Context context, String name, String password)
-      throws Exception {
-    File file = new File("some_file.txt");
-    String contents = name + ":" + password;
-    EncryptedFile encryptedFile = new EncryptedFile.Builder(file, context, "some_key",
-        FileEncryptionScheme.AES256_GCM_HKDF_4KB).build();
-    FileOutputStream encryptedOutputStream = encryptedFile.openFileOutput();
-    encryptedOutputStream.write(contents.getBytes()); // Safe
+    // Safe writes
+    {
+      FileWriter fw = new FileWriter("some_file.txt");
+      fw.write(name + ":" + hash(password)); // Safe - using a hash
+      fw.close();
+    }
+    {
+      Writer writer = new OutputStreamWriter(new ByteArrayOutputStream(), "utf-8");
+      writer.write(name + ":" + password); // Safe - not writing to a file
+      writer.close();
+    }
+    {
+      File file = new File("some_file.txt");
+      String contents = name + ":" + password;
+      EncryptedFile encryptedFile = new EncryptedFile.Builder(file, context, "some_key",
+          FileEncryptionScheme.AES256_GCM_HKDF_4KB).build();
+      FileOutputStream encryptedOutputStream = encryptedFile.openFileOutput();
+      encryptedOutputStream.write(contents.getBytes()); // Safe - using EncryptedFile
+    }
   }
 
-
   private static String hash(String cleartext) throws Exception {
     MessageDigest digest = MessageDigest.getInstance("SHA-256");
     byte[] hash = digest.digest(cleartext.getBytes(StandardCharsets.UTF_8));
