Merge pull request #28 from egregius313/egregisu313/webview-setAllowC…

…ontentAccess-single-query

Merge `setAllowContentAccess` queries into singular query

java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsPermitsContentAccess.ql

@@ -94,7 +94,19 @@ class WebViewDisallowContentAccessConfiguration extends TaintTracking::Configura
   }
 }
 
-from WebViewSource source
-where not any(WebViewDisallowContentAccessConfiguration cfg).hasFlow(source, _)
-select source,
+from Expr e
+where
+  // explicit: setAllowContentAccess(true)
+  exists(MethodAccess ma |
+    ma = e and
+    ma.getMethod() instanceof AllowContentAccessMethod and
+    ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true
+  )
+  or
+  // implicit: no setAllowContentAccess(false)
+  exists(WebViewSource source |
+    source.asExpr() = e and
+    not any(WebViewDisallowContentAccessConfiguration cfg).hasFlow(source, _)
+  )
+select e,
   "Sensitive information may be exposed via a malicious link due to access of content:// links being permitted."

java/ql/src/change-notes/2022-12-21-android-allowcontentaccess-query.md

@@ -1,4 +1,4 @@
 ---
 category: newQuery
 ---
-* Added a new query `java/android/websettings-content-access` to detect Android WebViews which do not disable access to `content://` urls.
+* Added a new query `java/android/websettings-permit-contentacces` to detect Android WebViews which do not disable access to `content://` urls.

java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.expected

@@ -1,5 +1,10 @@
 | WebViewContentAccess.java:15:9:15:57 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
 | WebViewContentAccess.java:38:9:38:55 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:41:25:41:49 | (...)... | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
 | WebViewContentAccess.java:43:9:43:44 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:46:25:46:41 | new WebView(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
 | WebViewContentAccess.java:48:9:48:44 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:51:25:51:44 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
 | WebViewContentAccess.java:53:9:53:44 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:55:29:55:48 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:57:25:57:44 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |

java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.qlref

@@ -1 +1 @@
-Security/CWE/CWE-200/AndroidWebViewSettingsContentAccess.ql
+Security/CWE/CWE-200/AndroidWebViewSettingsPermitsContentAccess.ql