Java: query for Android WebView setAllowContentAccess

2025-12-24 04:36:35 +01:00 · 2022-11-11 22:34:39 -05:00
parent e259ef5d1d
commit e4e13d38b7
3 changed files with 59 additions and 0 deletions
--- a/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsContentAccess.qhelp
+++ b/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsContentAccess.qhelp
@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>Android can provide access to content providers within a WebView using
+    the <code>setAllowContentAccess</code> setting.</p>
+
+    <p>Allowing access to content providers via <code>content://</code> URLs
+    may allow JavaScript to access protected content.</p>
+  </overview>
+
+  <recommendation>
+    <p>
+      If your app does not require access to the <code>content://</code> URL
+      functionality, you should explicitly disable the setting by
+      calling <code>setAllowContentAccess(false)</code> on the settings of the
+      WebView.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>In the following (bad) example, access to <code>content://</code> URLs is explicitly allowed.</p>
+
+    <sample src="ContentAccessEnabled.java"/>
+
+  </example>
+
+  <references>
+    <li>
+      Android Documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowContentAccess(boolean)">setAllowContentAccess</a>.
+    </li>
+  </references>
+
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsContentAccess.ql
+++ b/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsContentAccess.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Android WebSettings content access
+ * @description Access to content providers in a WebView can enable JavaScript to access protected information.
+ * @kind problem
+ * @id java/android-websettings-content-access
+ * @problem.severity warning
+ * @security-severity 6.5
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-200
+ */
+
+import java
+import semmle.code.java.frameworks.android.WebView
+
+from MethodAccess ma
+where
+  ma.getMethod() instanceof AllowContentAccessMethod and
+  ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true
+select ma,
+  "Sensitive information may be exposed via a malicious link due to access of content:// links being permitted."
--- a/java/ql/src/Security/CWE/CWE-200/ContentAccessEnabled.java
+++ b/java/ql/src/Security/CWE/CWE-200/ContentAccessEnabled.java
@@ -0,0 +1,3 @@
+WebSettings settings = webview.getSettings();
+
+settings.setAllowContentAccess(true);