Add tests

java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccess.java

@@ -0,0 +1,84 @@
+import android.app.Activity;
+import android.os.Bundle;
+import android.webkit.WebSettings;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+import com.android.internal.R;
+
+public class UnsafeAndroidAccess extends Activity {
+	public void onCreate(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(R.layout.webview);
+		{
+			WebView wv = (WebView) findViewById(R.id.my_webview);
+			WebSettings webSettings = wv.getSettings();
+
+			webSettings.setJavaScriptEnabled(true);
+			webSettings.setAllowUniversalAccessFromFileURLs(true);
+
+			wv.setWebViewClient(new WebViewClient() {
+				@Override
+				public boolean shouldOverrideUrlLoading(WebView view, String url) {
+					view.loadUrl(url);
+					return true;
+				}
+			});
+
+			String thisUrl = getIntent().getExtras().getString("url");
+			wv.loadUrl(thisUrl); // hasUnsafeAndroidAccess
+		}
+
+		{
+			WebView wv = (WebView) findViewById(R.id.my_webview);
+			WebSettings webSettings = wv.getSettings();
+
+			webSettings.setJavaScriptEnabled(true);
+			webSettings.setAllowUniversalAccessFromFileURLs(true);
+
+			wv.setWebViewClient(new WebViewClient() {
+				@Override
+				public boolean shouldOverrideUrlLoading(WebView view, String url) {
+					view.loadUrl(url);
+					return true;
+				}
+			});
+
+			String thisUrl = getIntent().getStringExtra("url");
+			wv.loadUrl(thisUrl); // hasUnsafeAndroidAccess
+		}
+
+		{
+			WebView wv = (WebView) findViewById(-1);
+			WebSettings webSettings = wv.getSettings();
+
+			wv.setWebViewClient(new WebViewClient() {
+				@Override
+				public boolean shouldOverrideUrlLoading(WebView view, String url) {
+					view.loadUrl(url);
+					return true;
+				}
+			});
+
+			String thisUrl = getIntent().getExtras().getString("url"); // remote input
+			wv.loadUrl(thisUrl); // Safe
+		}
+
+		{
+			WebView wv = (WebView) findViewById(-1);
+			WebSettings webSettings = wv.getSettings();
+
+			webSettings.setJavaScriptEnabled(true);
+
+			wv.setWebViewClient(new WebViewClient() {
+				@Override
+				public boolean shouldOverrideUrlLoading(WebView view, String url) {
+					view.loadUrl(url);
+					return true;
+				}
+			});
+
+			wv.loadUrl("https://www.mycorp.com"); // Safe
+		}
+	}
+
+}

java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccessTest.ql

@@ -0,0 +1,28 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.FlowSources
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.security.UnsafeAndroidAccess
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:cwe:jexl-injection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof FetchUntrustedResourceSink }
+}
+
+class UnsafeAndroidAccessTest extends InlineExpectationsTest {
+  UnsafeAndroidAccessTest() { this = "HasUnsafeAndroidAccess" }
+
+  override string getARelevantTag() { result = "hasUnsafeAndroidAccess" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasUnsafeAndroidAccess" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/query-tests/security/CWE-749/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/android