From ed8e5d2f0a3367dfb8df1aad2990bf3e4372a754 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=82=A8=E3=83=AA=E3=82=B9?= Date: Mon, 13 May 2024 10:24:04 +0900 Subject: [PATCH] ci: Set up CodeQL analysis w/ fixes (#1711) * ci: Set up CodeQL analysis * spec: disable allowBackup in testing * ci: do not check cordova.js - convered in cordova-js repo * chore: add missing @Override annotation --- .github/workflows/ci.yml | 26 ++++++++++++++----- .../org/apache/cordova/CordovaActivity.java | 5 ++++ .../cordova/CordovaClientCertRequest.java | 7 +++++ .../apache/cordova/CordovaDialogsHelper.java | 9 +++++++ .../cordova/CordovaHttpAuthHandler.java | 2 ++ .../apache/cordova/CordovaInterfaceImpl.java | 5 +++- .../apache/cordova/CordovaWebViewImpl.java | 5 ++++ .../src/org/apache/cordova/CoreAndroid.java | 6 +++++ .../cordova/NativeToJsMessageQueue.java | 4 +++ .../cordova/engine/SystemCookieManager.java | 5 ++++ .../cordova/engine/SystemExposedJsApi.java | 3 +++ .../cordova/engine/SystemWebChromeClient.java | 1 + .../app/src/main/AndroidManifest.xml | 2 +- .../unittests/BackButtonMultipageTest.java | 12 +++++++++ .../cordova/unittests/ErrorUrlTest.java | 1 + .../MessageChannelMultipageTest.java | 1 + .../androidx/app/src/main/AndroidManifest.xml | 2 +- .../unittests/EmbeddedWebViewActivity.java | 1 + 18 files changed, 88 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 281635bb..70796c47 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,15 +31,12 @@ jobs: os: [ubuntu-latest, windows-latest, macos-latest] steps: - - uses: actions/checkout@v3 - - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} - - name: set up JDK 11 - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: distribution: 'temurin' java-version: '11' 
@@ -50,6 +47,21 @@ jobs: npm --version gradle --version + # "bin/templates/platform_www/cordova.js" is ignored because it is a generated file. + # It contains mixed content from the npm package "cordova-js" and "./cordova-js-src". + # The report might not be resolvable because of the external package. + # If the report is related to this repository, it would be detected when scanning "./cordova-js-src". + - uses: github/codeql-action/init@v3 + with: + languages: javascript, java-kotlin + queries: security-and-quality + config: | + paths-ignore: + - coverage + - node_modules + - templates/project/assets/www/cordova.js + - test/androidx/app/src/main/assets/www/cordova.js + - name: npm install and test run: | npm i @@ -57,6 +69,8 @@ jobs: env: CI: true + - uses: github/codeql-action/analyze@v3 + - uses: codecov/codecov-action@v4 if: success() with: diff --git a/framework/src/org/apache/cordova/CordovaActivity.java b/framework/src/org/apache/cordova/CordovaActivity.java index ef6ae5e5..325e9e9d 100755 --- a/framework/src/org/apache/cordova/CordovaActivity.java +++ b/framework/src/org/apache/cordova/CordovaActivity.java @@ -391,6 +391,7 @@ public class CordovaActivity extends AppCompatActivity { if ((errorUrl != null) && (!failingUrl.equals(errorUrl)) && (appView != null)) { // Load URL on UI thread me.runOnUiThread(new Runnable() { + @Override public void run() { me.appView.showWebPage(errorUrl, false, true, null); } @@ -400,6 +401,7 @@ public class CordovaActivity extends AppCompatActivity { else { final boolean exit = !(errorCode == WebViewClient.ERROR_HOST_LOOKUP); me.runOnUiThread(new Runnable() { + @Override public void run() { if (exit) { me.appView.getView().setVisibility(View.GONE); 
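Review bot: The comment above `github/codeql-action/init@v3` says `bin/templates/platform_www/cordova.js` is ignored, but `paths-ignore` lists `templates/project/assets/www/cordova.js` and `test/androidx/app/src/main/assets/www/cordova.js` and not that path, so a reader cannot tell which generated copies are actually excluded from scanning. Either add the path named in the comment to the list or reword the comment to match, e.g. `# The generated cordova.js copies listed below are excluded; findings that belong to this repository surface when ./cordova-js-src is scanned.` The action is also referenced by the mutable tag `@v3`; pinning it as `github/codeql-action/init@<full-commit-sha> # v3` (placeholder, not a real hash) keeps a moved tag from changing what runs in CI.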
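Review bot: `github/codeql-action/analyze@v3` uploads its results to code scanning, which requires the job token to carry `security-events: write`, and no `permissions:` block is visible in the hunks of this file. Where the default token scope is read-only (pull requests from forks in particular) the upload can fail, so declaring `permissions:` with `contents: read` and `security-events: write` on the job would make the requirement explicit and keep the token least-privilege. The step is also added to the job whose matrix, per the first hunk's context, includes `os: [ubuntu-latest, windows-latest, macos-latest]`, so every leg builds and uploads its own database; an `if:` restricting the CodeQL steps to one leg would avoid the duplicate analyses. The rest of the workflow is outside this diff, so both points should be checked against the full file.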
@@ -416,6 +418,7 @@ public class CordovaActivity extends AppCompatActivity { public void displayError(final String title, final String message, final String button, final boolean exit) { final CordovaActivity me = this; me.runOnUiThread(new Runnable() { + @Override public void run() { try { AlertDialog.Builder dlg = new AlertDialog.Builder(me); @@ -424,6 +427,7 @@ public class CordovaActivity extends AppCompatActivity { dlg.setCancelable(false); dlg.setPositiveButton(button, new AlertDialog.OnClickListener() { + @Override public void onClick(DialogInterface dialog, int which) { dialog.dismiss(); if (exit) { @@ -488,6 +492,7 @@ public class CordovaActivity extends AppCompatActivity { return null; } + @Override protected void onSaveInstanceState(Bundle outState) { cordovaInterface.onSaveInstanceState(outState); super.onSaveInstanceState(outState); diff --git a/framework/src/org/apache/cordova/CordovaClientCertRequest.java b/framework/src/org/apache/cordova/CordovaClientCertRequest.java index ad7c588a..a7889341 100644 --- a/framework/src/org/apache/cordova/CordovaClientCertRequest.java +++ b/framework/src/org/apache/cordova/CordovaClientCertRequest.java @@ -41,6 +41,7 @@ public class CordovaClientCertRequest implements ICordovaClientCertRequest { * Cancel this request */ @SuppressLint("NewApi") + @Override public void cancel() { request.cancel(); @@ -50,6 +51,7 @@ public class CordovaClientCertRequest implements ICordovaClientCertRequest { * Returns the host name of the server requesting the certificate. */ @SuppressLint("NewApi") + @Override public String getHost() { return request.getHost(); @@ -59,6 +61,7 @@ public class CordovaClientCertRequest implements ICordovaClientCertRequest { * Returns the acceptable types of asymmetric keys (can be null). */ @SuppressLint("NewApi") + @Override public String[] getKeyTypes() { return request.getKeyTypes(); 
@@ -68,6 +71,7 @@ public class CordovaClientCertRequest implements ICordovaClientCertRequest { * Returns the port number of the server requesting the certificate. */ @SuppressLint("NewApi") + @Override public int getPort() { return request.getPort(); @@ -77,6 +81,7 @@ public class CordovaClientCertRequest implements ICordovaClientCertRequest { * Returns the acceptable certificate issuers for the certificate matching the private key (can be null). */ @SuppressLint("NewApi") + @Override public Principal[] getPrincipals() { return request.getPrincipals(); @@ -86,6 +91,7 @@ public class CordovaClientCertRequest implements ICordovaClientCertRequest { * Ignore the request for now. Do not remember user's choice. */ @SuppressLint("NewApi") + @Override public void ignore() { request.ignore(); @@ -98,6 +104,7 @@ public class CordovaClientCertRequest implements ICordovaClientCertRequest { * @param chain The certificate chain */ @SuppressLint("NewApi") + @Override public void proceed(PrivateKey privateKey, X509Certificate[] chain) { request.proceed(privateKey, chain); diff --git a/framework/src/org/apache/cordova/CordovaDialogsHelper.java b/framework/src/org/apache/cordova/CordovaDialogsHelper.java index a219c992..a4c7ceb7 100644 --- a/framework/src/org/apache/cordova/CordovaDialogsHelper.java +++ b/framework/src/org/apache/cordova/CordovaDialogsHelper.java @@ -43,18 +43,21 @@ public class CordovaDialogsHelper { dlg.setCancelable(true); dlg.setPositiveButton(android.R.string.ok, new AlertDialog.OnClickListener() { + @Override public void onClick(DialogInterface dialog, int which) { result.gotResult(true, null); } }); dlg.setOnCancelListener( new DialogInterface.OnCancelListener() { + @Override public void onCancel(DialogInterface dialog) { result.gotResult(false, null); } }); dlg.setOnKeyListener(new DialogInterface.OnKeyListener() { //DO NOTHING + @Override public boolean onKey(DialogInterface dialog, int keyCode, KeyEvent event) { if (keyCode == KeyEvent.KEYCODE_BACK) { 
@@ -75,24 +78,28 @@ public class CordovaDialogsHelper { dlg.setCancelable(true); dlg.setPositiveButton(android.R.string.ok, new DialogInterface.OnClickListener() { + @Override public void onClick(DialogInterface dialog, int which) { result.gotResult(true, null); } }); dlg.setNegativeButton(android.R.string.cancel, new DialogInterface.OnClickListener() { + @Override public void onClick(DialogInterface dialog, int which) { result.gotResult(false, null); } }); dlg.setOnCancelListener( new DialogInterface.OnCancelListener() { + @Override public void onCancel(DialogInterface dialog) { result.gotResult(false, null); } }); dlg.setOnKeyListener(new DialogInterface.OnKeyListener() { //DO NOTHING + @Override public boolean onKey(DialogInterface dialog, int keyCode, KeyEvent event) { if (keyCode == KeyEvent.KEYCODE_BACK) { @@ -126,6 +133,7 @@ public class CordovaDialogsHelper { dlg.setCancelable(false); dlg.setPositiveButton(android.R.string.ok, new DialogInterface.OnClickListener() { + @Override public void onClick(DialogInterface dialog, int which) { String userText = input.getText().toString(); result.gotResult(true, userText); @@ -133,6 +141,7 @@ public class CordovaDialogsHelper { }); dlg.setNegativeButton(android.R.string.cancel, new DialogInterface.OnClickListener() { + @Override public void onClick(DialogInterface dialog, int which) { result.gotResult(false, null); } diff --git a/framework/src/org/apache/cordova/CordovaHttpAuthHandler.java b/framework/src/org/apache/cordova/CordovaHttpAuthHandler.java index a2692f8c..aecf200c 100644 --- a/framework/src/org/apache/cordova/CordovaHttpAuthHandler.java +++ b/framework/src/org/apache/cordova/CordovaHttpAuthHandler.java @@ -35,6 +35,7 @@ public class CordovaHttpAuthHandler implements ICordovaHttpAuthHandler { /** * Instructs the WebView to cancel the authentication request. */ + @Override public void cancel () { this.handler.cancel(); } 
@@ -45,6 +46,7 @@ public class CordovaHttpAuthHandler implements ICordovaHttpAuthHandler { * @param username * @param password */ + @Override public void proceed (String username, String password) { this.handler.proceed(username, password); } diff --git a/framework/src/org/apache/cordova/CordovaInterfaceImpl.java b/framework/src/org/apache/cordova/CordovaInterfaceImpl.java index eccc9663..649dd573 100644 --- a/framework/src/org/apache/cordova/CordovaInterfaceImpl.java +++ b/framework/src/org/apache/cordova/CordovaInterfaceImpl.java @@ -223,18 +223,21 @@ public class CordovaInterfaceImpl implements CordovaInterface { } } + @Override public void requestPermission(CordovaPlugin plugin, int requestCode, String permission) { String[] permissions = new String [1]; permissions[0] = permission; requestPermissions(plugin, requestCode, permissions); } - @SuppressLint("NewApi") + @SuppressLint("NewApi") + @Override public void requestPermissions(CordovaPlugin plugin, int requestCode, String [] permissions) { int mappedRequestCode = permissionResultCallbacks.registerCallback(plugin, requestCode); getActivity().requestPermissions(permissions, mappedRequestCode); } + @Override public boolean hasPermission(String permission) { return PackageManager.PERMISSION_GRANTED == activity.checkSelfPermission(permission); diff --git a/framework/src/org/apache/cordova/CordovaWebViewImpl.java b/framework/src/org/apache/cordova/CordovaWebViewImpl.java index 1a48f8b1..4d5221e2 100644 --- a/framework/src/org/apache/cordova/CordovaWebViewImpl.java +++ b/framework/src/org/apache/cordova/CordovaWebViewImpl.java @@ -149,6 +149,7 @@ public class CordovaWebViewImpl implements CordovaWebView { // Timeout error method final Runnable loadError = new Runnable() { + @Override public void run() { stopLoading(); LOG.e(TAG, "CordovaWebView: TIMEOUT ERROR!"); 
@@ -168,6 +169,7 @@ public class CordovaWebViewImpl implements CordovaWebView { // Timeout timer method final Runnable timeoutCheck = new Runnable() { + @Override public void run() { try { synchronized (this) { @@ -189,6 +191,7 @@ public class CordovaWebViewImpl implements CordovaWebView { if (cordova.getActivity() != null) { final boolean _recreatePlugins = recreatePlugins; cordova.getActivity().runOnUiThread(new Runnable() { + @Override public void run() { if (loadUrlTimeoutValue > 0) { cordova.getThreadPool().execute(timeoutCheck); @@ -579,11 +582,13 @@ public class CordovaWebViewImpl implements CordovaWebView { // Make app visible after 2 sec in case there was a JS error and Cordova JS never initialized correctly if (engine.getView().getVisibility() != View.VISIBLE) { Thread t = new Thread(new Runnable() { + @Override public void run() { try { Thread.sleep(2000); if (cordova.getActivity() != null) { cordova.getActivity().runOnUiThread(new Runnable() { + @Override public void run() { pluginManager.postMessage("spinner", "stop"); } diff --git a/framework/src/org/apache/cordova/CoreAndroid.java b/framework/src/org/apache/cordova/CoreAndroid.java index ea04ca4d..36b28b2d 100755 --- a/framework/src/org/apache/cordova/CoreAndroid.java +++ b/framework/src/org/apache/cordova/CoreAndroid.java @@ -73,6 +73,7 @@ public class CoreAndroid extends CordovaPlugin { * @param callbackContext The callback context from which we were invoked. * @return A PluginResult object with a status and message. */ + @Override public boolean execute(String action, JSONArray args, CallbackContext callbackContext) throws JSONException { PluginResult.Status status = PluginResult.Status.OK; String result = ""; 
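Review bot: The Javadoc on `CoreAndroid.execute`, which the last hunk on this line annotates, still ends with `@return A PluginResult object with a status and message.`, while the signature below it returns `boolean`. Now that `@Override` ties the method to the `CordovaPlugin` contract, the tag should describe the boolean, presumably `@return Whether the action was valid.` (confirm against the base class, which is not shown here). The method body continues outside the hunk.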
@@ -86,6 +87,7 @@ public class CoreAndroid extends CordovaPlugin { // I recommend we change the name of the Message as spinner/stop is not // indicative of what this actually does (shows the webview). cordova.getActivity().runOnUiThread(new Runnable() { + @Override public void run() { webView.getPluginManager().postMessage("spinner", "stop"); } @@ -144,6 +146,7 @@ public class CoreAndroid extends CordovaPlugin { */ public void clearCache() { cordova.getActivity().runOnUiThread(new Runnable() { + @Override public void run() { webView.clearCache(); } @@ -215,6 +218,7 @@ public class CoreAndroid extends CordovaPlugin { */ public void clearHistory() { cordova.getActivity().runOnUiThread(new Runnable() { + @Override public void run() { webView.clearHistory(); } @@ -227,6 +231,7 @@ public class CoreAndroid extends CordovaPlugin { */ public void backHistory() { cordova.getActivity().runOnUiThread(new Runnable() { + @Override public void run() { webView.backHistory(); } @@ -353,6 +358,7 @@ public class CoreAndroid extends CordovaPlugin { * Unregister the receiver * */ + @Override public void onDestroy() { webView.getContext().unregisterReceiver(this.telephonyReceiver); diff --git a/framework/src/org/apache/cordova/NativeToJsMessageQueue.java b/framework/src/org/apache/cordova/NativeToJsMessageQueue.java index 311ba444..6e6f2a73 100755 --- a/framework/src/org/apache/cordova/NativeToJsMessageQueue.java +++ b/framework/src/org/apache/cordova/NativeToJsMessageQueue.java @@ -302,6 +302,7 @@ public class NativeToJsMessageQueue { @Override public void onNativeToJsMessageAvailable(final NativeToJsMessageQueue queue) { cordova.getActivity().runOnUiThread(new Runnable() { + @Override public void run() { String js = queue.popAndEncodeAsJs(); if (js != null) { 
@@ -330,6 +331,7 @@ public class NativeToJsMessageQueue { @Override public void reset() { delegate.runOnUiThread(new Runnable() { + @Override public void run() { online = false; // If the following call triggers a notifyOfFlush, then ignore it. @@ -342,6 +344,7 @@ public class NativeToJsMessageQueue { @Override public void onNativeToJsMessageAvailable(final NativeToJsMessageQueue queue) { delegate.runOnUiThread(new Runnable() { + @Override public void run() { if (!queue.isEmpty()) { ignoreNextFlush = false; @@ -372,6 +375,7 @@ public class NativeToJsMessageQueue { @Override public void onNativeToJsMessageAvailable(final NativeToJsMessageQueue queue) { cordova.getActivity().runOnUiThread(new Runnable() { + @Override public void run() { String js = queue.popAndEncodeAsJs(); if (js != null) { diff --git a/framework/src/org/apache/cordova/engine/SystemCookieManager.java b/framework/src/org/apache/cordova/engine/SystemCookieManager.java index bc980356..16cf5482 100644 --- a/framework/src/org/apache/cordova/engine/SystemCookieManager.java +++ b/framework/src/org/apache/cordova/engine/SystemCookieManager.java @@ -41,22 +41,27 @@ class SystemCookieManager implements ICordovaCookieManager { cookieManager.setAcceptFileSchemeCookies(true); } + @Override public void setCookiesEnabled(boolean accept) { cookieManager.setAcceptCookie(accept); } + @Override public void setCookie(final String url, final String value) { cookieManager.setCookie(url, value); } + @Override public String getCookie(final String url) { return cookieManager.getCookie(url); } + @Override public void clearCookies() { cookieManager.removeAllCookies(null); } + @Override public void flush() { cookieManager.flush(); } diff --git a/framework/src/org/apache/cordova/engine/SystemExposedJsApi.java b/framework/src/org/apache/cordova/engine/SystemExposedJsApi.java index 94c3d934..c37d4558 100755 --- a/framework/src/org/apache/cordova/engine/SystemExposedJsApi.java 
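Review bot: The context at the top of the `SystemCookieManager` hunk calls `cookieManager.setAcceptFileSchemeCookies(true);` unconditionally and without a comment; Android deprecated this setting in API level 30 as not secure. It would help to record why it is needed, e.g. `// Required only when content is served from file://; deprecated as insecure since API 30.`, or to enable it only when the app is actually configured to load from `file://`. The enclosing constructor begins outside the hunk, so any existing guard is not visible here.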
+++ b/framework/src/org/apache/cordova/engine/SystemExposedJsApi.java @@ -37,16 +37,19 @@ class SystemExposedJsApi implements ExposedJsApi { } @JavascriptInterface + @Override public String exec(int bridgeSecret, String service, String action, String callbackId, String arguments) throws JSONException, IllegalAccessException { return bridge.jsExec(bridgeSecret, service, action, callbackId, arguments); } @JavascriptInterface + @Override public void setNativeToJsBridgeMode(int bridgeSecret, int value) throws IllegalAccessException { bridge.jsSetNativeToJsBridgeMode(bridgeSecret, value); } @JavascriptInterface + @Override public String retrieveJsMessages(int bridgeSecret, boolean fromOnlineEvent) throws IllegalAccessException { return bridge.jsRetrieveJsMessages(bridgeSecret, fromOnlineEvent); } diff --git a/framework/src/org/apache/cordova/engine/SystemWebChromeClient.java b/framework/src/org/apache/cordova/engine/SystemWebChromeClient.java index da3ed931..8a48e351 100755 --- a/framework/src/org/apache/cordova/engine/SystemWebChromeClient.java +++ b/framework/src/org/apache/cordova/engine/SystemWebChromeClient.java @@ -321,6 +321,7 @@ public class SystemWebChromeClient extends WebChromeClient { return uri; } + @Override public void onPermissionRequest(final PermissionRequest request) { LOG.d(LOG_TAG, "onPermissionRequest: " + Arrays.toString(request.getResources())); request.grant(request.getResources()); diff --git a/spec/fixtures/android_studio_project/app/src/main/AndroidManifest.xml b/spec/fixtures/android_studio_project/app/src/main/AndroidManifest.xml index b9140cde..940ecc81 100644 --- a/spec/fixtures/android_studio_project/app/src/main/AndroidManifest.xml +++ b/spec/fixtures/android_studio_project/app/src/main/AndroidManifest.xml @@ -3,7 +3,7 @@ package="com.example.anis.myapplication">
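Review bot: The three `@JavascriptInterface` methods in `SystemExposedJsApi` carry no comment stating that they are callable by any script running in the WebView, so as far as this hunk shows the `bridgeSecret` argument is what separates page content from `bridge.jsExec`. A short class-level note would make that trust boundary explicit for future maintainers, e.g. `// Callable from any JavaScript in the WebView; callers are authorised solely by bridgeSecret, which the bridge must verify before acting.` The verification itself lives in `bridge` and is not part of this diff, so the wording should be checked against that class.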
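Review bot: `onPermissionRequest` in `SystemWebChromeClient` still calls `request.grant(request.getResources());`, so any content loaded in the WebView, including a framed or navigated-to third-party page, is granted every resource it asks for with no origin check or user prompt, limited only by the Android permissions the app itself holds. Gate the grant on `request.getOrigin()` and refuse otherwise, e.g. `if (!isAllowedOrigin(request.getOrigin())) { request.deny(); return; }`, where `isAllowedOrigin` is a placeholder for the project's own allow-list check. The `LOG.d` line records the requested resources; logging the origin alongside them would make unexpected requests visible in device logs. The method body may continue past the end of the hunk.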