Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Java: Query to detect Android Webview file access #11241

Open
wants to merge 12 commits into
base: main
Choose a base branch
from

Conversation

egregius313
Copy link
Contributor

@egregius313 egregius313 commented Nov 12, 2022

Added a query for detecting settings of Android WebViews which enable access to the file system.

@egregius313 egregius313 requested a review from a team as a code owner Nov 12, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Nov 12, 2022

QHelp previews:

java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelp

Android WebSettings file access

File access in an Android WebView can expose the device's file system to the JavaScript running in the WebView. If there are vulnerabilities in the JavaScript or untrusted content is loaded in the WebView, file access may allow an attacker to access or steal the user's data.

Recommendation

When possible, you should disallow file access by setting the following settings to false:

  • setAllowFileAccess
  • setAllowFileAccessFromFileURLs
  • setAllowUniversalAccessFromFileURLs

Example

In the following (bad) example, the WebView is configured with the settings which would allow local file access.

WebSettings settings = view.getSettings();

settings.setAllowFileAccess(true);
settings.setAllowFileAccessFromURLs(true);
settings.setAllowUniversalAccessFromURLs(true);

In the following (good) example, the WebView is configured to disallow file access.

WebSettings settings = view.getSettings();

settings.setAllowFileAccess(false);
settings.setAllowFileAccessFromURLs(false);
settings.setAllowUniversalAccessFromURLs(false);

References

Copy link
Contributor

@atorralba atorralba left a comment

I added some comments. Also, this will need tests.

</overview>

<recommendation>
<p>When possible, you should disallow file access by setting the following settings to <code>false</code>:</p>
Copy link
Contributor

@atorralba atorralba Nov 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would mention this is false by default, so leaving it untouched would also suffice to prevent the issue. Also, we should probably recommend the use of AssetLoader instead as well (see the note in https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean)).


<sample src="WebViewFileAccessUnsafe.java"/>

<p>In the following (good) example, the WebView is configured to disallow file access.</p>
Copy link
Contributor

@atorralba atorralba Nov 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think an example of how to use AssetLoader as a safe alternative would be interesting as well.

//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7/:${testdir}/../../../../../stubs/google-android-9.0.0
Copy link
Contributor

@atorralba atorralba Nov 15, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the apache-commons-lang stub needed?

Copy link
Contributor Author

@egregius313 egregius313 Nov 15, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but not for these tests. That's for a pre-existing test for another CWE-200 test: TempDirLocalInformationDisclosure.qlref

import android.webkit.WebSettings;

class WebViewFileAccess {
void configure(WebView view) {
Copy link
Contributor

@atorralba atorralba Nov 15, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe add a negative test case? (i.e. false being set instead)

/**
* @name Android WebSettings file access
* @kind problem
* @description Enabling access to the file system in a WebView can enable access to sensitive information.
Copy link
Contributor

@atorralba atorralba Nov 15, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sentence seems like it needs a little rewriting (repetition of "enable access"). We can wait for docs review though, if you prefer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants