Split Android XSS sink defintions out of XSS.qll

This removes one of the routes by which XSS.qll is always in scope, and so its dataflow configuration is too -- however it is still always in scope because JaxWS.qll imports it.
2025-12-24 04:36:35 +01:00 · 2021-07-01 17:40:25 +01:00
parent 747a8e4157
commit e661fc08d3
3 changed files with 17 additions and 13 deletions
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -77,6 +77,7 @@ private import FlowSummary
 */
 private module Frameworks {
  private import internal.ContainerFlow
+  private import semmle.code.java.frameworks.android.XssSinks
  private import semmle.code.java.frameworks.ApacheHttp
  private import semmle.code.java.frameworks.apache.Collections
  private import semmle.code.java.frameworks.apache.Lang
@@ -92,7 +93,6 @@ private module Frameworks {
  private import semmle.code.java.security.ResponseSplitting
  private import semmle.code.java.security.InformationLeak
  private import semmle.code.java.security.JexlInjectionSinkModels
-  private import semmle.code.java.security.XSS
  private import semmle.code.java.security.LdapInjection
  private import semmle.code.java.security.XPath
  private import semmle.code.java.frameworks.android.SQLite
--- a/java/ql/src/semmle/code/java/frameworks/android/XssSinks.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/XssSinks.qll
@@ -0,0 +1,16 @@
+/** Provides XSS sink models relating to the `android.webkit.WebView` class. */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+/** CSV sink models representing methods susceptible to XSS attacks. */
+private class DefaultXssSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "android.webkit;WebView;false;loadData;;;Argument[0];xss",
+        "android.webkit;WebView;false;loadUrl;;;Argument[0];xss",
+        "android.webkit;WebView;false;loadDataWithBaseURL;;;Argument[1];xss"
+      ]
+  }
+}
--- a/java/ql/src/semmle/code/java/security/XSS.qll
+++ b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -29,18 +29,6 @@ class XssAdditionalTaintStep extends Unit {
  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }

-/** CSV sink models representing methods susceptible to XSS attacks. */
-private class DefaultXssSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "android.webkit;WebView;false;loadData;;;Argument[0];xss",
-        "android.webkit;WebView;false;loadUrl;;;Argument[0];xss",
-        "android.webkit;WebView;false;loadDataWithBaseURL;;;Argument[1];xss"
-      ]
-  }
-}
-
 /** A default sink representing methods susceptible to XSS attacks. */
 private class DefaultXssSink extends XssSink {
  DefaultXssSink() {