Remove unnecessary taint step and update qldoc

java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll

@@ -20,7 +20,7 @@ class WebResourceResponse extends RefType {
   WebResourceResponse() { this.hasQualifiedName("android.webkit", "WebResourceResponse") }
 }
 
-/** The `shouldInterceptRequest` method of Android's `WebViewClient` class. */
+/** The `shouldInterceptRequest` method of a class implementing `WebViewClient`. */
 class ShouldInterceptRequestMethod extends Method {
   ShouldInterceptRequestMethod() {
     this.hasName("shouldInterceptRequest") and
@@ -28,7 +28,7 @@ class ShouldInterceptRequestMethod extends Method {
   }
 }
 
-/** A method call to `setWebViewClient` of `WebView`. */
+/** A method call to `WebView.setWebViewClient`. */
 class SetWebViewClientMethodAccess extends MethodAccess {
   SetWebViewClientMethodAccess() {
     this.getMethod().hasName("setWebViewClient") and
@@ -75,7 +75,6 @@ private class LoadUrlSummaries extends SummaryModelCsv {
     row =
       [
         "java.io;FileInputStream;true;FileInputStream;;;Argument[0];Argument[-1];taint",
-        "android.net;Uri;false;getPath;;;Argument[0];ReturnValue;taint",
         "android.webkit;WebResourceRequest;false;getUrl;;;Argument[-1];ReturnValue;taint"
       ]
   }

java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.qhelp

@@ -5,7 +5,7 @@
 <overview>
 <p>Android provides a <code>WebResourceResponse</code> class, which allows an Android application to behave
 as a web server by handling requests of popular protocols such as <code>http(s)</code>, <code>file</code>,
-as well as <code>javascript</code>; and returning a response (including status code, content type, content
+as well as <code>javascript</code> and returning a response (including status code, content type, content
 encoding, headers and the response body). Improper implementation with insufficient input validation can lead
 to leakage of sensitive configuration files or user data because requests could refer to paths intended to be
 application-private.

java/ql/src/experimental/semmle/code/java/PathSanitizer.qll

@@ -21,12 +21,12 @@ private class ExactStringPathMatchGuard extends PathTraversalBarrierGuard instan
 }
 
 /**
- * Returns the qualifier of a method call if it's a variable access, or the qualifier of the qualifier
+ * Given input `e` = `v.method1(...).method2(...)...`, returns `v` where `v` is a `VarAccess`.
- * if the qualifier itself is a method call, which helps to reduce FPs by handling scenarios such as
+ *
- * `!uri.getPath().contains("..")`.
+ * This is used to look through field accessors such as `uri.getPath()`.
  */
-private Expr getRealQualifier(Expr e) {
+private Expr getUnderlyingVarAccess(Expr e) {
-  result = getRealQualifier(e.(MethodAccess).getQualifier())
+  result = getUnderlyingVarAccess(e.(MethodAccess).getQualifier())
   or
   result = e.(VarAccess)
 }
@@ -37,7 +37,7 @@ private class AllowListGuard extends Guard instanceof MethodAccess {
     not isDisallowedWord(super.getAnArgument())
   }
 
-  Expr getCheckedExpr() { result = getRealQualifier(super.getQualifier()) }
+  Expr getCheckedExpr() { result = getUnderlyingVarAccess(super.getQualifier()) }
 }
 
 /**
@@ -84,7 +84,7 @@ private class BlockListGuard extends Guard instanceof MethodAccess {
     isDisallowedWord(super.getAnArgument())
   }
 
-  Expr getCheckedExpr() { result = getRealQualifier(super.getQualifier()) }
+  Expr getCheckedExpr() { result = getUnderlyingVarAccess(super.getQualifier()) }
 }
 
 /**
@@ -155,7 +155,7 @@ class PathTraversalGuard extends Guard instanceof MethodAccess {
     super.getAnArgument().(CompileTimeConstantExpr).getStringValue() = ".."
   }
 
-  Expr getCheckedExpr() { result = getRealQualifier(super.getQualifier()) }
+  Expr getCheckedExpr() { result = getUnderlyingVarAccess(super.getQualifier()) }
 }
 
 /** A complementary sanitizer that protects against path traversal using path normalization. */