Merge pull request #11282 from egregius313/egregiu313/webview-addjavascriptinterface

Java: Query for detecting addJavascriptInterface method calls
2025-12-24 04:36:35 +01:00 · 2022-12-19 11:28:45 -05:00
parent 016c7a8ca7 72484b9483
commit 39a7c7bb12
8 changed files with 108 additions and 0 deletions
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.qhelp
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.qhelp
@@ -0,0 +1,40 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Calling the <code>addJavascriptInterface</code> method of
+      the <code>android.webkit.WebView</code> class allows the web pages of a
+      WebView to access a Java object's methods via JavaScript.
+    </p>
+
+    <p>
+      Objects exposed to JavaScript are available in all frames of the
+      WebView.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      If you need to expose Java objects to JavaScript, guarantee that no
+      untrusted third-party content is loaded into the WebView.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+      In the following (bad) example, a Java object is exposed to JavaScript.
+    </p>
+
+    <sample src="AndroidWebViewAddJavascriptInterfaceExample.java"/>
+
+  </example>
+
+  <references>
+    <li>
+      Android Documentation: <a href="https://developer.android.com/reference/android/webkit/WebView#addJavascriptInterface(java.lang.Object,%20java.lang.String)">addJavascriptInterface</a>
+    </li>
+  </references>
+
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Access Java object methods through JavaScript exposure
+ * @id java/android-webview-addjavascriptinterface
+ * @description Exposing a Java object in a WebView with a JavaScript interface can lead to malicious JavaScript controlling the application.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 6.1
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-079
+ */
+
+import java
+import semmle.code.java.frameworks.android.WebView
+
+from MethodAccess ma
+where ma.getMethod() instanceof WebViewAddJavascriptInterfaceMethod
+select ma, "JavaScript interface to Java object added in Android WebView."
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
@@ -0,0 +1,23 @@
+import android.webkit.JavascriptInterface;
+import android.database.sqlite.SQLiteOpenHelper;
+
+class ExposedObject extends SQLiteOpenHelper {
+    @JavascriptInterface
+    public String studentEmail(String studentName) {
+        // SQL injection
+        String query = "SELECT email FROM students WHERE studentname = '" + studentName + "'";
+
+        Cursor cursor = db.rawQuery(query, null);
+        cursor.moveToFirst();
+        String email = cursor.getString(0);
+
+        return email;
+    }
+}
+
+webview.getSettings().setJavaScriptEnabled(true);
+webview.addJavaScriptInterface(new ExposedObject(), "exposedObject");
+webview.loadData("", "text/html", null);
+
+String name = "Robert'; DROP TABLE students; --";
+webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))");