hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Grammar, concision, and style edits

Browse Source 
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
This commit is contained in:
Edward Minnix III
2022-12-09 11:35:02 -05:00
committed by GitHub
parent 7c4bd509a7
commit 8c8e71dd82
1 changed files with 13 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelp
View File

@@ -4,16 +4,16 @@
<qhelp> <qhelp>
<overview> <overview>
<p> <p>
File access in an Android WebView can expose the device's file system to Allowing file access in an Android WebView can expose a device's file system to
the JavaScript running in the WebView. If there are vulnerabilities in the the JavaScript running in that WebView. If the JavaScript contains
JavaScript or untrusted content is loaded in the WebView, file access may vulnerabilities or the WebView loads untrusted content, file access
allow an attacker to access or steal the user's data. allows an attacker to steal the user's data.
</p> </p>
</overview> </overview>
<recommendation> <recommendation>
<p>When possible, you should not allow file access. The file access settings <p>When possible, do not allow file access. The file access settings
are disabled by default. You can explicitly disbale them by setting the are disabled by default. You can explicitly disable file access by setting the
following settings to <code>false</code>:</p> following settings to <code>false</code>:</p>
<ul> <ul>
@@ -23,14 +23,14 @@
</ul> </ul>
<p>If your application requires access to the file system, it is best to <p>If your application requires access to the file system, it is best to
avoid using <code>file://</code> urls, and instead use an alternative that avoid using <code>file://</code> URLs. Instead, use an alternative that
allows loading files via https, such loads files via HTTPS, such
as <code>androidx.webkit.WebViewAssetLoader</code>.</p> as <code>androidx.webkit.WebViewAssetLoader</code>.</p>
</recommendation> </recommendation>
<example> <example>
<p>In the following (bad) example, the WebView is configured with the settings <p>In the following (bad) example, the WebView is configured with settings
which would allow local file access.</p> that allow local file access.</p>
<sample src="WebViewFileAccessUnsafe.java"/> <sample src="WebViewFileAccessUnsafe.java"/>
@@ -39,8 +39,9 @@
<sample src="WebViewFileAccessSafe.java"/> <sample src="WebViewFileAccessSafe.java"/>
<p> <p>
In the following example, an asset loader is configured so that assets can As mentioned previously, asset loaders can load files without file system
be access over <code>https</code>, and not require file system access. access. In the following (good) example, an asset loader is configured to
load assets over HTTPS.
</p> </p>
<sample src="AssetLoaderExample.java"/> <sample src="AssetLoaderExample.java"/>