Java: setAllowContentAccess query tests

egregius313 · egregius313 · commit 9ef319f65989 · 2022-12-31T15:00:28.000-05:00
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.java
@@ -1,18 +1,59 @@
 package com.example.test;
 
+import android.app.Activity;
+
 import android.webkit.WebView;
 import android.webkit.WebSettings;
 
-public class WebViewContentAccess {
-    void configureWebViewUnsafe(WebView view) {
-        WebSettings settings = view.getSettings();
+/** Helper class to mock a method which returns a `WebView` */
+interface WebViewGetter {
+    WebView getAWebView();
+}
 
-        settings.setAllowContentAccess(true);
+public class WebViewContentAccess extends Activity {
+    void enableContentAccess(WebView webview) {
+        webview.getSettings().setAllowContentAccess(true);
+    }
+
+    void disableContentAccess(WebView webview) {
+        webview.getSettings().setAllowContentAccess(false);
     }
 
-    void configureWebViewSafe(WebView view) {
+    void configureWebViewSafe(WebView view, WebViewGetter getter) {
         WebSettings settings = view.getSettings();
 
         settings.setAllowContentAccess(false);
+
+        WebView view2 = (WebView) findViewById(0);
+        settings = view2.getSettings();
+
+        settings.setAllowContentAccess(false);
+
+        disableContentAccess(getter.getAWebView());
+    }
+
+    void configureWebViewUnsafe(WebView view1, WebViewGetter getter) {
+        WebSettings settings;
+
+        view1.getSettings().setAllowContentAccess(true);
+
+        // Cast expression
+        WebView view2 = (WebView) findViewById(0);
+        settings = view2.getSettings();
+        settings.setAllowContentAccess(true);
+
+        // Constructor
+        WebView view3 = new WebView(this);
+        settings = view3.getSettings();
+        settings.setAllowContentAccess(true);
+
+        // Method access
+        WebView view4 = getter.getAWebView();
+        settings = view4.getSettings();
+        settings.setAllowContentAccess(true);
+
+        enableContentAccess(getter.getAWebView());
+
+        WebView view5 = getter.getAWebView();
     }
 }
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccessDataFlow.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccessDataFlow.expected
@@ -0,0 +1,5 @@
+| WebViewContentAccess.java:41:25:41:49 | (...)... | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:46:25:46:41 | new WebView(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:51:25:51:44 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:55:29:55:48 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
+| WebViewContentAccess.java:57:25:57:44 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access of content:// links being permitted. |
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccessDataFlow.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccessDataFlow.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-200/AndroidWebViewSettingsPermitsContentAccess.ql

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security/CWE/CWE-200/AndroidWebViewSettingsPermitsContentAccess.ql`