Add declaring type to the res.getString(R.string.key) call

luchua-bc · web-flow · commit 7a9381f1fbd8 · 2020-05-18T07:59:38.000-04:00
diff --git a/java/ql/src/experimental/CWE-939/IncorrectURLVerification.ql b/java/ql/src/experimental/CWE-939/IncorrectURLVerification.ql
@@ -63,9 +63,11 @@ class HostVerificationMethodAccess extends MethodAccess {
           .getRepresentedString()
           .charAt(0) != "." //"."+var2, check string constant "." e.g. String domainName = "example.com";  Uri.parse(url).getHost().endsWith("www."+domainName)
       or
-      exists(MethodAccess ma |
+      exists(MethodAccess ma, Method m |
         this.getArgument(0) = ma and
-        ma.getMethod().hasName("getString") and
+        ma.getMethod() = m and
+        m.hasName("getString") and
+        m.getDeclaringType().getQualifiedName() = "android.content.res.Resources" and
         ma.getArgument(0).toString().indexOf("R.string") = 0
       ) //Check resource properties in /res/values/strings.xml in Android mobile applications using res.getString(R.string.key)
       or
