From 30cd447f69c1bacf0451394d42c54644931167b6 Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Wed, 26 Oct 2022 11:55:16 -0400 Subject: [PATCH 01/11] Java: Add class to represent `android.webkit.WebView#addJavascriptInterface` --- .../lib/semmle/code/java/frameworks/android/WebView.qll | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/java/ql/lib/semmle/code/java/frameworks/android/WebView.qll b/java/ql/lib/semmle/code/java/frameworks/android/WebView.qll index 8dd91f73f65..cb595e19f6f 100644 --- a/java/ql/lib/semmle/code/java/frameworks/android/WebView.qll +++ b/java/ql/lib/semmle/code/java/frameworks/android/WebView.qll @@ -39,6 +39,14 @@ class WebViewGetUrlMethod extends Method { } } +/** The method `addJavascriptInterface` of the class `android.webkit.WebView` */ +class WebViewAddJavascriptInterfaceMethod extends Method { + WebViewAddJavascriptInterfaceMethod() { + this.getDeclaringType() instanceof TypeWebView and + this.hasName("addJavascriptInterface") + } +} + /** * A method allowing any-local-file and cross-origin access in the class `android.webkit.WebSettings`. */ From e1ff04cd952225bd8a9cbd8074a210b0475694a5 Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Wed, 26 Oct 2022 11:55:54 -0400 Subject: [PATCH 02/11] Java: Query for `android.webkit.WebView#addJavascriptInterface` --- .../AndroidWebViewAddJavascriptInterface.ql | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql new file mode 100644 index 00000000000..59fd195d7d0 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql 
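Review bot: `this.getDeclaringType() instanceof TypeWebView` in the new `WebViewAddJavascriptInterfaceMethod` matches only the declaration on `android.webkit.WebView` itself, so if an app's `WebView` subclass overrides `addJavascriptInterface` (wrapping it to add logging or a check is not unusual), calls resolve to the override and any query built on this class will not report them. If subclasses are meant to be covered, `this.getDeclaringType().getASourceSupertype*() instanceof TypeWebView` would include them; the sibling `WebViewGetUrlMethod`, whose closing braces are in the context lines, appears to use the same declaring-type check, so whichever choice is made should be applied consistently and stated in the doc comment. The one-line doc comment could also tell a library reader why this method matters, e.g. `/** The method addJavascriptInterface of android.webkit.WebView, which exposes a Java object's methods to the JavaScript of pages loaded in the view. */`.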
@@ -0,0 +1,17 @@
+/**
+ * @id java/android-webview-addjavascriptinterface
+ * @description Exposing a Javascript interface to a Java object in a WebView can lead to malicious JavaScript controlling the application.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 6.1
+ * @precision high
+ * @tags security
+ * external/cwe/cwe-079
+ */
+
+import java
+import semmle.code.java.frameworks.android.WebView
+
+from MethodAccess ma
+where ma.getMethod() instanceof WebViewAddJavascriptInterfaceMethod
+select ma, "JavaScript interface to Java object added in Android WebView."
From e09f0861f319e1e9acbcddebc9d137dda0a3ee1b Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Fri, 11 Nov 2022 23:00:55 -0500 Subject: [PATCH 03/11] Java: documentation for WebView#addJavascriptInterface query --- ...AndroidWebViewAddJavascriptInterface.qhelp | 40 +++++++++++++++++++ ...dWebViewAddJavascriptInterfaceExample.java | 11 +++++ 2 files changed, 51 insertions(+) create mode 100644 java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.qhelp create mode 100644 java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.qhelp b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.qhelp
new file mode 100644
index 00000000000..5cadc31d810
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.qhelp
@@ -0,0 +1,40 @@
+ + + 
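Review bot: `AndroidWebViewAddJavascriptInterface.ql` alerts on every `addJavascriptInterface` call site with no condition on what the WebView later loads, so an app that only ever loads bundled assets is reported exactly like one that navigates to arbitrary URLs, and the `@description` does not tell the reader that the alert marks an exposure rather than a confirmed flaw. If the bare call-site match is kept as the heuristic, say so in the metadata, e.g. `@description Exposing a Java object to JavaScript in a WebView lets any page loaded into that WebView, including third-party content, call the object's @JavascriptInterface methods.`, or tie the result to a `loadUrl`/`loadData` on the same WebView whose argument is not a compile-time constant. The tag `external/cwe/cwe-079` is also a loose fit for an exposed method surface; CWE-749 (Exposed Dangerous Method or Function) describes this pattern more directly and could be added alongside. One further caveat worth surfacing, per the Android documentation for the method: for apps targeting API levels below 17 every public method of the exposed object is reachable via reflection, which makes this alert considerably more severe than the 6.1 score implies for such targets — the hunk alone cannot tell which case an analysed app falls into.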

+ The addJavascriptInterface method of + the android.webkit.WebView class allows the web pages of a + WebView to access methods of a Java object via JavaScript. +

+ +

+ Objects exposed to Javascript are available in all frames of the + WebView. +

+
+ + +

+ If you need to expose Java objects with Javascript, you should guarantee + that no untrusted third party content is loaded into the WebView. +

+
+ + +

+ In the following (bad) example, a Java object is exposed to Javascript. +

+ + + +
+ + +
  • + Android DocumentationaddJavascriptInterface +
  • +
    + +
diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
new file mode 100644
index 00000000000..fdb1844d025
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
@@ -0,0 +1,11 @@
+class ExposedObject {
+ @JavascriptInterface
+ public String example() {
+ return "String from Java";
+ }
+}
+
+webview.getSettings().setJavaScriptEnabled(true);
+webview.addJavaScriptInterface(new ExposedObject(), "exposedObject");
+webview.loadData("", "text/html", null);
+webview.loadUrl("javascript:alert(exposedObject.example())");
From 3b96fefc71b5bbbeb044f40be6385c54c7809108 Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Tue, 15 Nov 2022 23:26:49 -0500 Subject: [PATCH 04/11] Java: Add Android stubs to options file for CWE-079 test cases --- java/ql/test/query-tests/security/CWE-079/semmle/tests/options | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/options b/java/ql/test/query-tests/security/CWE-079/semmle/tests/options
index 22487fb2daf..62fc56e6792 100644
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/options
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/javax-faces-2.3/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/javax-faces-2.3/:${testdir}/../../../../../stubs/google-android-9.0.0
From eb8ef72e477371dbd62362757a937756ec4ee46e Mon Sep 17 00:00:00 2001
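Review bot: `webview.addJavaScriptInterface(new ExposedObject(), "exposedObject")` in the new `AndroidWebViewAddJavascriptInterfaceExample.java` misspells the API — the Android method is `addJavascriptInterface` with a lowercase `s` — so the snippet does not compile against the real class and, more to the point, would not be matched by the query's `hasName("addJavascriptInterface")`, leaving the "bad" example unable to trigger the very alert it illustrates; change it to `webview.addJavascriptInterface(new ExposedObject(), "exposedObject");`. The example then exercises the bridge only through the app's own `loadUrl("javascript:...")`, which does not show the threat the qhelp describes (third-party page content reaching the object). A comment on the `addJavascriptInterface` line such as `// any page loaded into this WebView, including third-party content, can now call exposedObject.example()` would connect the snippet to that point.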
From: Ed Minnix Date: Tue, 15 Nov 2022 23:28:18 -0500 Subject: [PATCH 05/11] Java: addJavascriptInterface query test case --- .../tests/WebViewAddJavascriptInterface.expected | 1 + .../semmle/tests/WebViewAddJavascriptInterface.java | 12 ++++++++++++ .../semmle/tests/WebViewAddJavascriptInterface.qlref | 1 + 3 files changed, 14 insertions(+) create mode 100644 java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.expected create mode 100644 java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.java create mode 100644 java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.qlref
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.expected b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.expected
new file mode 100644
index 00000000000..6974a4a8511
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.expected
@@ -0,0 +1 @@
+| WebViewAddJavascriptInterface.java:10:9:10:61 | addJavascriptInterface(...) | JavaScript interface to Java object added in Android WebView. |
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.java
new file mode 100644
index 00000000000..50fc3847705
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.java
@@ -0,0 +1,12 @@
+package com.example.test;
+
+import android.webkit.WebView;
+
+class WebViewAddJavascriptInterface {
+ class Greeter {
+ }
+
+ public void addGreeter(WebView view) {
+ view.addJavascriptInterface(new Greeter(), "greeter");
+ }
+}
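Review bot: `WebViewAddJavascriptInterface.java` only covers the positive case of a direct call on a `WebView` parameter, so the test cannot catch a regression in the declaring-type check the query relies on, nor does it record how a `WebView` subclass is treated. A negative case — an unrelated class declaring its own `addJavascriptInterface(Object, String)` and a call to it, expected to produce no result — plus a call through a class that `extends WebView`, with the outcome recorded in `.expected` either way, would pin both behaviours. `Greeter` is also a non-static inner class with no `@JavascriptInterface` methods, which is enough for matching but makes the fixture unrepresentative; a `static` nested class with one annotated method, e.g. `@JavascriptInterface public String hello() { return "hi"; }`, would mirror what the query is warning about. The `.expected` entry at `10:9` shows the alert anchored on the call expression, which is the right location.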
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.qlref b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.qlref
new file mode 100644
index 00000000000..1161c47dda6
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
From 38d47d63ec92906962e25c8334ad2590d205337c Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Tue, 15 Nov 2022 23:40:03 -0500 Subject: [PATCH 06/11] Java: Add change note for `addJavascriptInterface` query --- .../2022-11-15-android-webview-addjavascript-interface.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 java/ql/src/change-notes/2022-11-15-android-webview-addjavascript-interface.md
diff --git a/java/ql/src/change-notes/2022-11-15-android-webview-addjavascript-interface.md b/java/ql/src/change-notes/2022-11-15-android-webview-addjavascript-interface.md
new file mode 100644
index 00000000000..ad2c46585f2
--- /dev/null
+++ b/java/ql/src/change-notes/2022-11-15-android-webview-addjavascript-interface.md
@@ -0,0 +1,5 @@
+---
+category: newQuery
+---
+* Added a new query `java/android-webview-addjavascriptinterface` to detect the use of `addJavascriptInterface`, which can lead to cross-site scripting.
+
From d35321f40eb6676f3874bfd3b5531d3cec9fc1b1 Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Wed, 30 Nov 2022 11:35:14 -0500 Subject: [PATCH 07/11] Java: change WebView addJavascriptInterface query precision to medium --- .../CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
index 59fd195d7d0..d481de249ca 100644
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 6.1
- * @precision high
+ * @precision medium
  * @tags security
  * external/cwe/cwe-079
  */
From 04829fc38e6de25474416cd013a64404693a657c Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Wed, 30 Nov 2022 13:32:28 -0500 Subject: [PATCH 08/11] Java: SQLInjection example for addJavaScriptInterface query --- ...dWebViewAddJavascriptInterfaceExample.java | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
index fdb1844d025..fb4e1182a5a 100644
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
@@ -1,11 +1,23 @@
-class ExposedObject {
+import android.webkit.JavascriptInterface;
+import android.database.sqlite.SQLiteOpenHelper;
+
+class ExposedObject extends SQLiteOpenHelper {
 @JavascriptInterface
- public String example() {
- return "String from Java";
+ public String studentEmail(String studentName) {
+ // SQL injection
+ String query = "SELECT email FROM students WHERE studentname = '" + studentName + "'";
+
+ Cursor cursor = db.rawQuery(query, null);
+ cursor.moveToFirst();
+ String email = cursor.getString(0);
+
+ return email;
 }
 }
 
 webview.getSettings().setJavaScriptEnabled(true);
 webview.addJavaScriptInterface(new ExposedObject(), "exposedObject");
 webview.loadData("", "text/html", null);
-webview.loadUrl("javascript:alert(exposedObject.example())");
+
+String name = "Robert'; DROP TABLE students; --";
+webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))");
From a2c886d3679023e9066a18288f09e738fca3d4c0 Mon Sep 17 00:00:00 2001
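Review bot: `db.rawQuery(query, null)` in the new `studentEmail` reads a field `db` that `ExposedObject` never declares, and `Cursor` is used without `import android.database.Cursor;`, so the rewritten example no longer hangs together even as illustrative code; `SQLiteDatabase db = getReadableDatabase();` (available now that the class `extends SQLiteOpenHelper`) before the query, with the import added next to the two new ones, fixes both. The cursor is also never closed — `try (Cursor cursor = db.rawQuery(query, null)) { ... }` keeps the snippet honest about resource handling. Since the intent is to show the consequence of exposing a method to page script, a comment on the concatenation line saying that the string-built SQL is a second, independent bug and that `db.rawQuery("SELECT email FROM students WHERE studentname = ?", new String[] {studentName})` would close the injection without closing the exposure would stop readers drawing the wrong lesson. The retained context line `webview.addJavaScriptInterface(...)` still does not match the API's `addJavascriptInterface` spelling, so the example remains invisible to the query it documents.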
From: Edward Minnix III Date: Tue, 13 Dec 2022 11:57:46 -0500 Subject: [PATCH 09/11] Grammar and wording changes from docs review Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com> --- .../AndroidWebViewAddJavascriptInterface.qhelp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.qhelp b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.qhelp index 5cadc31d810..7917a96839d 100644 --- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.qhelp +++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.qhelp @@ -4,27 +4,27 @@

    - The addJavascriptInterface method of + Calling the addJavascriptInterface method of the android.webkit.WebView class allows the web pages of a - WebView to access methods of a Java object via JavaScript. + WebView to access a Java object's methods via JavaScript.

    - Objects exposed to Javascript are available in all frames of the + Objects exposed to JavaScript are available in all frames of the WebView.

    - If you need to expose Java objects with Javascript, you should guarantee - that no untrusted third party content is loaded into the WebView. + If you need to expose Java objects to JavaScript, guarantee that no + untrusted third-party content is loaded into the WebView.

    - In the following (bad) example, a Java object is exposed to Javascript. + In the following (bad) example, a Java object is exposed to JavaScript.

    @@ -33,7 +33,7 @@
  • - Android DocumentationaddJavascriptInterface + Android Documentation: addJavascriptInterface
  • From 40c759e61a40354a4fd63ff33153057fc93cd66b Mon Sep 17 00:00:00 2001 From: Edward Minnix III Date: Tue, 13 Dec 2022 16:14:28 -0500 Subject: [PATCH 10/11] Add @name property Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com> --- .../Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql | 1 + 1 file changed, 1 insertion(+) diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql index d481de249ca..4be7a15daa8 100644 --- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql +++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql @@ -1,4 +1,5 @@ /** + * @name Access Java object methods through JavaScript exposure * @id java/android-webview-addjavascriptinterface * @description Exposing a Javascript interface to a Java object in a WebView can lead to malicious JavaScript controlling the application. * @kind problem From 72484b9483ce3f457134955c636f2426d5c26c65 Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Wed, 14 Dec 2022 16:15:41 -0500 Subject: [PATCH 11/11] Change wording of addJavascriptInterface query description --- .../CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql index 4be7a15daa8..1b6412138b1 100644 --- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql +++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql 
@@ -1,7 +1,7 @@
 /**
  * @name Access Java object methods through JavaScript exposure
  * @id java/android-webview-addjavascriptinterface
- * @description Exposing a Javascript interface to a Java object in a WebView can lead to malicious JavaScript controlling the application.
+ * @description Exposing a Java object in a WebView with a JavaScript interface can lead to malicious JavaScript controlling the application.
  * @kind problem
  * @problem.severity warning
  * @security-severity 6.1