hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-22 23:35:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Add support for Kotlin's apply to java/android/unsafe-android-webview-fetch

Browse Source
This commit is contained in:
Tony Torralba
2023-07-10 17:21:56 +02:00
parent 16529cdd18
commit ce600367df
3 changed files with 27 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
java/ql/lib/ext/android.webkit.model.yml
View File

@@ -3,13 +3,13 @@ extensions:
pack: codeql/java-all
extensible: sourceModel
data:
- ["android.webkit", "WebView", False, "getOriginalUrl", "()", "", "ReturnValue", "remote", "manual"]
- ["android.webkit", "WebView", False, "getUrl", "()", "", "ReturnValue", "remote", "manual"]
- ["android.webkit", "WebView", True, "getOriginalUrl", "()", "", "ReturnValue", "remote", "manual"]
- ["android.webkit", "WebView", True, "getUrl", "()", "", "ReturnValue", "remote", "manual"]
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
# Models representing methods susceptible to XSS attacks.
- ["android.webkit", "WebView", False, "evaluateJavascript", "", "", "Argument[0]", "js-injection", "manual"]
- ["android.webkit", "WebView", False, "loadData", "", "", "Argument[0]", "html-injection", "manual"]
- ["android.webkit", "WebView", False, "loadDataWithBaseURL", "", "", "Argument[1]", "html-injection", "manual"]
- ["android.webkit", "WebView", True, "evaluateJavascript", "", "", "Argument[0]", "js-injection", "manual"]
- ["android.webkit", "WebView", True, "loadData", "", "", "Argument[0]", "html-injection", "manual"]
- ["android.webkit", "WebView", True, "loadDataWithBaseURL", "", "", "Argument[1]", "html-injection", "manual"]

19
java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll
View File

@@ -5,6 +5,7 @@
import java
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.frameworks.android.WebView
private import semmle.code.java.frameworks.kotlin.Kotlin
/**
* A sink that represents a method that fetches a web resource in Android.
@@ -62,10 +63,26 @@ private class WebViewRef extends Element {
t.isOwnInstanceAccess() or t.getInstanceAccess().isEnclosingInstanceAccess(this)
)
or
result = DataFlow::exprNode(this.(Variable).getAnAccess())
exists(Variable v | result.asExpr() = v.getAnAccess() |
v = this
or
applyReceiverVariable(this, v)
)
}
}
/**
* Holds if `p` is the lambda parameter that holds the receiver of an `apply` expression in Kotlin,
* and `v` is the variable of the receiver in the outer scope.
*/
private predicate applyReceiverVariable(Parameter p, Variable v) {
exists(LambdaExpr lambda, KotlinApply apply |
p.getCallable() = lambda.asMethod() and
lambda = apply.getLambdaArg() and
v = apply.getReceiver().(VarAccess).getVariable()
)
}
/**
* Holds if a `WebViewLoadUrlMethod` is called on an access of `webview`
* with `urlArg` as its first argument.

4
java/ql/src/change-notes/2023-07-10-unsafe-android-access-apply.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The query "Unsafe resource fetching in Android WebView" (`java/android/unsafe-android-webview-fetch`) now recognizes WebViews where `setJavascriptEnabled`, `setAllowFileAccess`, `setAllowUniversalAccessFromFileURLs`, and/or `setAllowFileAccessFromFileURLs` are set inside the function block of the Kotlin `apply` function.