hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-09 19:51:07 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5846 from atorralba/atorralba/promote-unsafe-android-webview-fetch

Browse Source 
Java: Promote Unsafe resource loading in Android WebView from experimental
This commit is contained in:
Anders Schack-Mulligen
2021-08-03 14:24:34 +02:00
committed by GitHub
parent fb9feabe64 4435853c8a
commit c0d76da1a6
35 changed files with 1203 additions and 233 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
java/ql/src/experimental/Security/CWE/CWE-749/UnsafeAndroidAccess.java
View File

@@ -1,83 +0,0 @@
public class UnsafeAndroidAccess extends Activity {
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.webview);
// BAD: Have both JavaScript and cross-origin resource access enabled in webview while
// taking remote user inputs
{
WebView wv = (WebView) findViewById(R.id.my_webview);
WebSettings webSettings = wv.getSettings();
webSettings.setJavaScriptEnabled(true);
webSettings.setAllowUniversalAccessFromFileURLs(true);
wv.setWebViewClient(new WebViewClient() {
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
view.loadUrl(url);
return true;
}
});
String thisUrl = getIntent().getExtras().getString("url"); // dangerous remote input from the intent's Bundle of extras
wv.loadUrl(thisUrl);
}
// BAD: Have both JavaScript and cross-origin resource access enabled in webview while
// taking remote user inputs
{
WebView wv = (WebView) findViewById(R.id.my_webview);
WebSettings webSettings = wv.getSettings();
webSettings.setJavaScriptEnabled(true);
webSettings.setAllowUniversalAccessFromFileURLs(true);
wv.setWebViewClient(new WebViewClient() {
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
view.loadUrl(url);
return true;
}
});
String thisUrl = getIntent().getStringExtra("url"); //dangerous remote input from intent extra
wv.loadUrl(thisUrl);
}
// GOOD: Have JavaScript and cross-origin resource access disabled by default on modern Android (Jellybean+) while taking remote user inputs
{
WebView wv = (WebView) findViewById(-1);
WebSettings webSettings = wv.getSettings();
wv.setWebViewClient(new WebViewClient() {
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
view.loadUrl(url);
return true;
}
});
String thisUrl = getIntent().getExtras().getString("url"); // remote input
wv.loadUrl(thisUrl);
}
// GOOD: Have JavaScript enabled in webview but remote user input is not allowed
{
WebView wv = (WebView) findViewById(-1);
WebSettings webSettings = wv.getSettings();
webSettings.setJavaScriptEnabled(true);
wv.setWebViewClient(new WebViewClient() {
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
view.loadUrl(url);
return true;
}
});
wv.loadUrl("https://www.mycorp.com");
}
}
}

31
java/ql/src/experimental/Security/CWE/CWE-749/UnsafeAndroidAccess.qhelp
View File

@@ -1,31 +0,0 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>Android WebViews that allow loading URLs controlled by external inputs and whose JavaScript interface is enabled are potentially vulnerable to cross-site scripting and sensitive resource disclosure attacks.</p>
<p>A <code>WebView</code> whose <code>WebSettings</code> object has <code>setAllowFileAccessFromFileURLs(true)</code> or <code>setAllowUniversalAccessFromFileURLs(true)</code> called must not load any untrusted web content.</p>
<p>Enabling these settings allows malicious scripts loaded in a <code>file://</code> context to launch cross-site scripting attacks, either accessing arbitrary local files including WebView cookies, session tokens, private app data or even credentials used on arbitrary web sites.</p>
<p>This query detects the following two scenarios:</p>
<ol>
<li>Vulnerability introduced by WebViews with JavaScript enabled and remote inputs allowed.</li>
<li>A more severe vulnerability when allowing cross-origin resource access is also enabled. The setting was deprecated in API level 30 (Android 11), but most devices are still affected, especially given that some Android phones are updated slowly or no longer updated at all.</li>
</ol>
</overview>
<recommendation>
<p>Only allow trusted web content to be displayed in WebViews when JavaScript is enabled. Disallow cross-origin resource access in WebSetting to reduce the attack surface.</p>
</recommendation>
<example>
<p>The following example shows both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, setting is enabled and JavaScript is enabled while URLs are loaded from externally controlled inputs. In the 'GOOD' configuration, JavaScript is disabled or only trusted web content is allowed to be loaded.</p>
<sample src="UnsafeAndroidAccess.java" />
</example>
<references>
<li>
<a href="https://cwe.mitre.org/data/definitions/749.html">CWE-749</a>
<a href="https://support.google.com/faqs/answer/7668153?hl=en">Fixing a File-based XSS Vulnerability</a>
<a href="https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md">OWASP - Testing WebView Protocol Handlers (MSTG-PLATFORM-5 and MSTG-PLATFORM-6)</a>
</li>
</references>
</qhelp>

130
java/ql/src/experimental/Security/CWE/CWE-749/UnsafeAndroidAccess.ql
View File

@@ -1,130 +0,0 @@
/**
* @name Unsafe resource fetching in Android webview
* @description JavaScript rendered inside WebViews can access any protected
* application file and web resource from any origin
* @kind path-problem
* @problem.severity warning
* @precision medium
* @id java/android/unsafe-android-webview-fetch
* @tags security
* external/cwe/cwe-749
* external/cwe/cwe-079
*/
import java
import semmle.code.java.frameworks.android.Intent
import semmle.code.java.frameworks.android.WebView
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph
/**
* Methods allowing any-local-file and cross-origin access in the WebSettings class
*/
class CrossOriginAccessMethod extends Method {
CrossOriginAccessMethod() {
this.getDeclaringType() instanceof TypeWebSettings and
(
this.hasName("setAllowUniversalAccessFromFileURLs") or
this.hasName("setAllowFileAccessFromFileURLs")
)
}
}
/**
* `setJavaScriptEnabled` method for the webview
*/
class AllowJavaScriptMethod extends Method {
AllowJavaScriptMethod() {
this.getDeclaringType() instanceof TypeWebSettings and
this.hasName("setJavaScriptEnabled")
}
}
/**
* Holds if a call to `v.setJavaScriptEnabled(true)` exists
*/
predicate isJSEnabled(Variable v) {
exists(MethodAccess jsa |
v.getAnAccess() = jsa.getQualifier() and
jsa.getMethod() instanceof AllowJavaScriptMethod and
jsa.getArgument(0).(BooleanLiteral).getBooleanValue() = true
)
}
/**
* Fetch URL method call on the `android.webkit.WebView` object
*/
class FetchResourceMethodAccess extends MethodAccess {
FetchResourceMethodAccess() {
this.getMethod().getDeclaringType() instanceof TypeWebView and
this.getMethod().hasName(["loadUrl", "postUrl"])
}
}
/**
* Holds if `ma` loads URL `sink`
*/
predicate fetchResource(FetchResourceMethodAccess ma, Expr sink) { sink = ma.getArgument(0) }
/**
* A URL argument to a `loadUrl` or `postUrl` call, considered as a sink.
*/
class UrlResourceSink extends DataFlow::ExprNode {
UrlResourceSink() { fetchResource(_, this.getExpr()) }
/** Gets the fetch method that fetches this sink URL. */
FetchResourceMethodAccess getMethodAccess() { fetchResource(result, this.getExpr()) }
/**
* Holds if cross-origin access is enabled for this resource fetch.
*
* Specifically this looks for code like
* `webView.getSettings().setAllow[File|Universal]AccessFromFileURLs(true);`
*/
predicate crossOriginAccessEnabled() {
exists(MethodAccess ma, MethodAccess getSettingsMa |
ma.getMethod() instanceof CrossOriginAccessMethod and
ma.getArgument(0).(BooleanLiteral).getBooleanValue() = true and
ma.getQualifier().(VarAccess).getVariable().getAnAssignedValue() = getSettingsMa and
getSettingsMa.getMethod() instanceof WebViewGetSettingsMethod and
getSettingsMa.getQualifier().(VarAccess).getVariable().getAnAccess() =
getMethodAccess().getQualifier()
)
}
/**
* Returns a description of this vulnerability, assuming Javascript is enabled and
* the fetched URL is attacker-controlled.
*/
string getSinkType() {
if crossOriginAccessEnabled()
then result = "user input vulnerable to cross-origin and sensitive resource disclosure attacks"
else result = "user input vulnerable to XSS attacks"
}
}
/**
* Taint configuration tracking flow from untrusted inputs to `loadUrl` or `postUrl` calls.
*/
class FetchUntrustedResourceConfiguration extends TaintTracking::Configuration {
FetchUntrustedResourceConfiguration() { this = "FetchUntrustedResourceConfiguration" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
sink instanceof UrlResourceSink and
exists(VarAccess webviewVa, MethodAccess getSettingsMa, Variable v |
sink.(UrlResourceSink).getMethodAccess().getQualifier() = webviewVa and
getSettingsMa.getMethod() instanceof WebViewGetSettingsMethod and
webviewVa.getVariable().getAnAccess() = getSettingsMa.getQualifier() and
v.getAnAssignedValue() = getSettingsMa and
isJSEnabled(v)
)
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, FetchUntrustedResourceConfiguration conf
where conf.hasFlowPath(source, sink)
select sink.getNode().(UrlResourceSink).getMethodAccess(), source, sink,
"Unsafe resource fetching in Android webview due to $@.", source.getNode(),
sink.getNode().(UrlResourceSink).getSinkType()