From 113257262055ffdaa6191bb92cab839a7f17280f Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Mon, 14 Nov 2022 14:33:12 -0500 Subject: [PATCH] Java: add test cases for setJavaScriptEnabled query --- .../semmle/tests/SetJavascriptEnabled.java | 18 ++++++++++++++++++ .../tests/WebViewSetEnabledJavaScript.expected | 1 + .../tests/WebViewSetEnabledJavaScript.qlref | 1 + .../security/CWE-079/semmle/tests/options | 2 +- 4 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java create mode 100644 java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.expected create mode 100644 java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.qlref diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java new file mode 100644 index 00000000000..d5593e38678 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java @@ -0,0 +1,18 @@ +package com.example.test; + +import android.webkit.WebView; +import android.webkit.WebSettings; + +public class SetJavascriptEnabled { + public static void configureWebViewUnsafe(WebView view) { + WebSettings settings = view.getSettings(); + settings.setJavaScriptEnabled(true); // $javascriptEnabled + } + + public static void configureWebViewSafe(WebView view) { + WebSettings settings = view.getSettings(); + + // Safe: Javascript disabled + settings.setJavaScriptEnabled(false); + } +} diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.expected b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.expected new file mode 100644 index 00000000000..22cb40574f4 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.expected @@ -0,0 +1 @@ +| SetJavascriptEnabled.java:9:9:9:43 | setJavaScriptEnabled(...) | JavaScript execution enabled in WebView. | diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.qlref b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.qlref new file mode 100644 index 00000000000..e9e8006886d --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.qlref @@ -0,0 +1 @@ +Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/options b/java/ql/test/query-tests/security/CWE-079/semmle/tests/options index 22487fb2daf..62fc56e6792 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/options +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/options @@ -1 +1 @@ -//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/javax-faces-2.3/ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/javax-faces-2.3/:${testdir}/../../../../../stubs/google-android-9.0.0