Merge pull request github#11628 from egregius313/egregius313/android-webview-addjavascriptinterface-dataflow

Java: Add parameters of methods annotated @JavascriptInterface as remote flow sources

Author: egregius313

java/ql/lib/change-notes/2022-01-13-android-javascriptinterface-parameters-remote-sources.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added an external flow source for the parameters of methods annotated with `android.webkit.JavascriptInterface`.

java/ql/lib/semmle/code/java/dataflow/FlowSources.qll

@@ -298,3 +298,16 @@ class OnActivityResultIntentSource extends OnActivityResultIncomingIntent, Remot
 
   override string getSourceType() { result = "Android onActivityResult incoming Intent" }
 }
+
+/**
+ * A parameter of a method annotated with the `android.webkit.JavascriptInterface` annotation.
+ */
+class AndroidJavascriptInterfaceMethodParameter extends RemoteFlowSource {
+  AndroidJavascriptInterfaceMethodParameter() {
+    exists(JavascriptInterfaceMethod m | this.asParameter() = m.getAParameter())
+  }
+
+  override string getSourceType() {
+    result = "Parameter of method with JavascriptInterface annotation"
+  }
+}

java/ql/lib/semmle/code/java/frameworks/android/WebView.qll

@@ -85,3 +85,10 @@ class ShouldOverrideUrlLoading extends Method {
     this.hasName("shouldOverrideUrlLoading")
   }
 }
+
+/**
+ * A method annotated with the `android.webkit.JavascriptInterface` annotation.
+ */
+class JavascriptInterfaceMethod extends Method {
+  JavascriptInterfaceMethod() { this.hasAnnotation("android.webkit", "JavascriptInterface") }
+}

java/ql/test/library-tests/dataflow/taintsources/AndroidExposedObject.java

@@ -0,0 +1,11 @@
+import android.webkit.JavascriptInterface;
+
+public class AndroidExposedObject {
+    public void sink(Object o) {
+    }
+
+    @JavascriptInterface
+    public void test(String arg) {
+        sink(arg); // $hasRemoteValueFlow
+    }
+}