Move things around

atorralba · atorralba · commit b678467e9dff · 2022-05-04T10:53:30.000+02:00
diff --git a/java/ql/lib/semmle/code/java/frameworks/android/WebView.qll b/java/ql/lib/semmle/code/java/frameworks/android/WebView.qll
@@ -77,35 +77,6 @@ class ShouldOverrideUrlLoading extends Method {
   }
 }
 
-/**
- * Holds if `webview` is a `WebView` and its option `setJavascriptEnabled`
- * has been set to `true` via a `WebSettings` object obtained from it.
- */
-predicate isJSEnabled(DataFlow::Node webview) {
-  webview.getType().(RefType).getASupertype*() instanceof TypeWebView and
-  exists(MethodAccess allowJs, MethodAccess settings |
-    allowJs.getMethod() instanceof AllowJavaScriptMethod and
-    allowJs.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true and
-    settings.getMethod() instanceof WebViewGetSettingsMethod and
-    DataFlow::localExprFlow(settings, allowJs.getQualifier()) and
-    DataFlow::localFlow(webview, DataFlow::getInstanceArgument(settings))
-  )
-}
-
-/**
- * Holds if `webview` is a `WebView` and its options `setAllowUniversalAccessFromFileURLs` or
- * `setAllowFileAccessFromFileURLs` have been set to `true`.
- */
-predicate isAllowFileAccessEnabled(DataFlow::Node webview) {
-  exists(MethodAccess allowFileAccess, MethodAccess settings |
-    allowFileAccess.getMethod() instanceof CrossOriginAccessMethod and
-    allowFileAccess.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true and
-    settings.getMethod() instanceof WebViewGetSettingsMethod and
-    DataFlow::localExprFlow(settings, allowFileAccess.getQualifier()) and
-    DataFlow::localFlow(webview, DataFlow::getInstanceArgument(settings))
-  )
-}
-
 private class WebkitSourceModels extends SourceModelCsv {
   override predicate row(string row) {
     row =
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll
@@ -43,8 +43,8 @@ private class CrossOriginUrlResourceSink extends JavaScriptEnabledUrlResourceSin
 private class JavaScriptEnabledUrlResourceSink extends UrlResourceSink {
   JavaScriptEnabledUrlResourceSink() {
     exists(WebViewRef webview |
-      isJSEnabled(webview.getAnAccess()) and
-      webViewLoadUrl(this.asExpr(), webview.getAnAccess())
+      webViewLoadUrl(this.asExpr(), webview.getAnAccess()) and
+      isJSEnabled(webview.getAnAccess())
     )
   }
 
@@ -102,6 +102,35 @@ private predicate webViewLoadUrl(Argument urlArg, DataFlow::Node webview) {
   )
 }
 
+/**
+ * Holds if `webview` is a `WebView` and its option `setJavascriptEnabled`
+ * has been set to `true` via a `WebSettings` object obtained from it.
+ */
+private predicate isJSEnabled(DataFlow::Node webview) {
+  webview.getType().(RefType).getASupertype*() instanceof TypeWebView and
+  exists(MethodAccess allowJs, MethodAccess settings |
+    allowJs.getMethod() instanceof AllowJavaScriptMethod and
+    allowJs.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true and
+    settings.getMethod() instanceof WebViewGetSettingsMethod and
+    DataFlow::localExprFlow(settings, allowJs.getQualifier()) and
+    DataFlow::localFlow(webview, DataFlow::getInstanceArgument(settings))
+  )
+}
+
+/**
+ * Holds if `webview` is a `WebView` and its options `setAllowUniversalAccessFromFileURLs` or
+ * `setAllowFileAccessFromFileURLs` have been set to `true`.
+ */
+private predicate isAllowFileAccessEnabled(DataFlow::Node webview) {
+  exists(MethodAccess allowFileAccess, MethodAccess settings |
+    allowFileAccess.getMethod() instanceof CrossOriginAccessMethod and
+    allowFileAccess.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true and
+    settings.getMethod() instanceof WebViewGetSettingsMethod and
+    DataFlow::localExprFlow(settings, allowFileAccess.getQualifier()) and
+    DataFlow::localFlow(webview, DataFlow::getInstanceArgument(settings))
+  )
+}
+
 /** A method of the class `WebViewClient` that handles an event. */
 private class WebViewClientEventMethod extends Method {
   WebViewClientEventMethod() {
