Java: Convert WebViewGetUrlMethod to CSV based flow source

tamasvajk · tamasvajk · commit e0c51b510feb · 2021-03-09T11:42:40.000+01:00
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -162,7 +162,11 @@ private predicate sourceModelCsv(string row) {
       "android.util;AttributeSet;false;getIdAttribute;;;ReturnValue;remote",
       "android.util;AttributeSet;false;getIdAttributeResourceValue;;;ReturnValue;remote",
       "android.util;AttributeSet;false;getPositionDescription;;;ReturnValue;remote",
-      "android.util;AttributeSet;false;getStyleAttribute;;;ReturnValue;remote"
+      "android.util;AttributeSet;false;getStyleAttribute;;;ReturnValue;remote",
+      // The current URL in a browser may be untrusted or uncontrolled.
+      // WebViewGetUrlMethod
+      "android.webkit;WebView;false;getUrl;();;ReturnValue;remote",
+      "android.webkit;WebView;false;getOriginalUrl;();;ReturnValue;remote"
     ]
 }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -215,9 +215,7 @@ class DatabaseInput extends LocalUserInput {
 private class RemoteTaintedMethod extends Method {
   RemoteTaintedMethod() {
     this instanceof PlayRequestGetMethod or
-    this instanceof SpringRestTemplateResponseEntityMethod or
-    // The current URL in a browser may be untrusted or uncontrolled.
-    this instanceof WebViewGetUrlMethod
+    this instanceof SpringRestTemplateResponseEntityMethod
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,11 @@ private predicate sourceModelCsv(string row) {`
`162`	`162`	`"android.util;AttributeSet;false;getIdAttribute;;;ReturnValue;remote",`
`163`	`163`	`"android.util;AttributeSet;false;getIdAttributeResourceValue;;;ReturnValue;remote",`
`164`	`164`	`"android.util;AttributeSet;false;getPositionDescription;;;ReturnValue;remote",`
`165`		`- "android.util;AttributeSet;false;getStyleAttribute;;;ReturnValue;remote"`
	`165`	`+ "android.util;AttributeSet;false;getStyleAttribute;;;ReturnValue;remote",`
	`166`	`+ // The current URL in a browser may be untrusted or uncontrolled.`
	`167`	`+ // WebViewGetUrlMethod`
	`168`	`+ "android.webkit;WebView;false;getUrl;();;ReturnValue;remote",`
	`169`	`+ "android.webkit;WebView;false;getOriginalUrl;();;ReturnValue;remote"`
`166`	`170`	`]`
`167`	`171`	`}`
`168`	`172`
Original file line number	Diff line number	Diff line change
`@@ -215,9 +215,7 @@ class DatabaseInput extends LocalUserInput {`
`215`	`215`	`private class RemoteTaintedMethod extends Method {`
`216`	`216`	`RemoteTaintedMethod() {`
`217`	`217`	`this instanceof PlayRequestGetMethod or`
`218`		`- this instanceof SpringRestTemplateResponseEntityMethod or`
`219`		`- // The current URL in a browser may be untrusted or uncontrolled.`
`220`		`- this instanceof WebViewGetUrlMethod`
	`218`	`+ this instanceof SpringRestTemplateResponseEntityMethod`
`221`	`219`	`}`
`222`	`220`	`}`
`223`	`221`