Refactor UnsafeAndroidAccess

Ed Minnix
2023-03-21 16:36:26 -04:00
parent 807588a031
commit 1e0c6811a4
3 changed files with 17 additions and 5 deletions


@@ -7,9 +7,11 @@ import semmle.code.java.security.RequestForgery
import semmle.code.java.security.UnsafeAndroidAccess import semmle.code.java.security.UnsafeAndroidAccess
/** /**
* DEPRECATED: Use `FetchUntrustedResourceFlow` instead.
*
* A taint configuration tracking flow from untrusted inputs to a resource fetching call. * A taint configuration tracking flow from untrusted inputs to a resource fetching call.
*/ */
class FetchUntrustedResourceConfiguration extends TaintTracking::Configuration { deprecated class FetchUntrustedResourceConfiguration extends TaintTracking::Configuration {
FetchUntrustedResourceConfiguration() { this = "FetchUntrustedResourceConfiguration" } FetchUntrustedResourceConfiguration() { this = "FetchUntrustedResourceConfiguration" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -20,3 +22,13 @@ class FetchUntrustedResourceConfiguration extends TaintTracking::Configuration {
sanitizer instanceof RequestForgerySanitizer sanitizer instanceof RequestForgerySanitizer
} }
} }
private module FetchUntrustedResourceConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink }
predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof RequestForgerySanitizer }
}
module FetchUntrustedResourceFlow = TaintTracking::Make<FetchUntrustedResourceConfig>;
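Review bot: The new public module `FetchUntrustedResourceFlow` at the end of the second hunk has no QLDoc, even though the deprecation notice added in the first hunk tells users to switch to it. I would add `/** Detects taint flow from untrusted inputs to a resource fetching call. */` above it, and a matching one-line doc on the private `FetchUntrustedResourceConfig`. A short comment on `isBarrier` would also help, for example `// Reuses the request-forgery sanitizers, so flows they cover are not reported here`, because that predicate decides which WebView URL loads the query stays silent about. The barrier matches the `isSanitizer` body visible in the context lines, but the deprecated class's `isSink` lies between the two hunks and is not shown, so that `isSink` is equivalent is assumed rather than confirmed from this page.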


@@ -14,9 +14,9 @@
import java import java
import semmle.code.java.security.UnsafeAndroidAccessQuery import semmle.code.java.security.UnsafeAndroidAccessQuery
import DataFlow::PathGraph import FetchUntrustedResourceFlow::PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink, FetchUntrustedResourceConfiguration conf from FetchUntrustedResourceFlow::PathNode source, FetchUntrustedResourceFlow::PathNode sink
where conf.hasFlowPath(source, sink) where FetchUntrustedResourceFlow::hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Unsafe resource fetching in Android WebView due to $@.", select sink.getNode(), source, sink, "Unsafe resource fetching in Android WebView due to $@.",
source.getNode(), sink.getNode().(UrlResourceSink).getSinkType() source.getNode(), sink.getNode().(UrlResourceSink).getSinkType()


@@ -9,7 +9,7 @@ class UnsafeAndroidAccessTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) { override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasUnsafeAndroidAccess" and tag = "hasUnsafeAndroidAccess" and
exists(DataFlow::Node sink, FetchUntrustedResourceConfiguration conf | conf.hasFlowTo(sink) | exists(DataFlow::Node sink | FetchUntrustedResourceFlow::hasFlowTo(sink) |
sink.getLocation() = location and sink.getLocation() = location and
element = sink.toString() and element = sink.toString() and
value = "" value = ""