Java: Add test showing missing model for thenExpand

IdrissRio · IdrissRio · commit 3aba4d3e1ebe · 2025-09-08T13:17:52.000+02:00
diff --git a/java/ql/test/library-tests/dataflow/kdf/KDFDataflowTest.java b/java/ql/test/library-tests/dataflow/kdf/KDFDataflowTest.java
@@ -71,4 +71,17 @@ public static void testCleanUsage() throws Exception {
         byte[] cleanResult = kdf.deriveData(spec);
         sink(cleanResult); // Safe - no taint
     }
+
+    public static void testThenExpand(byte[] cleanIKM) throws Exception {
+        String userInput = source("");
+        byte[] taintedInfo = userInput.getBytes();
+
+        HKDFParameterSpec.Builder builder = HKDFParameterSpec.ofExtract();
+        builder.addIKM(cleanIKM);
+        HKDFParameterSpec spec = builder.thenExpand(taintedInfo, 32);
+
+        KDF kdf = KDF.getInstance("HKDF-SHA256");
+        byte[] result = kdf.deriveData(spec);
+        sink(result); // $ hasTaintFlow
+    }
 }
diff --git a/java/ql/test/library-tests/dataflow/kdf/test.expected b/java/ql/test/library-tests/dataflow/kdf/test.expected
@@ -87,3 +87,4 @@ nodes
 | KDFDataflowTest.java:60:14:60:19 | result | semmle.label | result |
 subpaths
 testFailures
+| KDFDataflowTest.java:85:23:85:39 | // $ hasTaintFlow | Missing result: hasTaintFlow |
