More precise layout xml handling

2026-04-28 18:25:24 +02:00 · 2022-10-28 16:07:35 +01:00
parent f48b57c95a
commit 359d703ded
3 changed files with 31 additions and 12 deletions
--- a/java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll
@@ -9,24 +9,40 @@ private class AndroidLayoutXmlFile extends XmlFile {
  AndroidLayoutXmlFile() { this.getRelativePath().matches("%/res/layout/%.xml") }
 }

-/** An XML element that represents an editable text field. */
-class AndroidEditableXmlElement extends XmlElement {
-  AndroidXmlAttribute inputType;
+/** A component declared in an Android layout file. */
+class AndroidLayoutXmlElement extends XmlElement {
  AndroidXmlAttribute id;

-  AndroidEditableXmlElement() {
+  AndroidLayoutXmlElement() {
    this.getFile() instanceof AndroidLayoutXmlFile and
-    inputType = this.getAnAttribute() and
-    inputType.getName() = "inputType" and
-    id = this.getAnAttribute() and
-    id.getName() = "id"
+    id = this.getAttribute("id")
  }

-  /** Gets the input type of this field. */
-  string getInputType() { result = inputType.getValue() }
-
-  /** Gets the ID of this field. */
+  /** Gets the ID of this component. */
  string getId() { result = id.getValue() }
+
+  /** Gets the class of this component. */
+  Class getClass() {
+    this.getName() = "view" and
+    this.getAttribute("class").getValue() = result.getQualifiedName()
+    or
+    this.getName() = result.getQualifiedName()
+    or
+    result.hasQualifiedName(["android.widget", "android.view"], this.getName())
+  }
+}
+
+/** An XML element that represents an editable text field. */
+class AndroidEditableXmlElement extends AndroidLayoutXmlElement {
+  AndroidEditableXmlElement() {
+    exists(Class editText |
+      editText.hasQualifiedName("android.widget", "EditText") and
+      editText = this.getClass().getASourceSupertype*()
+    )
+  }
+
+  /** Gets the input type of this field, if any. */
+  string getInputType() { result = this.getAttribute("inputType").(AndroidXmlAttribute).getValue() }
 }

 /** Gets a regex indicating that an input field may contain sensitive data. */
--- a/java/ql/test/query-tests/security/CWE-524/Test.java
+++ b/java/ql/test/query-tests/security/CWE-524/Test.java
@@ -1 +1,3 @@
+import android.widget.EditText;
+
 class Test {}
--- a/java/ql/test/query-tests/security/CWE-524/options
+++ b/java/ql/test/query-tests/security/CWE-524/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0
				`@@ -0,0 +1 @@`
				`//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0`