Split Android XSS sink defintions out of XSS.qll

smowton · smowton · commit e661fc08d381 · 2021-07-02T10:02:25.000+01:00
This removes one of the routes by which XSS.qll is always in scope, and so its dataflow configuration is too -- however it is still always in scope because JaxWS.qll imports it.
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -77,6 +77,7 @@ private import FlowSummary
  */
 private module Frameworks {
   private import internal.ContainerFlow
+  private import semmle.code.java.frameworks.android.XssSinks
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Collections
   private import semmle.code.java.frameworks.apache.Lang
@@ -92,7 +93,6 @@ private module Frameworks {
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.InformationLeak
   private import semmle.code.java.security.JexlInjectionSinkModels
-  private import semmle.code.java.security.XSS
   private import semmle.code.java.security.LdapInjection
   private import semmle.code.java.security.XPath
   private import semmle.code.java.frameworks.android.SQLite
diff --git a/java/ql/src/semmle/code/java/frameworks/android/XssSinks.qll b/java/ql/src/semmle/code/java/frameworks/android/XssSinks.qll
@@ -0,0 +1,16 @@
+/** Provides XSS sink models relating to the `android.webkit.WebView` class. */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+/** CSV sink models representing methods susceptible to XSS attacks. */
+private class DefaultXssSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "android.webkit;WebView;false;loadData;;;Argument[0];xss",
+        "android.webkit;WebView;false;loadUrl;;;Argument[0];xss",
+        "android.webkit;WebView;false;loadDataWithBaseURL;;;Argument[1];xss"
+      ]
+  }
+}
diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -29,18 +29,6 @@ class XssAdditionalTaintStep extends Unit {
   abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }
 
-/** CSV sink models representing methods susceptible to XSS attacks. */
-private class DefaultXssSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "android.webkit;WebView;false;loadData;;;Argument[0];xss",
-        "android.webkit;WebView;false;loadUrl;;;Argument[0];xss",
-        "android.webkit;WebView;false;loadDataWithBaseURL;;;Argument[1];xss"
-      ]
-  }
-}
-
 /** A default sink representing methods susceptible to XSS attacks. */
 private class DefaultXssSink extends XssSink {
   DefaultXssSink() {
