From e661fc08d381e022ba53117cba5f82d3baf1ce08 Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Thu, 1 Jul 2021 17:40:25 +0100
Subject: [PATCH] Split Android XSS sink defintions out of XSS.qll

This removes one of the routes by which XSS.qll is always in scope, and so its dataflow configuration is too -- however it is still always in scope because JaxWS.qll imports it.
---
 .../semmle/code/java/dataflow/ExternalFlow.qll | 2 +-
 .../code/java/frameworks/android/XssSinks.qll | 16 ++++++++++++++++
 java/ql/src/semmle/code/java/security/XSS.qll | 12 ------------
 3 files changed, 17 insertions(+), 13 deletions(-)
 create mode 100644 java/ql/src/semmle/code/java/frameworks/android/XssSinks.qll

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 27deb63f731..d078328e4c0 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -77,6 +77,7 @@ private import FlowSummary
 */
 private module Frameworks {
 private import internal.ContainerFlow
+ private import semmle.code.java.frameworks.android.XssSinks
 private import semmle.code.java.frameworks.ApacheHttp
 private import semmle.code.java.frameworks.apache.Collections
 private import semmle.code.java.frameworks.apache.Lang
@@ -92,7 +93,6 @@ private module Frameworks {
 private import semmle.code.java.security.ResponseSplitting
 private import semmle.code.java.security.InformationLeak
 private import semmle.code.java.security.JexlInjectionSinkModels
- private import semmle.code.java.security.XSS
 private import semmle.code.java.security.LdapInjection
 private import semmle.code.java.security.XPath
 private import semmle.code.java.frameworks.android.SQLite
diff --git a/java/ql/src/semmle/code/java/frameworks/android/XssSinks.qll b/java/ql/src/semmle/code/java/frameworks/android/XssSinks.qll
new file mode 100644
index 00000000000..720e936b844
--- /dev/null
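Review bot: The new `private import semmle.code.java.frameworks.android.XssSinks` line is placed between `internal.ContainerFlow` and `frameworks.ApacheHttp`, while the module's only other Android model import, `semmle.code.java.frameworks.android.SQLite`, sits at the end of the list in the second hunk; keeping the two `frameworks.android.*` imports adjacent would make it easier to see at a glance which Android models ExternalFlow pulls in. The list is not otherwise sorted, so this is a grouping preference rather than a convention violation. The enclosing `private module Frameworks` continues past both hunks.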
+++ b/java/ql/src/semmle/code/java/frameworks/android/XssSinks.qll
@@ -0,0 +1,16 @@
+/** Provides XSS sink models relating to the `android.webkit.WebView` class. */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+/** CSV sink models representing methods susceptible to XSS attacks. */
+private class DefaultXssSinkModel extends SinkModelCsv {
+ override predicate row(string row) {
+ row =
+ [
+ "android.webkit;WebView;false;loadData;;;Argument[0];xss",
+ "android.webkit;WebView;false;loadUrl;;;Argument[0];xss",
+ "android.webkit;WebView;false;loadDataWithBaseURL;;;Argument[1];xss"
+ ]
+ }
+}
diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
index 14f10cad9c8..9e27e9186b0 100644
--- a/java/ql/src/semmle/code/java/security/XSS.qll
+++ b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -29,18 +29,6 @@ class XssAdditionalTaintStep extends Unit {
 abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }
 
-/** CSV sink models representing methods susceptible to XSS attacks. */
-private class DefaultXssSinkModel extends SinkModelCsv {
- override predicate row(string row) {
- row =
- [
- "android.webkit;WebView;false;loadData;;;Argument[0];xss",
- "android.webkit;WebView;false;loadUrl;;;Argument[0];xss",
- "android.webkit;WebView;false;loadDataWithBaseURL;;;Argument[1];xss"
- ]
- }
-}
- 
 /** A default sink representing methods susceptible to XSS attacks. */
 private class DefaultXssSink extends XssSink {
 DefaultXssSink() {
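Review bot: The class comment `/** CSV sink models representing methods susceptible to XSS attacks. */` on `DefaultXssSinkModel` was carried over unchanged from XSS.qll and no longer says anything specific to this WebView-only file, even though the three rows are not uniform: `loadData` and `loadUrl` are modelled on `Argument[0]`, while `loadDataWithBaseURL` is modelled on `Argument[1]` (the data parameter, not the base URL that the Android API takes first). A reader has to cross-reference the WebView signatures to see that the rows consistently target the content being loaded, so the comment should say so, e.g. `/** CSV sink models for android.webkit.WebView: the data argument of loadData and loadDataWithBaseURL (argument 1, not the base URL) and the URL argument of loadUrl, all tagged with the xss sink kind. */`. The empty signature column in each row presumably means every overload of these methods is covered; a short note confirming that is intended would save the next maintainer a lookup in ExternalFlow.qll.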