Merge pull request #5846 from atorralba/atorralba/promote-unsafe-android-webview-fetch

Java: Promote Unsafe resource loading in Android WebView from experimental

java/ql/test/experimental/query-tests/security/CWE-749/UnsafeAndroidAccess.expected

@@ -1,31 +0,0 @@
-edges
-| UnsafeActivity1.java:31:20:31:30 | getIntent(...) : Intent | UnsafeActivity1.java:32:14:32:20 | thisUrl |
-| UnsafeActivity2.java:31:20:31:30 | getIntent(...) : Intent | UnsafeActivity2.java:32:14:32:20 | thisUrl |
-| UnsafeActivity3.java:31:20:31:30 | getIntent(...) : Intent | UnsafeActivity3.java:32:14:32:20 | thisUrl |
-| UnsafeAndroidAccess.java:31:20:31:30 | getIntent(...) : Intent | UnsafeAndroidAccess.java:32:14:32:20 | thisUrl |
-| UnsafeAndroidAccess.java:54:20:54:30 | getIntent(...) : Intent | UnsafeAndroidAccess.java:55:14:55:20 | thisUrl |
-| UnsafeAndroidAccess.java:96:20:96:30 | getIntent(...) : Intent | UnsafeAndroidAccess.java:97:14:97:20 | thisUrl |
-| UnsafeAndroidBroadcastReceiver.java:16:41:16:53 | intent : Intent | UnsafeAndroidBroadcastReceiver.java:32:14:32:20 | thisUrl |
-nodes
-| UnsafeActivity1.java:31:20:31:30 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
-| UnsafeActivity1.java:32:14:32:20 | thisUrl | semmle.label | thisUrl |
-| UnsafeActivity2.java:31:20:31:30 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
-| UnsafeActivity2.java:32:14:32:20 | thisUrl | semmle.label | thisUrl |
-| UnsafeActivity3.java:31:20:31:30 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
-| UnsafeActivity3.java:32:14:32:20 | thisUrl | semmle.label | thisUrl |
-| UnsafeAndroidAccess.java:31:20:31:30 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
-| UnsafeAndroidAccess.java:32:14:32:20 | thisUrl | semmle.label | thisUrl |
-| UnsafeAndroidAccess.java:54:20:54:30 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
-| UnsafeAndroidAccess.java:55:14:55:20 | thisUrl | semmle.label | thisUrl |
-| UnsafeAndroidAccess.java:96:20:96:30 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
-| UnsafeAndroidAccess.java:97:14:97:20 | thisUrl | semmle.label | thisUrl |
-| UnsafeAndroidBroadcastReceiver.java:16:41:16:53 | intent : Intent | semmle.label | intent : Intent |
-| UnsafeAndroidBroadcastReceiver.java:32:14:32:20 | thisUrl | semmle.label | thisUrl |
-#select
-| UnsafeActivity1.java:32:3:32:21 | loadUrl(...) | UnsafeActivity1.java:31:20:31:30 | getIntent(...) : Intent | UnsafeActivity1.java:32:14:32:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeActivity1.java:31:20:31:30 | getIntent(...) | user input vulnerable to cross-origin and sensitive resource disclosure attacks |
-| UnsafeActivity2.java:32:3:32:21 | loadUrl(...) | UnsafeActivity2.java:31:20:31:30 | getIntent(...) : Intent | UnsafeActivity2.java:32:14:32:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeActivity2.java:31:20:31:30 | getIntent(...) | user input vulnerable to cross-origin and sensitive resource disclosure attacks |
-| UnsafeActivity3.java:32:3:32:21 | loadUrl(...) | UnsafeActivity3.java:31:20:31:30 | getIntent(...) : Intent | UnsafeActivity3.java:32:14:32:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeActivity3.java:31:20:31:30 | getIntent(...) | user input vulnerable to cross-origin and sensitive resource disclosure attacks |
-| UnsafeAndroidAccess.java:32:3:32:21 | loadUrl(...) | UnsafeAndroidAccess.java:31:20:31:30 | getIntent(...) : Intent | UnsafeAndroidAccess.java:32:14:32:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeAndroidAccess.java:31:20:31:30 | getIntent(...) | user input vulnerable to cross-origin and sensitive resource disclosure attacks |
-| UnsafeAndroidAccess.java:55:3:55:21 | loadUrl(...) | UnsafeAndroidAccess.java:54:20:54:30 | getIntent(...) : Intent | UnsafeAndroidAccess.java:55:14:55:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeAndroidAccess.java:54:20:54:30 | getIntent(...) | user input vulnerable to cross-origin and sensitive resource disclosure attacks |
-| UnsafeAndroidAccess.java:97:3:97:21 | loadUrl(...) | UnsafeAndroidAccess.java:96:20:96:30 | getIntent(...) : Intent | UnsafeAndroidAccess.java:97:14:97:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeAndroidAccess.java:96:20:96:30 | getIntent(...) | user input vulnerable to XSS attacks |
-| UnsafeAndroidBroadcastReceiver.java:32:3:32:21 | loadUrl(...) | UnsafeAndroidBroadcastReceiver.java:16:41:16:53 | intent : Intent | UnsafeAndroidBroadcastReceiver.java:32:14:32:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeAndroidBroadcastReceiver.java:16:41:16:53 | intent | user input vulnerable to cross-origin and sensitive resource disclosure attacks |

java/ql/test/experimental/query-tests/security/CWE-749/UnsafeAndroidAccess.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-749/UnsafeAndroidAccess.ql

java/ql/test/experimental/query-tests/security/CWE-749/options

@@ -1 +0,0 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0

java/ql/test/query-tests/security/CWE-749/SafeActivity1.java

@@ -9,7 +9,9 @@ import android.webkit.WebView;
 import android.webkit.WebViewClient;
 
 public class SafeActivity1 extends Activity {
-	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
+	// remote user inputs from bundle extras.
+	// The Activity is explicitly not exported, even though it has an intent-filter.
 	public void onCreate(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);
@@ -29,6 +31,6 @@ public class SafeActivity1 extends Activity {
 		});
 
 		String thisUrl = getIntent().getExtras().getString("url");
-		wv.loadUrl(thisUrl);
+		wv.loadUrl(thisUrl); // Safe
 	}
-}
+}

java/ql/test/query-tests/security/CWE-749/SafeActivity2.java

@@ -9,7 +9,9 @@ import android.webkit.WebView;
 import android.webkit.WebViewClient;
 
 public class SafeActivity2 extends Activity {
-	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
+	// remote user inputs from bundle extras.
+	// The Activity is explicitly not exported.
 	public void onCreate(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);
@@ -29,6 +31,6 @@ public class SafeActivity2 extends Activity {
 		});
 
 		String thisUrl = getIntent().getExtras().getString("url");
-		wv.loadUrl(thisUrl);
+		wv.loadUrl(thisUrl); // Safe
 	}
-}
+}

java/ql/test/query-tests/security/CWE-749/SafeActivity3.java

@@ -9,7 +9,9 @@ import android.webkit.WebView;
 import android.webkit.WebViewClient;
 
 public class SafeActivity3 extends Activity {
-	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
+	// remote user inputs from bundle extras.
+	// The Activity is implicitly not exported.
 	public void onCreate(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);
@@ -29,6 +31,6 @@ public class SafeActivity3 extends Activity {
 		});
 
 		String thisUrl = getIntent().getExtras().getString("url");
-		wv.loadUrl(thisUrl);
+		wv.loadUrl(thisUrl); // Safe
 	}
-}
+}

java/ql/test/query-tests/security/CWE-749/UnsafeActivity1.java

@@ -9,7 +9,9 @@ import android.webkit.WebView;
 import android.webkit.WebViewClient;
 
 public class UnsafeActivity1 extends Activity {
-	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
+	// remote user inputs from bundle extras.
+	// The Activity is exported and has an intent-filter.
 	public void onCreate(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);
@@ -29,6 +31,6 @@ public class UnsafeActivity1 extends Activity {
 		});
 
 		String thisUrl = getIntent().getExtras().getString("url");
-		wv.loadUrl(thisUrl);
+		wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
 	}
-}
+}

java/ql/test/query-tests/security/CWE-749/UnsafeActivity2.java

@@ -9,7 +9,9 @@ import android.webkit.WebView;
 import android.webkit.WebViewClient;
 
 public class UnsafeActivity2 extends Activity {
-	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
+	// remote user inputs from bundle extras.
+	// The Activity is implicitly exported because it has an intent-filter.
 	public void onCreate(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);
@@ -29,6 +31,6 @@ public class UnsafeActivity2 extends Activity {
 		});
 
 		String thisUrl = getIntent().getExtras().getString("url");
-		wv.loadUrl(thisUrl);
+		wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
 	}
-}
+}

java/ql/test/query-tests/security/CWE-749/UnsafeActivity3.java

@@ -9,7 +9,9 @@ import android.webkit.WebView;
 import android.webkit.WebViewClient;
 
 public class UnsafeActivity3 extends Activity {
-	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
+	// remote user inputs from bundle extras.
+	// The Activity is explicitly exported.
 	public void onCreate(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);
@@ -29,6 +31,6 @@ public class UnsafeActivity3 extends Activity {
 		});
 
 		String thisUrl = getIntent().getExtras().getString("url");
-		wv.loadUrl(thisUrl);
+		wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
 	}
-}
+}

java/ql/test/query-tests/security/CWE-749/UnsafeActivity4.java

@@ -9,9 +9,15 @@ import android.webkit.WebView;
 import android.webkit.WebViewClient;
 
 public class UnsafeActivity4 extends Activity {
-	/** 
-	 * Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
-     * Note this case of invoking utility method that takes an Activity a then calls `a.getIntent().getStringExtra(...)` is not yet detected thus is beyond what the query is capable of.
+	/*
+	 * Test onCreate with both JavaScript and cross-origin resource access enabled while taking
+	 * remote user inputs from bundle extras.
+	 * 
+	 * The Activity is explicitly exported.
+	 * 
+	 * Note this case of invoking a utility method that takes an Activity and then calls
+	 * `a.getIntent().getStringExtra(...)` is not yet detected thus is beyond what the query is
+	 * capable of.
 	 */
 	public void onCreate(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
@@ -33,6 +39,6 @@ public class UnsafeActivity4 extends Activity {
 
 		String thisUrl = IntentUtils.getIntentUrl(this);
 		thisUrl = IntentUtils.getBundleUrl(this);
-		wv.loadUrl(thisUrl);
+		wv.loadUrl(thisUrl); // $ MISSING: hasUnsafeAndroidAccess
 	}
-}
+}

java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccess.java

@@ -8,8 +8,10 @@ import android.webkit.WebSettings;
 import android.webkit.WebView;
 import android.webkit.WebViewClient;
 
+// The Activity is implicitly exported because it has an intent-filter.
 public class UnsafeAndroidAccess extends Activity {
-	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
+	// remote user inputs from bundle extras
 	public void testOnCreate1(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);
@@ -29,10 +31,11 @@ public class UnsafeAndroidAccess extends Activity {
 		});
 
 		String thisUrl = getIntent().getExtras().getString("url");
-		wv.loadUrl(thisUrl);
+		wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
 	}
 
-	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from string extra
+	// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
+	// remote user inputs from string extra
 	public void testOnCreate2(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);
@@ -52,10 +55,11 @@ public class UnsafeAndroidAccess extends Activity {
 		});
 
 		String thisUrl = getIntent().getStringExtra("url");
-		wv.loadUrl(thisUrl);
+		wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
 	}
 
-	//Test onCreate with both JavaScript and cross-origin resource access disabled by default while taking remote user inputs
+	// Test onCreate with both JavaScript and cross-origin resource access disabled by default while
+	// taking remote user inputs
 	public void testOnCreate3(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);
@@ -72,10 +76,11 @@ public class UnsafeAndroidAccess extends Activity {
 		});
 
 		String thisUrl = getIntent().getStringExtra("url");
-		wv.loadUrl(thisUrl);
+		wv.loadUrl(thisUrl); // Safe
 	}
 
-	//Test onCreate with JavaScript enabled but cross-origin resource access disabled while taking remote user inputs
+	// Test onCreate with JavaScript enabled but cross-origin resource access disabled while taking
+	// remote user inputs
 	public void testOnCreate4(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);
@@ -94,10 +99,11 @@ public class UnsafeAndroidAccess extends Activity {
 		});
 
 		String thisUrl = getIntent().getStringExtra("url");
-		wv.loadUrl(thisUrl);
+		wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
 	}
 
-	//Test onCreate with both JavaScript and cross-origin resource access enabled while not taking remote user inputs
+	// Test onCreate with both JavaScript and cross-origin resource access enabled while not taking
+	// remote user inputs
 	public void testOnCreate5(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);
@@ -116,6 +122,30 @@ public class UnsafeAndroidAccess extends Activity {
 			}
 		});
 
-		wv.loadUrl("https://www.mycorp.com");
+		wv.loadUrl("https://www.mycorp.com"); // Safe
 	}
-}
+
+	// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
+	// remote user inputs and concatenating them to a safe URL.
+	public void testOnCreate6(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(-1);
+
+		WebView wv = (WebView) findViewById(-1);
+		WebSettings webSettings = wv.getSettings();
+
+		webSettings.setJavaScriptEnabled(true);
+		webSettings.setAllowFileAccessFromFileURLs(true);
+
+		wv.setWebViewClient(new WebViewClient() {
+			@Override
+			public boolean shouldOverrideUrlLoading(WebView view, String url) {
+				view.loadUrl(url);
+				return true;
+			}
+		});
+
+		String thisUrl = getIntent().getStringExtra("url");
+		wv.loadUrl("https://www.mycorp.com/" + thisUrl); // Safe
+	}
+}

java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccessTest.ql

@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.security.UnsafeAndroidAccessQuery
+import TestUtilities.InlineExpectationsTest
+
+class UnsafeAndroidAccessTest extends InlineExpectationsTest {
+  UnsafeAndroidAccessTest() { this = "HasUnsafeAndroidAccess" }
+
+  override string getARelevantTag() { result = "hasUnsafeAndroidAccess" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasUnsafeAndroidAccess" and
+    exists(DataFlow::Node src, DataFlow::Node sink, FetchUntrustedResourceConfiguration conf |
+      conf.hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/query-tests/security/CWE-749/UnsafeAndroidBroadcastReceiver.java

@@ -11,7 +11,8 @@ import android.webkit.WebView;
 import android.webkit.WebViewClient;
 
 public class UnsafeAndroidBroadcastReceiver extends BroadcastReceiver {
-	//Test onCreate with JavaScript enabled but cross-origin resource access disabled while taking remote user inputs
+	// Test onCreate with JavaScript enabled but cross-origin resource access disabled while taking
+	// remote user inputs
 	@Override
 	public void onReceive(Context context, Intent intent) {
 		String thisUrl = intent.getStringExtra("url");
@@ -29,6 +30,6 @@ public class UnsafeAndroidBroadcastReceiver extends BroadcastReceiver {
 			}
 		});
 
-		wv.loadUrl(thisUrl);
+		wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
 	}
-}
+}

java/ql/test/query-tests/security/CWE-749/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/android

java/ql/test/stubs/android/android/app/Activity.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2006 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.app;
+
+import android.content.Intent;
+import android.os.Bundle;
+
+public class Activity {
+
+  public void onCreate(Bundle bundle) {
+  }
+
+  public Intent getIntent() {
+    return null;
+  }
+
+  public Object findViewById(int id) {
+    return null;
+  }
+
+  public void setContentView(int view) {
+  }
+
+}

java/ql/test/stubs/android/android/content/BroadcastReceiver.java

@@ -0,0 +1,255 @@
+/*
+ * Copyright (C) 2006 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.content;
+
+import android.os.Bundle;
+/**
+ * Base class for code that will receive intents sent by sendBroadcast().
+ *
+ * <p>If you don't need to send broadcasts across applications, consider using
+ * this class with {@link android.support.v4.content.LocalBroadcastManager} instead
+ * of the more general facilities described below.  This will give you a much
+ * more efficient implementation (no cross-process communication needed) and allow
+ * you to avoid thinking about any security issues related to other applications
+ * being able to receive or send your broadcasts.
+ *
+ * <p>You can either dynamically register an instance of this class with
+ * {@link Context#registerReceiver Context.registerReceiver()}
+ * or statically publish an implementation through the
+ * {@link android.R.styleable#AndroidManifestReceiver &lt;receiver&gt;}
+ * tag in your <code>AndroidManifest.xml</code>.
+ * 
+ * <p><em><strong>Note:</strong></em>
+ * &nbsp;&nbsp;&nbsp;If registering a receiver in your
+ * {@link android.app.Activity#onResume() Activity.onResume()}
+ * implementation, you should unregister it in 
+ * {@link android.app.Activity#onPause() Activity.onPause()}.
+ * (You won't receive intents when paused, 
+ * and this will cut down on unnecessary system overhead). Do not unregister in 
+ * {@link android.app.Activity#onSaveInstanceState(android.os.Bundle) Activity.onSaveInstanceState()},
+ * because this won't be called if the user moves back in the history
+ * stack.
+ * 
+ * <p>There are two major classes of broadcasts that can be received:</p>
+ * <ul>
+ * <li> <b>Normal broadcasts</b> (sent with {@link Context#sendBroadcast(Intent)
+ * Context.sendBroadcast}) are completely asynchronous.  All receivers of the
+ * broadcast are run in an undefined order, often at the same time.  This is
+ * more efficient, but means that receivers cannot use the result or abort
+ * APIs included here.
+ * <li> <b>Ordered broadcasts</b> (sent with {@link Context#sendOrderedBroadcast(Intent, String)
+ * Context.sendOrderedBroadcast}) are delivered to one receiver at a time.
+ * As each receiver executes in turn, it can propagate a result to the next
+ * receiver, or it can completely abort the broadcast so that it won't be passed
+ * to other receivers.  The order receivers run in can be controlled with the
+ * {@link android.R.styleable#AndroidManifestIntentFilter_priority
+ * android:priority} attribute of the matching intent-filter; receivers with
+ * the same priority will be run in an arbitrary order.
+ * </ul>
+ * 
+ * <p>Even in the case of normal broadcasts, the system may in some
+ * situations revert to delivering the broadcast one receiver at a time.  In
+ * particular, for receivers that may require the creation of a process, only
+ * one will be run at a time to avoid overloading the system with new processes.
+ * In this situation, however, the non-ordered semantics hold: these receivers still
+ * cannot return results or abort their broadcast.</p>
+ * 
+ * <p>Note that, although the Intent class is used for sending and receiving
+ * these broadcasts, the Intent broadcast mechanism here is completely separate
+ * from Intents that are used to start Activities with
+ * {@link Context#startActivity Context.startActivity()}.
+ * There is no way for a BroadcastReceiver
+ * to see or capture Intents used with startActivity(); likewise, when
+ * you broadcast an Intent, you will never find or start an Activity.
+ * These two operations are semantically very different: starting an
+ * Activity with an Intent is a foreground operation that modifies what the
+ * user is currently interacting with; broadcasting an Intent is a background
+ * operation that the user is not normally aware of.
+ * 
+ * <p>The BroadcastReceiver class (when launched as a component through
+ * a manifest's {@link android.R.styleable#AndroidManifestReceiver &lt;receiver&gt;}
+ * tag) is an important part of an
+ * <a href="{@docRoot}guide/topics/fundamentals.html#lcycles">application's overall lifecycle</a>.</p>
+ * 
+ * <p>Topics covered here:
+ * <ol>
+ * <li><a href="#Security">Security</a>
+ * <li><a href="#ReceiverLifecycle">Receiver Lifecycle</a>
+ * <li><a href="#ProcessLifecycle">Process Lifecycle</a>
+ * </ol>
+ *
+ * <div class="special reference">
+ * <h3>Developer Guides</h3>
+ * <p>For information about how to use this class to receive and resolve intents, read the
+ * <a href="{@docRoot}guide/topics/intents/intents-filters.html">Intents and Intent Filters</a>
+ * developer guide.</p>
+ * </div>
+ *
+ * <a name="Security"></a>
+ * <h3>Security</h3>
+ *
+ * <p>Receivers used with the {@link Context} APIs are by their nature a
+ * cross-application facility, so you must consider how other applications
+ * may be able to abuse your use of them.  Some things to consider are:
+ *
+ * <ul>
+ * <li><p>The Intent namespace is global.  Make sure that Intent action names and
+ * other strings are written in a namespace you own, or else you may inadvertantly
+ * conflict with other applications.
+ * <li><p>When you use {@link Context#registerReceiver(BroadcastReceiver, IntentFilter)},
+ * <em>any</em> application may send broadcasts to that registered receiver.  You can
+ * control who can send broadcasts to it through permissions described below.
+ * <li><p>When you publish a receiver in your application's manifest and specify
+ * intent-filters for it, any other application can send broadcasts to it regardless
+ * of the filters you specify.  To prevent others from sending to it, make it
+ * unavailable to them with <code>android:exported="false"</code>.
+ * <li><p>When you use {@link Context#sendBroadcast(Intent)} or related methods,
+ * normally any other application can receive these broadcasts.  You can control who
+ * can receive such broadcasts through permissions described below.  Alternatively,
+ * starting with {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH}, you
+ * can also safely restrict the broadcast to a single application with
+ * {@link Intent#setPackage(String) Intent.setPackage}
+ * </ul>
+ *
+ * <p>None of these issues exist when using
+ * {@link android.support.v4.content.LocalBroadcastManager}, since intents
+ * broadcast it never go outside of the current process.
+ *
+ * <p>Access permissions can be enforced by either the sender or receiver
+ * of a broadcast.
+ *
+ * <p>To enforce a permission when sending, you supply a non-null
+ * <var>permission</var> argument to
+ * {@link Context#sendBroadcast(Intent, String)} or
+ * {@link Context#sendOrderedBroadcast(Intent, String, BroadcastReceiver, android.os.Handler, int, String, Bundle)}.
+ * Only receivers who have been granted this permission
+ * (by requesting it with the
+ * {@link android.R.styleable#AndroidManifestUsesPermission &lt;uses-permission&gt;}
+ * tag in their <code>AndroidManifest.xml</code>) will be able to receive
+ * the broadcast.
+ *
+ * <p>To enforce a permission when receiving, you supply a non-null
+ * <var>permission</var> when registering your receiver -- either when calling
+ * {@link Context#registerReceiver(BroadcastReceiver, IntentFilter, String, android.os.Handler)}
+ * or in the static
+ * {@link android.R.styleable#AndroidManifestReceiver &lt;receiver&gt;}
+ * tag in your <code>AndroidManifest.xml</code>.  Only broadcasters who have
+ * been granted this permission (by requesting it with the
+ * {@link android.R.styleable#AndroidManifestUsesPermission &lt;uses-permission&gt;}
+ * tag in their <code>AndroidManifest.xml</code>) will be able to send an
+ * Intent to the receiver.
+ *
+ * <p>See the <a href="{@docRoot}guide/topics/security/security.html">Security and Permissions</a>
+ * document for more information on permissions and security in general.
+ *
+ * <a name="ReceiverLifecycle"></a>
+ * <h3>Receiver Lifecycle</h3>
+ * 
+ * <p>A BroadcastReceiver object is only valid for the duration of the call
+ * to {@link #onReceive}.  Once your code returns from this function,
+ * the system considers the object to be finished and no longer active.
+ * 
+ * <p>This has important repercussions to what you can do in an
+ * {@link #onReceive} implementation: anything that requires asynchronous
+ * operation is not available, because you will need to return from the
+ * function to handle the asynchronous operation, but at that point the
+ * BroadcastReceiver is no longer active and thus the system is free to kill
+ * its process before the asynchronous operation completes.
+ * 
+ * <p>In particular, you may <i>not</i> show a dialog or bind to a service from
+ * within a BroadcastReceiver.  For the former, you should instead use the
+ * {@link android.app.NotificationManager} API.  For the latter, you can
+ * use {@link android.content.Context#startService Context.startService()} to
+ * send a command to the service.
+ *
+ * <a name="ProcessLifecycle"></a>
+ * <h3>Process Lifecycle</h3>
+ * 
+ * <p>A process that is currently executing a BroadcastReceiver (that is,
+ * currently running the code in its {@link #onReceive} method) is
+ * considered to be a foreground process and will be kept running by the
+ * system except under cases of extreme memory pressure.
+ * 
+ * <p>Once you return from onReceive(), the BroadcastReceiver is no longer
+ * active, and its hosting process is only as important as any other application
+ * components that are running in it.  This is especially important because if
+ * that process was only hosting the BroadcastReceiver (a common case for
+ * applications that the user has never or not recently interacted with), then
+ * upon returning from onReceive() the system will consider its process
+ * to be empty and aggressively kill it so that resources are available for other
+ * more important processes.
+ * 
+ * <p>This means that for longer-running operations you will often use
+ * a {@link android.app.Service} in conjunction with a BroadcastReceiver to keep
+ * the containing process active for the entire time of your operation.
+ */
+public abstract class BroadcastReceiver {
+    
+    /**
+     * State for a result that is pending for a broadcast receiver.  Returned
+     * by {@link BroadcastReceiver#goAsync() goAsync()}
+     * while in {@link BroadcastReceiver#onReceive BroadcastReceiver.onReceive()}.
+     * This allows you to return from onReceive() without having the broadcast
+     * terminate; you must call {@link #finish()} once you are done with the
+     * broadcast.  This allows you to process the broadcast off of the main
+     * thread of your app.
+     * 
+     * <p>Note on threading: the state inside of this class is not itself
+     * thread-safe, however you can use it from any thread if you properly
+     * sure that you do not have races.  Typically this means you will hand
+     * the entire object to another thread, which will be solely responsible
+     * for setting any results and finally calling {@link #finish()}.
+     */
+    
+    public BroadcastReceiver() {
+    }
+    /**
+     * This method is called when the BroadcastReceiver is receiving an Intent
+     * broadcast.  During this time you can use the other methods on
+     * BroadcastReceiver to view/modify the current result values.  This method
+     * is always called within the main thread of its process, unless you
+     * explicitly asked for it to be scheduled on a different thread using
+     * {@link android.content.Context#registerReceiver(BroadcastReceiver,
+     * IntentFilter, String, android.os.Handler)}. When it runs on the main
+     * thread you should
+     * never perform long-running operations in it (there is a timeout of
+     * 10 seconds that the system allows before considering the receiver to
+     * be blocked and a candidate to be killed). You cannot launch a popup dialog
+     * in your implementation of onReceive().
+     *
+     * <p><b>If this BroadcastReceiver was launched through a &lt;receiver&gt; tag,
+     * then the object is no longer alive after returning from this
+     * function.</b>  This means you should not perform any operations that
+     * return a result to you asynchronously -- in particular, for interacting
+     * with services, you should use
+     * {@link Context#startService(Intent)} instead of
+     * {@link Context#bindService(Intent, ServiceConnection, int)}.  If you wish
+     * to interact with a service that is already running, you can use
+     * {@link #peekService}.
+     * 
+     * <p>The Intent filters used in {@link android.content.Context#registerReceiver}
+     * and in application manifests are <em>not</em> guaranteed to be exclusive. They
+     * are hints to the operating system about how to find suitable recipients. It is
+     * possible for senders to force delivery to specific recipients, bypassing filter
+     * resolution.  For this reason, {@link #onReceive(Context, Intent) onReceive()}
+     * implementations should respond only to known actions, ignoring any unexpected
+     * Intents that they may receive.
+     * 
+     * @param context The Context in which the receiver is running.
+     * @param intent The Intent being received.
+     */
+    public abstract void onReceive(Context context, Intent intent);
+}

java/ql/test/stubs/android/android/content/Intent.java

@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) 2006 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.content;
+
+import android.net.Uri;
+import android.os.Bundle;
+
+import java.io.PrintWriter;
+import java.net.URISyntaxException;
+import java.util.Set;
+
+public class Intent implements Cloneable {
+
+  public static Intent createChooser(Intent target, CharSequence title) {
+    return null;
+  }
+
+  public Intent() {
+  }
+
+  public Intent(Intent o) {
+  }
+
+  @Override
+  public Object clone() {
+    return null;
+  }
+
+  public Intent(String action) {
+  }
+
+  public Intent(String action, Uri uri) {
+  }
+
+  public Intent(Context packageContext, Class<?> cls) {
+  }
+
+  public Intent(String action, Uri uri, Context packageContext, Class<?> cls) {
+  }
+
+  public static Intent makeMainSelectorActivity(String selectorAction, String selectorCategory) {
+    return null;
+  }
+
+  public static Intent getIntent(String uri) throws URISyntaxException {
+    return null;
+  }
+
+  public static Intent getIntentOld(String uri) throws URISyntaxException {
+    return null;
+  }
+
+  public static void printIntentArgsHelp(PrintWriter pw, String prefix) {
+  }
+
+  public boolean hasCategory(String category) {
+    return false;
+  }
+
+  public Set<String> getCategories() {
+    return null;
+  }
+
+  public int getContentUserHint() {
+    return 0;
+  }
+
+  public String getLaunchToken() {
+    return null;
+  }
+
+  public void setLaunchToken(String launchToken) {
+  }
+
+  public boolean hasExtra(String name) {
+    return false;
+  }
+
+  public boolean hasFileDescriptors() {
+    return false;
+  }
+
+  public void setAllowFds(boolean allowFds) {
+  }
+
+  public void setDefusable(boolean defusable) {
+  }
+
+  public Object getExtra(String name) {
+    return null;
+  }
+
+  public boolean getBooleanExtra(String name, boolean defaultValue) {
+    return false;
+  }
+
+  public byte getByteExtra(String name, byte defaultValue) {
+    return 0;
+  }
+
+  public short getShortExtra(String name, short defaultValue) {
+    return 0;
+  }
+
+  public char getCharExtra(String name, char defaultValue) {
+    return '0';
+  }
+
+  public int getIntExtra(String name, int defaultValue) {
+    return 0;
+  }
+
+  public long getLongExtra(String name, long defaultValue) {
+    return 0;
+  }
+
+  public float getFloatExtra(String name, float defaultValue) {
+    return 0;
+  }
+
+  public double getDoubleExtra(String name, double defaultValue) {
+    return 0;
+  }
+
+  public String getStringExtra(String string) {
+    return null;
+  }
+
+  public void removeUnsafeExtras() {
+  }
+
+  public boolean canStripForHistory() {
+    return false;
+  }
+
+  public Intent maybeStripForHistory() {
+    return null;
+  }
+
+  public boolean isExcludingStopped() {
+    return false;
+  }
+
+  public void removeCategory(String category) {
+  }
+
+  public void prepareToLeaveUser(int userId) {
+  }
+
+  public boolean filterEquals(Intent other) {
+    return false;
+  }
+
+  public int filterHashCode() {
+    return 0;
+  }
+
+  @Override
+  public String toString() {
+    return null;
+  }
+
+  public String toInsecureString() {
+    return null;
+  }
+
+  public String toInsecureStringWithClip() {
+    return null;
+  }
+
+  public String toShortString(boolean secure, boolean comp, boolean extras, boolean clip) {
+    return null;
+  }
+
+  public void toShortString(StringBuilder b, boolean secure, boolean comp, boolean extras, boolean clip) {
+  }
+
+  public Bundle getExtras() {
+    return null;
+  }
+
+}

java/ql/test/stubs/android/android/os/Bundle.java

@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2007 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.os;
+
+public final class Bundle {
+  public Bundle() {
+  }
+
+  public Bundle(ClassLoader loader) {
+  }
+
+  public Bundle(int capacity) {
+  }
+
+  public Bundle(Bundle b) {
+  }
+
+  public static Bundle forPair(String key, String value) {
+    return null;
+  }
+
+  public boolean setAllowFds(boolean allowFds) {
+    return false;
+  }
+
+  public void setDefusable(boolean defusable) {
+  }
+
+  public static Bundle setDefusable(Bundle bundle, boolean defusable) {
+    return null;
+  }
+
+  @Override
+  public Object clone() {
+    return null;
+  }
+
+  public Bundle deepCopy() {
+    return null;
+  }
+
+  public void remove(String key) {
+  }
+
+  public void putAll(Bundle bundle) {
+  }
+
+  public int getSize() {
+    return 0;
+  }
+
+  public boolean hasFileDescriptors() {
+    return false;
+  }
+
+  public Bundle filterValues() {
+    return null;
+  }
+
+  @Override
+  public synchronized String toString() {
+    return null;
+  }
+
+  public synchronized String toShortString() {
+    return null;
+  }
+
+  public String getString(String string) {
+    return null;
+  }
+
+}

java/ql/test/stubs/android/android/util/AttributeSet.java

@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2006 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.util;
+
+public interface AttributeSet {
+    public int getAttributeCount();
+
+    default String getAttributeNamespace (int index) {
+      return null;
+    }
+
+    public String getAttributeName(int index);
+
+    public String getAttributeValue(int index);
+
+    public String getAttributeValue(String namespace, String name);
+
+    public String getPositionDescription();
+
+    public int getAttributeNameResource(int index);
+
+    public int getAttributeListValue(String namespace, String attribute,
+                                     String[] options, int defaultValue);
+
+    public boolean getAttributeBooleanValue(String namespace, String attribute,
+                                            boolean defaultValue);
+
+    public int getAttributeResourceValue(String namespace, String attribute,
+                                         int defaultValue);
+
+    public int getAttributeIntValue(String namespace, String attribute,
+                                    int defaultValue);
+
+    public int getAttributeUnsignedIntValue(String namespace, String attribute,
+                                            int defaultValue);
+
+    public float getAttributeFloatValue(String namespace, String attribute,
+                                        float defaultValue);
+
+    public int getAttributeListValue(int index, String[] options, int defaultValue);
+
+    public boolean getAttributeBooleanValue(int index, boolean defaultValue);
+
+    public int getAttributeResourceValue(int index, int defaultValue);
+
+    public int getAttributeIntValue(int index, int defaultValue);
+
+    public int getAttributeUnsignedIntValue(int index, int defaultValue);
+
+    public float getAttributeFloatValue(int index, float defaultValue);
+
+    public String getIdAttribute();
+
+    public String getClassAttribute();
+
+    public int getIdAttributeResourceValue(int defaultValue);
+
+    public int getStyleAttribute();
+
+}

java/ql/test/stubs/android/android/webkit/WebSettings.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2007 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.webkit;
+
+// create a class derived from this, and return an instance of it in the
+// WebViewProvider.getWebSettingsProvider() method implementation.
+public abstract class WebSettings {
+
+  public @interface CacheMode {
+  }
+
+  public void setJavaScriptEnabled(boolean b) {
+  }
+
+  public void setAllowUniversalAccessFromFileURLs(boolean b) {
+  }
+
+  public void setAllowFileAccessFromFileURLs(boolean b) {
+  }
+}

java/ql/test/stubs/android/android/webkit/WebView.java

@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) 2008 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.webkit;
+
+import android.content.Context;
+import android.util.AttributeSet;
+
+public class WebView {
+  public WebView(Context context) {
+  }
+
+  public WebView(Context context, AttributeSet attrs) {
+  }
+
+  public WebView(Context context, AttributeSet attrs, int defStyle) {
+  }
+
+  public void setHorizontalScrollbarOverlay(boolean overlay) {
+  }
+
+  public void setVerticalScrollbarOverlay(boolean overlay) {
+  }
+
+  public boolean overlayHorizontalScrollbar() {
+    return false;
+  }
+
+  public boolean overlayVerticalScrollbar() {
+    return false;
+  }
+
+  public void savePassword(String host, String username, String password) {
+  }
+
+  public void setHttpAuthUsernamePassword(String host, String realm, String username, String password) {
+  }
+
+  public String[] getHttpAuthUsernamePassword(String host, String realm) {
+    return null;
+  }
+
+  public void destroy() {
+  }
+
+  public static void enablePlatformNotifications() {
+  }
+
+  public static void disablePlatformNotifications() {
+  }
+
+  public void loadUrl(String url) {
+  }
+
+  public void loadData(String data, String mimeType, String encoding) {
+  }
+
+  public void loadDataWithBaseURL(String baseUrl, String data, String mimeType, String encoding, String failUrl) {
+  }
+
+  public void stopLoading() {
+  }
+
+  public void reload() {
+  }
+
+  public boolean canGoBack() {
+    return false;
+  }
+
+  public void goBack() {
+  }
+
+  public boolean canGoForward() {
+    return false;
+  }
+
+  public void goForward() {
+  }
+
+  public boolean canGoBackOrForward(int steps) {
+    return false;
+  }
+
+  public void goBackOrForward(int steps) {
+  }
+
+  public boolean pageUp(boolean top) {
+    return false;
+  }
+
+  public boolean pageDown(boolean bottom) {
+    return false;
+  }
+
+  public void clearView() {
+  }
+
+  public float getScale() {
+    return 0;
+  }
+
+  public void setInitialScale(int scaleInPercent) {
+  }
+
+  public void invokeZoomPicker() {
+  }
+
+  public String getUrl() {
+    return null;
+  }
+
+  public String getTitle() {
+    return null;
+  }
+
+  public int getProgress() {
+    return 0;
+  }
+
+  public int getContentHeight() {
+    return 0;
+  }
+
+  public void pauseTimers() {
+  }
+
+  public void resumeTimers() {
+  }
+
+  public void clearCache() {
+  }
+
+  public void clearFormData() {
+  }
+
+  public void clearHistory() {
+  }
+
+  public void clearSslPreferences() {
+  }
+
+  public static String findAddress(String addr) {
+    return null;
+  }
+
+  public void addJavascriptInterface(Object obj, String interfaceName) {
+  }
+
+  public boolean zoomIn() {
+    return false;
+  }
+
+  public boolean zoomOut() {
+    return false;
+  }
+
+  public WebSettings getSettings() {
+    return null;
+  }
+
+  public void setWebViewClient(WebViewClient webViewClient) {
+  }
+
+}

java/ql/test/stubs/android/android/webkit/WebViewClient.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2008 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.webkit;
+
+public class WebViewClient {
+  public boolean shouldOverrideUrlLoading(WebView view, String url) {
+    return false;
+  }
+
+  public void onPageFinished(WebView view, String url) {
+  }
+
+  public void onLoadResource(WebView view, String url) {
+  }
+
+  public void onPageCommitVisible(WebView view, String url) {
+  }
+
+  public void onReceivedError(WebView view, int errorCode, String description, String failingUrl) {
+  }
+
+  public void onScaleChanged(WebView view, float oldScale, float newScale) {
+  }
+
+}

java/ql/test/stubs/android/com/android/internal/R.java

@@ -0,0 +1,13 @@
+package com.android.internal;
+
+public class R {
+
+    public static class id {
+        public static int my_webview;
+    }
+
+    public static class layout {
+        public static int webview;
+    }
+
+}