Use more precise control flow logic

joefarebrother · joefarebrother · commit dd83c17144fc · 2022-08-05T12:56:21.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/AndroidWebViewCertificateValidationQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidWebViewCertificateValidationQuery.qll
@@ -14,13 +14,6 @@ class OnReceivedSslErrorMethod extends Method {
   Parameter handlerArg() { result = this.getParameter(1) }
 }
 
-/** A call to `SslErrorHandler.cancel` */
-private class SslCancelCall extends MethodAccess {
-  SslCancelCall() {
-    this.getMethod().hasQualifiedName("android.webkit", "SslErrorHandler", "cancel")
-  }
-}
-
 /** A call to `SslErrorHandler.proceed` */
 private class SslProceedCall extends MethodAccess {
   SslProceedCall() {
@@ -30,6 +23,7 @@ private class SslProceedCall extends MethodAccess {
 
 /** Holds if `m` trusts all certificates by calling `SslErrorHandler.proceed` unconditionally. */
 predicate trustsAllCerts(OnReceivedSslErrorMethod m) {
-  exists(SslProceedCall pr | pr.getQualifier().(VarAccess).getVariable() = m.handlerArg()) and
-  not exists(SslCancelCall ca | ca.getQualifier().(VarAccess).getVariable() = m.handlerArg())
+  exists(SslProceedCall pr | pr.getQualifier().(VarAccess).getVariable() = m.handlerArg() |
+    pr.getBasicBlock().bbPostDominates(m.getBody().getBasicBlock())
+  )
 }
