hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 01:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add declaring type to the res.getString(R.string.key) call

Browse Source
This commit is contained in:
Bt2018
2020-05-18 07:59:38 -04:00
committed by GitHub
parent 819a599e2c
commit 7a9381f1fb
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/ql/src/experimental/CWE-939/IncorrectURLVerification.ql
View File

@@ -63,9 +63,11 @@ class HostVerificationMethodAccess extends MethodAccess {
.getRepresentedString()
.charAt(0) != "." //"."+var2, check string constant "." e.g. String domainName = "example.com"; Uri.parse(url).getHost().endsWith("www."+domainName)
or
exists(MethodAccess ma |
exists(MethodAccess ma, Method m |
this.getArgument(0) = ma and
ma.getMethod().hasName("getString") and
ma.getMethod() = m and
m.hasName("getString") and
m.getDeclaringType().getQualifiedName() = "android.content.res.Resources" and
ma.getArgument(0).toString().indexOf("R.string") = 0
) //Check resource properties in /res/values/strings.xml in Android mobile applications using res.getString(R.string.key)
or