Merge pull request #11283 from egregius313/egregius313/webview-setAllowContentAccess

Java: Android WebView Content Access Query
2026-05-05 05:35:13 +02:00 · 2023-01-17 11:02:47 -05:00
parent 54b3262d9c 909b1d70d9
commit 4c018759c8
11 changed files with 243 additions and 1 deletions
--- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.expected
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.expected
@@ -0,0 +1,10 @@
+| WebViewContentAccess.java:15:9:15:57 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:38:9:38:55 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:41:25:41:49 | (...)... | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:43:9:43:44 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:46:25:46:41 | new WebView(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:48:9:48:44 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:51:25:51:44 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:53:9:53:44 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:55:29:55:48 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:57:25:57:44 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
--- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.java
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.java
@@ -0,0 +1,59 @@
+package com.example.test;
+
+import android.app.Activity;
+
+import android.webkit.WebView;
+import android.webkit.WebSettings;
+
+/** Helper class to mock a method which returns a `WebView` */
+interface WebViewGetter {
+    WebView getAWebView();
+}
+
+public class WebViewContentAccess extends Activity {
+    void enableContentAccess(WebView webview) {
+        webview.getSettings().setAllowContentAccess(true);
+    }
+
+    void disableContentAccess(WebView webview) {
+        webview.getSettings().setAllowContentAccess(false);
+    }
+
+    void configureWebViewSafe(WebView view, WebViewGetter getter) {
+        WebSettings settings = view.getSettings();
+
+        settings.setAllowContentAccess(false);
+
+        WebView view2 = (WebView) findViewById(0);
+        settings = view2.getSettings();
+
+        settings.setAllowContentAccess(false);
+
+        disableContentAccess(getter.getAWebView());
+    }
+
+    void configureWebViewUnsafe(WebView view1, WebViewGetter getter) {
+        WebSettings settings;
+
+        view1.getSettings().setAllowContentAccess(true);
+
+        // Cast expression
+        WebView view2 = (WebView) findViewById(0);
+        settings = view2.getSettings();
+        settings.setAllowContentAccess(true);
+
+        // Constructor
+        WebView view3 = new WebView(this);
+        settings = view3.getSettings();
+        settings.setAllowContentAccess(true);
+
+        // Method access
+        WebView view4 = getter.getAWebView();
+        settings = view4.getSettings();
+        settings.setAllowContentAccess(true);
+
+        enableContentAccess(getter.getAWebView());
+
+        WebView view5 = getter.getAWebView();
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.qlref
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
--- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/options
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7/:${testdir}/../../../../../stubs/google-android-9.0.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7/:${testdir}/../../../../../stubs/google-android-9.0.0
				`@@ -0,0 +1 @@`
				`Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql`