|
| 1 | +/** Definitions for the Android Webview Debugging Enabled query */ |
| 2 | + |
| 3 | +import java |
| 4 | +import semmle.code.java.dataflow.DataFlow |
| 5 | +import semmle.code.java.controlflow.Guards |
| 6 | +import semmle.code.java.security.SecurityTests |
| 7 | + |
| 8 | +/** Holds if `ex` looks like a check that this is a debug build. */ |
| 9 | +private predicate isDebugCheck(Expr ex) { |
| 10 | + exists(Expr subex, string debug | |
| 11 | + debug.toLowerCase().matches("%debug%") and |
| 12 | + subex.getParent*() = ex |
| 13 | + | |
| 14 | + subex.(VarAccess).getVariable().getName() = debug |
| 15 | + or |
| 16 | + subex.(MethodAccess).getMethod().hasName("getProperty") and |
| 17 | + subex.(MethodAccess).getAnArgument().(CompileTimeConstantExpr).getStringValue() = debug |
| 18 | + ) |
| 19 | +} |
| 20 | + |
| 21 | +/** Configuration to find instances of `setWebContentDebuggingEnabled` called with `true` values. */ |
| 22 | +class WebviewDebugEnabledConfig extends DataFlow::Configuration { |
| 23 | + WebviewDebugEnabledConfig() { this = "WebviewDebugEnabledConfig" } |
| 24 | + |
| 25 | + override predicate isSource(DataFlow::Node node) { |
| 26 | + node.asExpr().(BooleanLiteral).getBooleanValue() = true |
| 27 | + } |
| 28 | + |
| 29 | + override predicate isSink(DataFlow::Node node) { |
| 30 | + exists(MethodAccess ma | |
| 31 | + ma.getMethod().hasQualifiedName("android.webkit", "WebView", "setWebContentsDebuggingEnabled") and |
| 32 | + node.asExpr() = ma.getArgument(0) |
| 33 | + ) |
| 34 | + } |
| 35 | + |
| 36 | + override predicate isBarrier(DataFlow::Node node) { |
| 37 | + not node.getType() instanceof BooleanType |
| 38 | + or |
| 39 | + exists(Guard debug | isDebugCheck(debug) and debug.controls(node.asExpr().getBasicBlock(), _)) |
| 40 | + or |
| 41 | + node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass |
| 42 | + } |
| 43 | +} |
0 commit comments