diff --git a/java/ql/lib/semmle/code/java/security/WebviewDubuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDubuggingEnabledQuery.qll index e9107ca10b4..3b937766899 100644 --- a/java/ql/lib/semmle/code/java/security/WebviewDubuggingEnabledQuery.qll +++ b/java/ql/lib/semmle/code/java/security/WebviewDubuggingEnabledQuery.qll @@ -8,11 +8,7 @@ import semmle.code.java.security.SecurityTests /** Holds if `ex` looks like a check that this is a debug build. */ private predicate isDebugCheck(Expr ex) { exists(Expr subex, string debug | - ( - debug.toLowerCase().matches("%debug%") - or - debug.toLowerCase().matches("%test%") - ) and + debug.toLowerCase().matches(["%debug%", "%test%"]) and subex.getParent*() = ex | subex.(VarAccess).getVariable().getName() = debug diff --git a/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.qhelp b/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.qhelp index d8643923bca..d236556d78b 100644 --- a/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.qhelp +++ b/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.qhelp @@ -6,18 +6,18 @@

The WebView.setWebContentsDebuggingEnabled method enables or disables the contents of any WebView in the application to be debugged.

-

Enabling debugging featues could allow for additional entry points or leaking sensitive information. -As such, debugging should only be anabled during development, and disabled during production builds.

+

Enabling debugging features could allow for additional entry points or leaking sensitive information. +As such, debugging should only be enabled during development, and disabled in production builds.

-

Ensure that debugging features are not enabled during production builds. +

Ensure that debugging features are not enabled in production builds. If WebView.setWebContentsDebuggingEnabled(true) is used, ensure that it is guarded by a flag indicating that this is a debug build.

-

In the code below, the BAD case shows debugging always being enabled, -whereas the GOOD case only enables debugging if the android:debuggable attribute is set to true.

+

In the code below, the BAD case shows WebView debugging always being enabled, +whereas the GOOD case only enables it if the android:debuggable attribute is set to true.
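Review bot: In the `WebviewDubuggingEnabledQuery.qll` hunk, the QLDoc above `isDebugCheck` still reads "looks like a check that this is a debug build", but the predicate also fires on any variable whose lower-cased name contains `test`, so a name such as `latestUrl` satisfies it; consider widening the comment to "debug or test build" and, if the broad `%test%` match is intentional, saying so. The collapse of the two `or`-ed `matches` calls into `debug.toLowerCase().matches(["%debug%", "%test%"])` is behaviour-preserving, since a set literal argument to `matches` holds when either pattern matches. Separately, the file name keeps the misspelling `WebviewDubuggingEnabledQuery` (for "Debugging"); if renaming is out of scope here, a follow-up would be worth tracking.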
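Review bot: In the `WebviewDebuggingEnabled.qhelp` hunk, the new sentence "Enabling debugging features could allow for additional entry points or leaking sensitive information." is not parallel; suggest "could expose additional entry points or leak sensitive information." Since this hunk is already touching the surrounding text, the unchanged context line "enables or disables the contents of any WebView in the application to be debugged" would also read better as "enables or disables debugging of the contents of any WebView in the application." The remaining wording changes (features/enabled spelling fixes, "in production builds", "WebView debugging" in the example description) look correct and match the `android:debuggable` guard the GOOD case describes.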