Apply suggestions from code review

Co-authored-by: Chris Smowton <[email protected]>

Author: porcupineyhairs

java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp

@@ -2,29 +2,29 @@
 <qhelp>
   <overview>
     <p>
-Shared world writable storage spaces are not secure to load Dex libraries from. A malicious actor can replace a dex file with a maliciously crafted file 
+It is dangerous to load Dex libraries from shared world-writable storage spaces. A malicious actor can replace a dex file with a maliciously crafted file 
 which when loaded by the app can lead to code execution. 
 </p>
   </overview>
 
   <recommendation>
     <p>
-      Loading a file from private storage instead of a world writable one can prevent this issue.
-      As the attacker cannot access files stored by the app in its private storage. 
+      Loading a file from private storage instead of a world-writable one can prevent this issue,
+      because the attacker cannot access files stored there. 
     </p>
   </recommendation>
 
   <example>
     <p>
-      The following example loads a Dex file from a shared world writable location. in this case, 
-      since the `/sdcard` directory is on external storage, any one can read/write to the location. 
+      The following example loads a Dex file from a shared world-writable location. in this case, 
+      since the `/sdcard` directory is on external storage, anyone can read/write to the location. 
       bypassing all Android security policies. Hence, this is insecure.
     </p>
     <sample src="InsecureDexLoadingBad.java" />
 
     <p>
     The next example loads a Dex file stored inside the app's private storage. 
-    This is not exploitable as nobody else except the app can access the data stored here.
+    This is not exploitable as nobody else except the app can access the data stored there.
     </p>
     <sample src="InsecureDexLoadingGood.java" />
   </example>

java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql

@@ -1,7 +1,7 @@
 /**
  * @name Insecure loading of an Android Dex File
- * @description Loading a DEX library located in a world-readable/ writable location such as
- * a SD card can cause arbitary code execution vulnerabilities.
+ * @description Loading a DEX library located in a world-writable location such as
+ * an SD card can lead to arbitrary code execution vulnerabilities.
  * @kind path-problem
  * @problem.severity error
  * @precision high
@@ -16,5 +16,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureDexConfiguration conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Potential arbitary code execution due to $@.",
-  source.getNode(), "a value loaded from a world readable/writable source."
+select sink.getNode(), source, sink, "Potential arbitrary code execution due to $@.",
+  source.getNode(), "a value loaded from a world-writable source."

java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll

@@ -2,7 +2,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 
 /**
- * A taint-tracking configuration fordetecting unsafe use of a
+ * A taint-tracking configuration detecting unsafe use of a
  * `DexClassLoader` by an Android app.
  */
 class InsecureDexConfiguration extends TaintTracking::Configuration {
@@ -63,7 +63,7 @@ private class DexClassLoader extends InsecureDexSink {
 }
 
 /**
- * An `File` instance which reads from an SD card
+ * A `File` instance which reads from an SD card
  * taken as a source for insecure Dex class loading vulnerabilities.
  */
 private class ExternalFile extends InsecureDexSource {

java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingBad.java

@@ -22,11 +22,11 @@ private void updateChecker() {
 						getClassLoader());
 				int version = (int) cl.loadClass("my.package.class").getDeclaredMethod("myMethod").invoke(null);
 				if (Build.VERSION.SDK_INT < version) {
-					Toast.makeText(this, "Securely loaded Dex!", Toast.LENGTH_LONG).show();
+					Toast.makeText(this, "Loaded Dex!", Toast.LENGTH_LONG).show();
 				}
 			}
 		} catch (Exception e) {
 			// ignore
 		}
 	}
-}
+}