Java: setAllowContentAccess query tests

2026-04-30 19:26:02 +02:00 · 2022-12-22 20:46:14 -05:00
parent 5265cb4b03
commit 9ef319f659
3 changed files with 52 additions and 5 deletions
--- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.java
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.java
@@ -1,18 +1,59 @@
 package com.example.test;

+import android.app.Activity;
+
 import android.webkit.WebView;
 import android.webkit.WebSettings;

-public class WebViewContentAccess {
-    void configureWebViewUnsafe(WebView view) {
-        WebSettings settings = view.getSettings();
+/** Helper class to mock a method which returns a `WebView` */
+interface WebViewGetter {
+    WebView getAWebView();
+}

-        settings.setAllowContentAccess(true);
+public class WebViewContentAccess extends Activity {
+    void enableContentAccess(WebView webview) {
+        webview.getSettings().setAllowContentAccess(true);
    }

-    void configureWebViewSafe(WebView view) {
+    void disableContentAccess(WebView webview) {
+        webview.getSettings().setAllowContentAccess(false);
+    }
+
+    void configureWebViewSafe(WebView view, WebViewGetter getter) {
        WebSettings settings = view.getSettings();

        settings.setAllowContentAccess(false);
+
+        WebView view2 = (WebView) findViewById(0);
+        settings = view2.getSettings();
+
+        settings.setAllowContentAccess(false);
+
+        disableContentAccess(getter.getAWebView());
+    }
+
+    void configureWebViewUnsafe(WebView view1, WebViewGetter getter) {
+        WebSettings settings;
+
+        view1.getSettings().setAllowContentAccess(true);
+
+        // Cast expression
+        WebView view2 = (WebView) findViewById(0);
+        settings = view2.getSettings();
+        settings.setAllowContentAccess(true);
+
+        // Constructor
+        WebView view3 = new WebView(this);
+        settings = view3.getSettings();
+        settings.setAllowContentAccess(true);
+
+        // Method access
+        WebView view4 = getter.getAWebView();
+        settings = view4.getSettings();
+        settings.setAllowContentAccess(true);
+
+        enableContentAccess(getter.getAWebView());
+
+        WebView view5 = getter.getAWebView();
    }
 }
--- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccessDataFlow.expected
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccessDataFlow.expected
@@ -0,0 +1,5 @@
+| WebViewContentAccess.java:41:25:41:49 | (...)... | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:46:25:46:41 | new WebView(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:51:25:51:44 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:55:29:55:48 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:57:25:57:44 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
--- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccessDataFlow.qlref
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccessDataFlow.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-200/AndroidWebViewSettingsPermitsContentAccess.ql
				`@@ -0,0 +1 @@`
				`Security/CWE/CWE-200/AndroidWebViewSettingsPermitsContentAccess.ql`