Java: query for detecting enabling Javascript in Android WebSettings

2026-04-30 11:15:13 +02:00 · 2022-11-08 19:20:43 -05:00
parent 8b11e98d42
commit 4d3a837310
4 changed files with 70 additions and 0 deletions
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.qhelp
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.qhelp
@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+<p>
+  Enabling JavaScript in an Android WebView allows for the running of JavaScript
+code in the context of the running application. This opens the possibility for a
+man-in-the-middle attack, where the attacker can inject arbitrary JavaScript.
+</p>
+
+<p>
+  You can enable or disbale Javascript execution using
+  the <code>setJavaScriptEnabled</code> method of the settings of a webview.
+</p>
+  </overview>
+
+  <recommendation>
+    <p>If Javascript does not need to be enabled, call <code>setJavaScriptEnabled(false)</code> on the settings of the webview.</p>
+
+    <p>If JavaScript is necessary, only load content from trusted servers using encrypted channels, such as https with certificate verification.</p>
+  </recommendation>
+
+  <example>
+    <p>In the following (bad) example, a webview has JavaScript enabled in its settings.</p>
+
+    <sample src="WebSettingsEnableJavascript.java"/>
+
+    <p>In the following (good) example, a webview explicitly disallows JavaScript execution.</p>
+
+    <sample src="WebSettingsDisableJavascript.java"/>
+
+  </example>
+
+  <references>
+    <li>
+      Oversecured Android Vulnerabilities Guide: <a href="https://oversecured.com/vulnerabilities#Android/Enabled_JavaScript">Enabled JavaScript</a>
+    </li>
+    <li>
+      Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setJavaScriptEnabled(boolean)">setJavaScriptEnabled</a>
+    </li>
+
+  </references>
+
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Android WebView JavaScript settings
+ * @kind problem
+ * @id java/android-websettings-javascript
+ * @problem.severity warning
+ * @security-severity 6.1
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-079
+ */
+
+import java
+import semmle.code.java.frameworks.android.WebView
+
+from MethodAccess ma
+where
+  (
+    ma.getMethod() instanceof AllowJavaScriptMethod and
+    ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true
+  )
+select ma, "JavaScript execution enabled in WebView."
--- a/java/ql/src/Security/CWE/CWE-079/WebSettingsDisableJavascript.java
+++ b/java/ql/src/Security/CWE/CWE-079/WebSettingsDisableJavascript.java
@@ -0,0 +1,2 @@
+WebSettings settings = webview.getSettings();
+settings.setJavaScriptEnabled(false);
--- a/java/ql/src/Security/CWE/CWE-079/WebSettingsEnableJavascript.java
+++ b/java/ql/src/Security/CWE/CWE-079/WebSettingsEnableJavascript.java
@@ -0,0 +1,2 @@
+WebSettings settings = webview.getSettings();
+settings.setJavaScriptEnabled(true);