Require JS enabled even when cross-origin access is enabled in the webviews

2026-04-30 03:05:15 +02:00 · 2021-05-10 09:45:59 +02:00
parent 6884edf52a
commit c70503142f
2 changed files with 28 additions and 6 deletions
--- a/java/ql/src/semmle/code/java/security/UnsafeAndroidAccess.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeAndroidAccess.qll
@@ -32,13 +32,11 @@ private class DefaultUrlResourceSinkModel extends SinkModelCsv {

 /**
 * Cross-origin access enabled resource fetch.
- *
- * Specifically this looks for code like
- * `webView.getSettings().setAllow[File|Universal]AccessFromFileURLs(true);`
+ * 
+ * It requires JavaScript to be enabled too to be considered a valid sink.
 */
-private class CrossOriginUrlResourceSink extends UrlResourceSink {
+private class CrossOriginUrlResourceSink extends JavaScriptEnabledUrlResourceSink {
  CrossOriginUrlResourceSink() {
-    sinkNode(this, "unsafe-android-access") and
    exists(MethodAccess ma, MethodAccess getSettingsMa |
      ma.getMethod() instanceof CrossOriginAccessMethod and
      ma.getArgument(0).(BooleanLiteral).getBooleanValue() = true and
--- a/java/ql/test/query-tests/security/CWE-749/app/UnsafeAndroidAccess.java
+++ b/java/ql/test/query-tests/security/CWE-749/app/UnsafeAndroidAccess.java
@@ -15,6 +15,7 @@ public class UnsafeAndroidAccess extends Activity {
 		testUniversalFileAccessEnabledWebView();
 		testFileAccessEnabledWebView();
 		testSafeWebView();
+		testCrossOriginEnabledJsDisabledWebView();
 	}

 	private void testJavaScriptEnabledWebView() {
@@ -39,6 +40,7 @@ public class UnsafeAndroidAccess extends Activity {
 	private void testUniversalFileAccessEnabledWebView() {
 		WebView wv = (WebView) findViewById(R.id.my_webview);
 		WebSettings webSettings = wv.getSettings();
+		webSettings.setJavaScriptEnabled(true);
 		webSettings.setAllowUniversalAccessFromFileURLs(true);

 		wv.setWebViewClient(new WebViewClient() {
@@ -58,6 +60,7 @@ public class UnsafeAndroidAccess extends Activity {
 	private void testFileAccessEnabledWebView() {
 		WebView wv = (WebView) findViewById(R.id.my_webview);
 		WebSettings webSettings = wv.getSettings();
+		webSettings.setJavaScriptEnabled(true);
 		webSettings.setAllowFileAccessFromFileURLs(true);

 		wv.setWebViewClient(new WebViewClient() {
@@ -90,4 +93,25 @@ public class UnsafeAndroidAccess extends Activity {
 		wv.loadUrl("https://www.mycorp.com/" + thisUrl); // Safe
 		wv.loadUrl("https://www.mycorp.com"); // Safe
 	}
-}
+
+	private void testCrossOriginEnabledJsDisabledWebView() {
+		WebView wv = (WebView) findViewById(-1);
+		WebSettings webSettings = wv.getSettings();
+		webSettings.setAllowUniversalAccessFromFileURLs(true);
+		webSettings.setAllowFileAccessFromFileURLs(true);
+
+		wv.setWebViewClient(new WebViewClient() {
+			@Override
+			public boolean shouldOverrideUrlLoading(WebView view, String url) {
+				view.loadUrl(url);
+				return true;
+			}
+
+		});
+
+		String thisUrl = getIntent().getExtras().getString("url");
+		wv.loadUrl(thisUrl); // Safe
+		wv.loadUrl("https://www.mycorp.com/" + thisUrl); // Safe
+		wv.loadUrl("https://www.mycorp.com"); // Safe
+	}
+}