@@ -21,7 +21,7 @@ class AndroidNetworkSecurityConfigFile extends XmlFile {
2121predicate isAndroid ( ) { exists ( AndroidManifestXmlFile m ) }
2222
2323/** Holds if the given domain name is trusted by the Network Security Configuration XML file. */
24- predicate trustedDomain ( string domainName ) {
24+ private predicate trustedDomainViaXml ( string domainName ) {
2525 exists (
2626 AndroidNetworkSecurityConfigFile confFile , XmlElement domConf , XmlElement domain ,
2727 XmlElement trust
@@ -36,6 +36,22 @@ predicate trustedDomain(string domainName) {
3636 )
3737}
3838
39+ /** Holds if the given domain name is trusted by an OkHttp `CertificatePinner`. */
40+ private predicate trustedDomainViaOkHttp ( string domainName ) {
41+ exists ( CompileTimeConstantExpr domainExpr , MethodAccess certPinnerAdd |
42+ domainExpr .getStringValue ( ) .replaceAll ( "*." , "" ) = domainName and // strip wildcard patterns like *.example.com
43+ certPinnerAdd .getMethod ( ) .hasQualifiedName ( "okhttp3" , "CertificatePinner$Builder" , "add" ) and
44+ DataFlow:: localExprFlow ( domainExpr , certPinnerAdd .getArgument ( 0 ) )
45+ )
46+ }
47+
48+ /** Holds if the given domain name is trusted by some certifiacte pinning implementation. */
49+ predicate trustedDomain ( string domainName ) {
50+ trustedDomainViaXml ( domainName )
51+ or
52+ trustedDomainViaOkHttp ( domainName )
53+ }
54+
3955/** Configuration for finding uses of non trusted URLs. */
4056private class UntrustedUrlConfig extends TaintTracking:: Configuration {
4157 UntrustedUrlConfig ( ) { this = "UntrustedUrlConfig" }
0 commit comments