Fix typos

Joe Farebrother
2022-06-29 13:57:51 +01:00
parent 03c2a0e818
commit abf894a64c
4 changed files with 5 additions and 5 deletions


@@ -1,4 +1,4 @@
/** Defintions for the web view certificate validation query */
/** Definitions for the web view certificate validation query */
import java
@@ -28,7 +28,7 @@ private class SslProceedCall extends MethodAccess {
}
}
/** Holds if `m` trusts all certifiates by calling `SslErrorHandler.proceed` unconditionally. */
/** Holds if `m` trusts all certificates by calling `SslErrorHandler.proceed` unconditionally. */
predicate trustsAllCerts(OnReceivedSslErrorMethod m) {
exists(SslProceedCall pr | pr.getQualifier().(VarAccess).getVariable() = m.handlerArg()) and
not exists(SslCancelCall ca | ca.getQualifier().(VarAccess).getVariable() = m.handlerArg())
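Review bot: The doc comment on `trustsAllCerts` says "unconditionally", but the two conjuncts visible in this hunk only require that some `SslProceedCall` is made on `m.handlerArg()` and that no `SslCancelCall` is; nothing shown here looks at control flow. As far as these lines go, a handler that calls `proceed` inside a condition and never calls `cancel` would also satisfy the predicate. Since the comment is being edited anyway, consider wording it to match what is checked, for example "Holds if `m` calls `SslErrorHandler.proceed` on its handler argument and never calls `cancel` on it", or note the approximation explicitly.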


@@ -24,7 +24,7 @@ An attack might look like this:
<recommendation>
<p>
Do not use a call <code>SslerrorHandler.proceed</code> unconditonally.
Do not use a call <code>SslerrorHandler.proceed</code> unconditionally.
If you have to use a self-signed certificate, only accept that certificate, not all certificates.
</p>
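Review bot: The corrected `<recommendation>` line still spells the class `SslerrorHandler`, while the QL doc comment in this same commit writes `SslErrorHandler.proceed`; the lowercase "e" should be fixed in the same pass. The phrase "Do not use a call" also reads awkwardly. Suggest "Do not call <code>SslErrorHandler.proceed</code> unconditionally."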


@@ -1,5 +1,5 @@
/**
* @name Android `WebVeiw` that accepts all certificates
* @name Android `WebView` that accepts all certificates
* @description Trusting all certificates allows an attacker to perform a machine-in-the-middle attack.
* @kind problem
* @problem.severity error


@@ -1,4 +1,4 @@
---
category: newQuery
---
* A new query "Android `WebVeiw` that accepts all certificates" (`java/improper-webview-certificate-validation`) has been added. This query finds implementations of `WebViewClient`s that accept all certificates in the case of an SSL error.
* A new query "Android `WebView` that accepts all certificates" (`java/improper-webview-certificate-validation`) has been added. This query finds implementations of `WebViewClient`s that accept all certificates in the case of an SSL error.