New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Java: Query to detect Android Webview file access #11241
base: main
Are you sure you want to change the base?
Java: Query to detect Android Webview file access #11241
Conversation
Query for Android WebView file access settings
|
QHelp previews: java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelpAndroid WebSettings file accessFile access in an Android WebView can expose the device's file system to the JavaScript running in the WebView. If there are vulnerabilities in the JavaScript or untrusted content is loaded in the WebView, file access may allow an attacker to access or steal the user's data. RecommendationWhen possible, you should disallow file access by setting the following settings to
ExampleIn the following (bad) example, the WebView is configured with the settings which would allow local file access. WebSettings settings = view.getSettings();
settings.setAllowFileAccess(true);
settings.setAllowFileAccessFromURLs(true);
settings.setAllowUniversalAccessFromURLs(true);In the following (good) example, the WebView is configured to disallow file access. WebSettings settings = view.getSettings();
settings.setAllowFileAccess(false);
settings.setAllowFileAccessFromURLs(false);
settings.setAllowUniversalAccessFromURLs(false);References
|
java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql
Fixed
Show resolved
Hide resolved
java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelp
Outdated
Show resolved
Hide resolved
| </overview> | ||
|
|
||
| <recommendation> | ||
| <p>When possible, you should disallow file access by setting the following settings to <code>false</code>:</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would mention this is false by default, so leaving it untouched would also suffice to prevent the issue. Also, we should probably recommend the use of AssetLoader instead as well (see the note in https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean)).
|
|
||
| <sample src="WebViewFileAccessUnsafe.java"/> | ||
|
|
||
| <p>In the following (good) example, the WebView is configured to disallow file access.</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think an example of how to use AssetLoader as a safe alternative would be interesting as well.
java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql
Fixed
Show resolved
Hide resolved
Local file access is enabled using the `WebSettings#setAllowFileAccess` method.
java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelp
Outdated
Show resolved
Hide resolved
| //semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7/:${testdir}/../../../../../stubs/google-android-9.0.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the apache-commons-lang stub needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, but not for these tests. That's for a pre-existing test for another CWE-200 test: TempDirLocalInformationDisclosure.qlref
| import android.webkit.WebSettings; | ||
|
|
||
| class WebViewFileAccess { | ||
| void configure(WebView view) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe add a negative test case? (i.e. false being set instead)
| /** | ||
| * @name Android WebSettings file access | ||
| * @kind problem | ||
| * @description Enabling access to the file system in a WebView can enable access to sensitive information. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This sentence seems like it needs a little rewriting (repetition of "enable access"). We can wait for docs review though, if you prefer.
Added a query for detecting settings of Android WebViews which enable access to the file system.