Java: test files for WebView file access query

egregius313 · egregius313 · commit 7a0544d80e27 · 2022-11-14T15:11:15.000-05:00
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewFileAccess.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewFileAccess.expected
@@ -0,0 +1,3 @@
+| WebViewFileAccess.java:8:9:8:41 | setAllowFileAccess(...) | WebView setting setAllowFileAccess may allow for unauthorized access of sensitive information. |
+| WebViewFileAccess.java:10:9:10:53 | setAllowFileAccessFromFileURLs(...) | WebView setting setAllowFileAccessFromFileURLs may allow for unauthorized access of sensitive information. |
+| WebViewFileAccess.java:12:9:12:58 | setAllowUniversalAccessFromFileURLs(...) | WebView setting setAllowUniversalAccessFromFileURLs may allow for unauthorized access of sensitive information. |
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewFileAccess.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewFileAccess.java
@@ -0,0 +1,14 @@
+import android.webkit.WebView;
+import android.webkit.WebSettings;
+
+class WebViewFileAccess {
+    void configure(WebView view) {
+        WebSettings settings = view.getSettings();
+
+        settings.setAllowFileAccess(true);
+
+        settings.setAllowFileAccessFromFileURLs(true);
+
+        settings.setAllowUniversalAccessFromFileURLs(true);
+    }
+}
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewFileAccess.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewFileAccess.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/options b/java/ql/test/query-tests/security/CWE-200/semmle/tests/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7/:${testdir}/../../../../../stubs/google-android-9.0.0

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+\| WebViewFileAccess.java:8:9:8:41 \| setAllowFileAccess(...) \| WebView setting setAllowFileAccess may allow for unauthorized access of sensitive information. \|`
	`2`	`+\| WebViewFileAccess.java:10:9:10:53 \| setAllowFileAccessFromFileURLs(...) \| WebView setting setAllowFileAccessFromFileURLs may allow for unauthorized access of sensitive information. \|`
	`3`	`+\| WebViewFileAccess.java:12:9:12:58 \| setAllowUniversalAccessFromFileURLs(...) \| WebView setting setAllowUniversalAccessFromFileURLs may allow for unauthorized access of sensitive information. \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7/`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7/:${testdir}/../../../../../stubs/google-android-9.0.0`