Address improper URL authorization

luchua-bc · luchua-bc · commit b7f2d32fb0a3 · 2020-04-08T22:41:11.000-04:00
diff --git a/java/ql/src/experimental/CWE-939/IncorrectURLVerification.java b/java/ql/src/experimental/CWE-939/IncorrectURLVerification.java
@@ -1,17 +1,17 @@
 public boolean shouldOverrideUrlLoading(WebView view, String url) {
-	{
-		Uri uri = Uri.parse(url);
-		// BAD: partial domain match, which allows an attacker to register a domain like myexample.com to circumvent the verification
-		if (uri.getHost() != null && uri.getHost().endsWith("example.com")) {
-			return false;
-		}
-	}
+    {
+        Uri uri = Uri.parse(url);
+        // BAD: partial domain match, which allows an attacker to register a domain like myexample.com to circumvent the verification
+        if (uri.getHost() != null && uri.getHost().endsWith("example.com")) {
+            return false;
+        }
+    }
 
-	{
-		Uri uri = Uri.parse(url);
-		// GOOD: full domain match
-		if (uri.getHost() != null && uri.getHost().endsWith(".example.com")) {
-			return false;
-		}
-	}
-}
+    {
+        Uri uri = Uri.parse(url);
+        // GOOD: full domain match
+        if (uri.getHost() != null && uri.getHost().endsWith(".example.com")) {
+            return false;
+        }
+    }
+}
