Add webview debugging query

2025-12-24 04:36:35 +01:00 · 2022-08-26 16:34:06 +01:00
parent 82c3e53694
commit 20b2956322
2 changed files with 63 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/security/WebviewDubuggingEnabledQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/WebviewDubuggingEnabledQuery.qll
@@ -0,0 +1,43 @@
+/** Definitions for the Android Webview Debugging Enabled query */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.controlflow.Guards
+import semmle.code.java.security.SecurityTests
+
+/** Holds if `ex` looks like a check that this is a debug build. */
+private predicate isDebugCheck(Expr ex) {
+  exists(Expr subex, string debug |
+    debug.toLowerCase().matches("%debug%") and
+    subex.getParent*() = ex
+  |
+    subex.(VarAccess).getVariable().getName() = debug
+    or
+    subex.(MethodAccess).getMethod().hasName("getProperty") and
+    subex.(MethodAccess).getAnArgument().(CompileTimeConstantExpr).getStringValue() = debug
+  )
+}
+
+/** Configuration to find instances of `setWebContentDebuggingEnabled` called with `true` values. */
+class WebviewDebugEnabledConfig extends DataFlow::Configuration {
+  WebviewDebugEnabledConfig() { this = "WebviewDebugEnabledConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.asExpr().(BooleanLiteral).getBooleanValue() = true
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(MethodAccess ma |
+      ma.getMethod().hasQualifiedName("android.webkit", "WebView", "setWebContentsDebuggingEnabled") and
+      node.asExpr() = ma.getArgument(0)
+    )
+  }
+
+  override predicate isBarrier(DataFlow::Node node) {
+    not node.getType() instanceof BooleanType
+    or
+    exists(Guard debug | isDebugCheck(debug) and debug.controls(node.asExpr().getBasicBlock(), _))
+    or
+    node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass
+  }
+}
--- a/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
+++ b/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Android Webview debugging enabled
+ * @description Webview debugging should not be enabled in production builds.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.2
+ * @id java/android/webview-debugging-enabled
+ * @tags security
+ *       external/cwe/cwe-489
+ * @precision high
+ */
+
+import java
+import semmle.code.java.security.WebviewDubuggingEnabledQuery
+import semmle.code.java.dataflow.DataFlow
+import DataFlow::PathGraph
+
+from WebviewDebugEnabledConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "Webview debugging is enabled here."