Merge branch 'main' into henrymercer/check-query-ids

2026-04-28 10:15:14 +02:00 · 2022-12-08 13:05:46 +00:00
parent 5674251839 280bb6864f
commit 3036b15af2
682 changed files with 14110 additions and 4191 deletions
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.4.5
+
+No user-facing changes.
+
 ## 0.4.4

 ### New Queries
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.qhelp
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.qhelp
@@ -0,0 +1,49 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Enabling JavaScript in an Android WebView allows the execution of
+      JavaScript code in the context of the running application. This creates a
+      cross-site scripting vulnerability.
+    </p>
+
+    <p>
+      For example, if your application's WebView allows for visiting web pages
+      that you do not trust, it is possible for an attacker to lead the user to
+      a page which loads malicious JavaScript.
+    </p>
+
+    <p>
+      You can enable or disable Javascript execution using
+      the <code>setJavaScriptEnabled</code> method of the settings of a WebView.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>JavaScript execution is disabled by default. You can explicitly disable
+    it by calling <code>setJavaScriptEnabled(false)</code> on the settings of
+    the WebView.</p>
+
+    <p>If JavaScript is necessary, only load content from trusted servers using encrypted channels, such as HTTPS with certificate verification.</p>
+  </recommendation>
+
+  <example>
+    <p>In the following (bad) example, a WebView has JavaScript enabled in its settings:</p>
+
+    <sample src="WebSettingsEnableJavascript.java"/>
+
+    <p>In the following (good) example, a WebView explicitly disallows JavaScript execution:</p>
+
+    <sample src="WebSettingsDisableJavascript.java"/>
+
+  </example>
+
+  <references>
+    <li>
+      Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setJavaScriptEnabled(boolean)">setJavaScriptEnabled</a>
+    </li>
+  </references>
+
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Android WebView JavaScript settings
+ * @description Enabling JavaScript execution in a WebView can result in cross-site scripting attacks.
+ * @kind problem
+ * @id java/android-websettings-javascript-enabled
+ * @problem.severity warning
+ * @security-severity 6.1
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-079
+ */
+
+import java
+import semmle.code.java.frameworks.android.WebView
+
+from MethodAccess ma
+where
+  ma.getMethod() instanceof AllowJavaScriptMethod and
+  ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true
+select ma, "JavaScript execution enabled in WebView."
--- a/java/ql/src/Security/CWE/CWE-079/WebSettingsDisableJavascript.java
+++ b/java/ql/src/Security/CWE/CWE-079/WebSettingsDisableJavascript.java
@@ -0,0 +1,2 @@
+WebSettings settings = webview.getSettings();
+settings.setJavaScriptEnabled(false);
--- a/java/ql/src/Security/CWE/CWE-079/WebSettingsEnableJavascript.java
+++ b/java/ql/src/Security/CWE/CWE-079/WebSettingsEnableJavascript.java
@@ -0,0 +1,2 @@
+WebSettings settings = webview.getSettings();
+settings.setJavaScriptEnabled(true);
--- a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+++ b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
@@ -26,18 +26,31 @@ predicate isSafeSecureCookieSetting(Expr e) {
  )
 }

+class SecureCookieConfiguration extends DataFlow::Configuration {
+  SecureCookieConfiguration() { this = "SecureCookieConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(MethodAccess ma, Method m | ma.getMethod() = m |
+      m.getDeclaringType() instanceof TypeCookie and
+      m.getName() = "setSecure" and
+      source.asExpr() = ma.getQualifier() and
+      forex(DataFlow::Node argSource |
+        DataFlow::localFlow(argSource, DataFlow::exprNode(ma.getArgument(0))) and
+        not DataFlow::localFlowStep(_, argSource)
+      |
+        isSafeSecureCookieSetting(argSource.asExpr())
+      )
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() =
+      any(MethodAccess add | add.getMethod() instanceof ResponseAddCookieMethod).getArgument(0)
+  }
+}
+
 from MethodAccess add
 where
  add.getMethod() instanceof ResponseAddCookieMethod and
-  not exists(Variable cookie, MethodAccess m |
-    add.getArgument(0) = cookie.getAnAccess() and
-    m.getMethod().getName() = "setSecure" and
-    forex(DataFlow::Node argSource |
-      DataFlow::localFlow(argSource, DataFlow::exprNode(m.getArgument(0))) and
-      not DataFlow::localFlowStep(_, argSource)
-    |
-      isSafeSecureCookieSetting(argSource.asExpr())
-    ) and
-    m.getQualifier() = cookie.getAnAccess()
-  )
+  not any(SecureCookieConfiguration df).hasFlowToExpr(add.getArgument(0))
 select add, "Cookie is added to response without the 'secure' flag being set."
--- a/java/ql/src/change-notes/2022-11-12-websettings-setjavascript-enabled.md
+++ b/java/ql/src/change-notes/2022-11-12-websettings-setjavascript-enabled.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `java/android-websettings-javascript-enabled`, to detect if JavaScript execution is enabled in an Android WebView.
--- a/java/ql/src/change-notes/released/0.4.5.md
+++ b/java/ql/src/change-notes/released/0.4.5.md
@@ -0,0 +1,3 @@
+## 0.4.5
+
+No user-facing changes.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.4
+lastReleaseVersion: 0.4.5
--- a/java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll
@@ -1,5 +1,4 @@
 import java
-private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources

 /** The class `com.jfinal.core.Controller`. */
--- a/java/ql/src/experimental/semmle/code/java/frameworks/SpringResource.qll
+++ b/java/ql/src/experimental/semmle/code/java/frameworks/SpringResource.qll
@@ -3,7 +3,6 @@
 */

 import java
-private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources

 /** A utility class for resolving resource locations to files in the file system in the Spring framework. */
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.4.5-dev
+version: 0.4.6-dev
 groups: 
  - java
  - queries
--- a/java/ql/src/utils/flowtestcasegenerator/FlowTestCaseSupportMethods.qll
+++ b/java/ql/src/utils/flowtestcasegenerator/FlowTestCaseSupportMethods.qll
@@ -4,7 +4,6 @@

 import java
 private import semmle.code.java.dataflow.internal.DataFlowUtil
-private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSummary
 private import semmle.code.java.dataflow.internal.FlowSummaryImpl
 private import FlowTestCaseUtils
--- a/java/ql/src/utils/model-generator/GenerateFlowModelExtensions.py
+++ b/java/ql/src/utils/model-generator/GenerateFlowModelExtensions.py
@@ -1,15 +0,0 @@
-#!/usr/bin/python3
-
-import sys
-import os.path
-import subprocess
-
-# Add Model as Data script directory to sys.path.
-gitroot = subprocess.check_output(["git", "rev-parse", "--show-toplevel"]).decode("utf-8").strip()
-madpath = os.path.join(gitroot, "misc/scripts/models-as-data/")
-sys.path.append(madpath)
-
-import generate_flow_model_extensions as model
-
-language = "java"
-model.Generator.make(language).run()
--- a/java/ql/src/utils/model-generator/RegenerateModels.py
+++ b/java/ql/src/utils/model-generator/RegenerateModels.py
@@ -5,19 +5,17 @@
 from pathlib import Path
 import json
 import os
-import requests
 import shutil
 import subprocess
 import tempfile
 import sys


-defaultModelPath = "java/ql/lib/semmle/code/java/frameworks"
 lgtmSlugToModelFile = {
    # "apache/commons-beanutils": "apache/BeanUtilsGenerated.qll",
    # "apache/commons-codec": "apache/CodecGenerated.qll",
    # "apache/commons-lang": "apache/Lang3Generated.qll",
-    "apache/commons-io": "apache/IOGenerated.qll",
+    "apache/commons-io": "org.apache.commons.io",
 }


@@ -36,13 +34,12 @@ def regenerateModel(lgtmSlug, extractedDb):
        print("ERROR: slug " + lgtmSlug +
              " is not mapped to a model file in script " + sys.argv[0])
        sys.exit(1)
-    modelFile = defaultModelPath + "/" + lgtmSlugToModelFile[lgtmSlug]
+    modelFile = lgtmSlugToModelFile[lgtmSlug]
    codeQlRoot = findGitRoot()
-    targetModel = codeQlRoot + "/" + modelFile
    subprocess.check_call([codeQlRoot + "/java/ql/src/utils/model-generator/GenerateFlowModel.py",
-                           "--with-summaries", "--with-sinks",
-                           extractedDb, targetModel])
-    print("Regenerated " + targetModel)
+                           "--with-summaries", "--with-sinks", "--with-negative-summaries",
+                           extractedDb, modelFile])
+    print("Regenerated " + modelFile)
    shutil.rmtree(tmpDir)