Add webview cert validation query

2026-04-28 02:05:14 +02:00 · 2022-06-17 14:14:58 +01:00
parent a779f0e376
commit 16e16f08dc
2 changed files with 44 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/security/AndroidWebViewCertificateValidationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidWebViewCertificateValidationQuery.qll
@@ -0,0 +1,26 @@
+import java
+
+class OnReceivedSslErrorMethod extends Method {
+  OnReceivedSslErrorMethod() {
+    this.hasQualifiedName("android.webkit", "WebViewClient", "onReceivedSslError")
+  }
+
+  Parameter handlerArg() { result = this.getParameter(1) }
+}
+
+private class SslCancelCall extends MethodAccess {
+  SslCancelCall() {
+    this.getMethod().hasQualifiedName("android.webkit", "SslErrorHandler", "cancel")
+  }
+}
+
+private class SslProceedCall extends MethodAccess {
+  SslProceedCall() {
+    this.getMethod().hasQualifiedName("android.webkit", "SslErrorHandler", "proceed")
+  }
+}
+
+predicate trustsAllCerts(OnReceivedSslErrorMethod m) {
+  exists(SslProceedCall pr | pr.getQualifier().(VarAccess).getVariable() = m.handlerArg()) and
+  not exists(SslCancelCall ca | ca.getQualifier().(VarAccess).getVariable() = m.handlerArg())
+}
--- a/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
+++ b/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Android `WebVeiw` that accepts all certificates
+ * @description Trusting all certificates allows an attacker to perform a machine-in-the-middle attack.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id java/improper-webview-certificate-validation
+ * @tags security
+ *       external/cwe/cwe-295
+ */
+
+import java
+import semmle.code.java.security.AndroidWebViewCertificateValidationQuery
+
+from OnReceivedSslErrorMethod m
+where trustsAllCerts(m)
+select m, "This handler accepts all SSL certificates."