Merge pull request #5846 from atorralba/atorralba/promote-unsafe-android-webview-fetch

Java: Promote Unsafe resource loading in Android WebView from experimental
2025-12-24 04:36:35 +01:00 · 2021-08-03 14:24:34 +02:00
parent fb9feabe64 4435853c8a
commit c0d76da1a6
35 changed files with 1203 additions and 233 deletions
--- a/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.java
+++ b/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.java
@@ -0,0 +1,83 @@
+public class UnsafeAndroidAccess extends Activity {
+	public void onCreate(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(R.layout.webview);
+
+		// BAD: Have both JavaScript and cross-origin resource access enabled in webview while
+		// taking remote user inputs
+		{
+			WebView wv = (WebView) findViewById(R.id.my_webview);
+			WebSettings webSettings = wv.getSettings();
+
+			webSettings.setJavaScriptEnabled(true);
+			webSettings.setAllowUniversalAccessFromFileURLs(true);
+
+			wv.setWebViewClient(new WebViewClient() {
+				@Override
+				public boolean shouldOverrideUrlLoading(WebView view, String url) {
+					view.loadUrl(url);
+					return true;
+				}
+			});
+
+			String thisUrl = getIntent().getExtras().getString("url"); // dangerous remote input from  the intent's Bundle of extras
+			wv.loadUrl(thisUrl);
+		}
+
+		// BAD: Have both JavaScript and cross-origin resource access enabled in webview while
+		// taking remote user inputs
+		{
+			WebView wv = (WebView) findViewById(R.id.my_webview);
+			WebSettings webSettings = wv.getSettings();
+
+			webSettings.setJavaScriptEnabled(true);
+			webSettings.setAllowUniversalAccessFromFileURLs(true);
+
+			wv.setWebViewClient(new WebViewClient() {
+				@Override
+				public boolean shouldOverrideUrlLoading(WebView view, String url) {
+					view.loadUrl(url);
+					return true;
+				}
+			});
+
+			String thisUrl = getIntent().getStringExtra("url"); //dangerous remote input from intent extra
+			wv.loadUrl(thisUrl);
+		}
+
+		// GOOD: Have JavaScript and cross-origin resource access disabled by default on modern Android (Jellybean+) while taking remote user inputs
+		{
+			WebView wv = (WebView) findViewById(-1);
+			WebSettings webSettings = wv.getSettings();
+
+			wv.setWebViewClient(new WebViewClient() {
+				@Override
+				public boolean shouldOverrideUrlLoading(WebView view, String url) {
+					view.loadUrl(url);
+					return true;
+				}
+			});
+
+			String thisUrl = getIntent().getExtras().getString("url"); // remote input
+			wv.loadUrl(thisUrl);
+		}
+
+		// GOOD: Have JavaScript enabled in webview but remote user input is not allowed
+		{
+			WebView wv = (WebView) findViewById(-1);
+			WebSettings webSettings = wv.getSettings();
+
+			webSettings.setJavaScriptEnabled(true);
+
+			wv.setWebViewClient(new WebViewClient() {
+				@Override
+				public boolean shouldOverrideUrlLoading(WebView view, String url) {
+					view.loadUrl(url);
+					return true;
+				}
+			});
+
+			wv.loadUrl("https://www.mycorp.com");
+		}
+	}
+}
--- a/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.qhelp
+++ b/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.qhelp
@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>Android WebViews that allow externally controlled URLs to be loaded, and whose JavaScript interface is enabled, are potentially vulnerable to cross-site scripting and sensitive resource disclosure attacks.</p>
+    <p>A <code>WebView</code> whose <code>WebSettings</code> object has called <code>setAllowFileAccessFromFileURLs(true)</code> or <code>setAllowUniversalAccessFromFileURLs(true)</code> must not load any untrusted web content.</p>
+    <p>Enabling these settings allows malicious scripts loaded in a <code>file://</code> context to launch cross-site scripting attacks, accessing arbitrary local files including WebView cookies, session tokens, private app data or even credentials used on arbitrary web sites.</p>
+    <p>This query detects the following two scenarios:</p>
+    <ol>
+      <li>A vulnerability introduced by WebViews when JavaScript is enabled and remote inputs are allowed.</li>
+      <li>A more severe vulnerability when "allow cross-origin resource access" is also enabled. This setting was deprecated in API level 30 (Android 11), but most devices are still affected, especially since some Android phones are updated slowly or no longer updated at all.</li>
+    </ol>
+  </overview>
+
+  <recommendation>
+    <p>Only allow trusted web content to be displayed in WebViews when JavaScript is enabled. Disallow cross-origin resource access in WebSettings to reduce the attack surface.</p>
+  </recommendation>
+
+  <example>
+    <p>The following example shows both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, JavaScript and the allow access setting are enabled and URLs are loaded from externally controlled inputs. In the 'GOOD' configuration, JavaScript is disabled or only trusted web content is allowed to be loaded.</p>
+    <sample src="UnsafeAndroidAccess.java" />
+  </example>
+
+  <references>
+    <li>
+      Google Help: <a href="https://support.google.com/faqs/answer/7668153?hl=en">Fixing a File-based XSS Vulnerability</a>
+    </li>
+    <li>
+      OWASP: <a href="https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5">Testing JavaScript Execution in WebViews (MSTG-PLATFORM-5)</a>
+    </li>
+    <li>
+      OWASP: <a href="https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-webview-protocol-handlers-mstg-platform-6">Testing WebView Protocol Handlers (MSTG-PLATFORM-6)</a>
+    </li>
+  </references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.ql
+++ b/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Unsafe resource fetching in Android WebView
+ * @description JavaScript rendered inside WebViews can access protected
+ *              application files and web resources from any origin exposing them to attack.
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision medium
+ * @id java/android/unsafe-android-webview-fetch
+ * @tags security
+ *       external/cwe/cwe-749
+ *       external/cwe/cwe-079
+ */
+
+import java
+import semmle.code.java.security.UnsafeAndroidAccessQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, FetchUntrustedResourceConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Unsafe resource fetching in Android WebView due to $@.",
+  source.getNode(), sink.getNode().(UrlResourceSink).getSinkType()