SONARKT-619 Rule S7409: Exposing Java interfaces in WebViews is security-sensitive (#591)

Author: antonioaversa

kotlin-checks-test-sources/src/main/java/android/annotation/JavascriptInterface.java

@@ -0,0 +1,4 @@
+package android.annotation;
+
+public @interface JavascriptInterface {
+}

kotlin-checks-test-sources/src/main/java/android/webkit/WebView.java

@@ -3,4 +3,7 @@
 public class WebView {
   public static void setWebContentsDebuggingEnabled(boolean enabled) {
   }
+
+  public void addJavascriptInterface(Object object, String name) {
+  }
 }

kotlin-checks-test-sources/src/main/kotlin/checks/AndroidWebViewJavascriptInterfaceCheckSample.kt

@@ -0,0 +1,103 @@
+package checks
+
+import android.annotation.JavascriptInterface
+import android.webkit.WebView
+
+class AndroidWebViewJavascriptInterfaceCheck {
+    private val valWebViewProperty: WebView = WebView()
+    private var varWebViewProperty: WebView = WebView()
+
+    class JsObject {
+        @JavascriptInterface
+        override fun toString(): String {
+            return "injectedObject"
+        }
+    }
+
+    class NotAWebView {
+        fun addJavascriptInterface(obj: Any?, name: String?) {
+        }
+    }
+
+    open class WebViewChild : WebView() {
+    }
+
+    class WebViewGrandChild : WebViewChild() {
+        override fun addJavascriptInterface(obj: Any?, name: String?) {
+        }
+    }
+
+    fun nonCompliantScenarios(webViewParam: WebView) {
+        webViewParam.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant {{Exposing a Javascript interface can expose sensitive information to attackers. Make sure it is safe here.}}
+//                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+        WebView().addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+        valWebViewProperty.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+        varWebViewProperty.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+        val valWebViewLocal = WebView()
+        valWebViewLocal.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+        var varWebViewLocal = WebView()
+        varWebViewLocal.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+
+        val valJsObjectLocal = JsObject()
+        webViewParam.addJavascriptInterface(valJsObjectLocal, "injectedObject") // Noncompliant
+        val valInjectedName = "injectedObject"
+        webViewParam.addJavascriptInterface(JsObject(), valInjectedName) // Noncompliant
+        webViewParam.addJavascriptInterface(valJsObjectLocal, valInjectedName) // Noncompliant
+
+        val valWebViewClosure = WebView()
+        val valInjectedNameClosure = "injectedObject"
+        val valJsObjectLocalClosure = JsObject()
+        fun closure() {
+            valWebViewClosure.addJavascriptInterface(valJsObjectLocalClosure, valInjectedNameClosure) // Noncompliant
+        }
+
+        // Complex expressions as parameters
+        webViewParam.addJavascriptInterface(if (true) JsObject() else JsObject(), "injectedObject") // Noncompliant
+        webViewParam.addJavascriptInterface(valJsObjectLocal, valInjectedName.toString()) // Noncompliant
+        webViewParam.addJavascriptInterface(JsObject(), valInjectedName + "suffix") // Noncompliant
+        webViewParam.let {
+            it.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+        }
+        webViewParam.let { theWebView ->
+            theWebView.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+        }
+        webViewParam?.let {
+            it.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+            it?.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+        }
+        webViewParam.run {
+            addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+        }
+        webViewParam.apply {
+            addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+            this.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+        }
+        with(webViewParam) {
+            addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+            this.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+        }
+
+        val derivedFromWebView = WebViewChild()
+        derivedFromWebView.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+
+        val derivedFromWebViewBaseType: WebView = WebViewChild()
+        derivedFromWebViewBaseType.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+
+        val derivedFromWebViewGrandChild = WebViewGrandChild()
+        derivedFromWebViewGrandChild.addJavascriptInterface(JsObject(), "injectedObject") // Noncompliant
+    }
+
+    fun compliantScenarios(webView: WebView, notAWebView: NotAWebView) {
+        WebView() // Compliant, no method invoked on the WebView
+        WebView().hashCode() // Compliant, different method invoked on the WebView
+        notAWebView.addJavascriptInterface(JsObject(), "injectedObject") // Compliant, not a WebView
+        notAWebView.let {
+            it.addJavascriptInterface(JsObject(), "injectedObject") // Compliant, not a WebView
+            it?.addJavascriptInterface(JsObject(), "injectedObject") // Compliant, not a WebView
+        }
+        with(notAWebView) {
+            addJavascriptInterface(JsObject(), "injectedObject") // Compliant, not a WebView
+            this.addJavascriptInterface(JsObject(), "injectedObject") // Compliant, not a WebView
+        }
+    }
+}

sonar-kotlin-checks/src/main/java/org/sonarsource/kotlin/checks/AndroidWebViewJavascriptInterfaceCheck.kt

@@ -0,0 +1,49 @@
+/*
+ * SonarSource Kotlin
+ * Copyright (C) 2018-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonarsource.kotlin.checks
+
+import org.jetbrains.kotlin.analysis.api.resolution.KaFunctionCall
+import org.jetbrains.kotlin.psi.KtCallExpression
+import org.sonar.check.Rule
+import org.sonarsource.kotlin.api.checks.ANY_TYPE
+import org.sonarsource.kotlin.api.checks.CallAbstractCheck
+import org.sonarsource.kotlin.api.checks.FunMatcher
+import org.sonarsource.kotlin.api.checks.STRING_TYPE
+import org.sonarsource.kotlin.api.frontend.KotlinFileContext
+import org.sonarsource.kotlin.api.visiting.withKaSession
+
+private const val MESSAGE = "Exposing a Javascript interface can expose sensitive information to attackers. Make sure it is safe here."
+
+@Rule(key = "S7409")
+class AndroidWebViewJavascriptInterfaceCheck : CallAbstractCheck() {
+
+    override val functionsToVisit = listOf(
+        FunMatcher {
+            definingSupertype = "android.webkit.WebView"
+            withNames("addJavascriptInterface")
+            withArguments(ANY_TYPE, STRING_TYPE)
+        },
+    )
+
+    override fun visitFunctionCall(
+        callExpression: KtCallExpression,
+        resolvedCall: KaFunctionCall<*>,
+        kotlinFileContext: KotlinFileContext
+    ) = withKaSession {
+        kotlinFileContext.reportIssue(callExpression, MESSAGE)
+    }
+}

sonar-kotlin-checks/src/test/java/org/sonarsource/kotlin/checks/AndroidWebViewJavascriptInterfaceCheckTest.kt

@@ -0,0 +1,19 @@
+/*
+ * SonarSource Kotlin
+ * Copyright (C) 2018-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonarsource.kotlin.checks
+
+class AndroidWebViewJavascriptInterfaceCheckTest : CheckTest(AndroidWebViewJavascriptInterfaceCheck())

sonar-kotlin-plugin/src/main/java/org/sonarsource/kotlin/plugin/KotlinCheckList.kt

@@ -20,6 +20,7 @@ import org.sonarsource.kotlin.checks.AbstractClassShouldBeInterfaceCheck
 import org.sonarsource.kotlin.checks.AllBranchesIdenticalCheck
 import org.sonarsource.kotlin.checks.AnchorPrecedenceCheck
 import org.sonarsource.kotlin.checks.AndroidBroadcastingCheck
+import org.sonarsource.kotlin.checks.AndroidWebViewJavascriptInterfaceCheck
 import org.sonarsource.kotlin.checks.ArrayHashCodeAndToStringCheck
 import org.sonarsource.kotlin.checks.AuthorisingNonAuthenticatedUsersCheck
 import org.sonarsource.kotlin.checks.BadClassNameCheck
@@ -154,6 +155,7 @@ val KOTLIN_CHECKS = listOf(
     AllBranchesIdenticalCheck::class.java,
     AnchorPrecedenceCheck::class.java,
     AndroidBroadcastingCheck::class.java,
+    AndroidWebViewJavascriptInterfaceCheck::class.java,
     ArrayHashCodeAndToStringCheck::class.java,
     AuthorisingNonAuthenticatedUsersCheck::class.java,
     BadClassNameCheck::class.java,

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S7409.html

@@ -0,0 +1,116 @@
+<p>Using Javascript interfaces in WebViews is unsafe as it allows JavaScript to invoke Java methods, potentially giving attackers access to data or
+sensitive app functionality. WebViews might include untrusted sources such as third-party iframes, making this functionality particularly risky. As
+Javascript interfaces are passed to every frame in the WebView, those iframes are also able to access the exposed Java methods.</p>
+<h2>Ask Yourself Whether</h2>
+<ul>
+  <li> The content in the WebView is fully trusted and secure. </li>
+  <li> Potentially untrusted iframes could be loaded in the WebView. </li>
+  <li> The Javascript interface has to be exposed for the entire lifecycle of the WebView. </li>
+  <li> The exposed Java methods will accept input from potentially untrusted sources. </li>
+</ul>
+<p>There is a risk if you answered yes to any of these questions.</p>
+<h2>Recommended Secure Coding Practices</h2>
+<h3>Disable JavaScript</h3>
+<p>If it is possible to disable JavaScript in the WebView, this is the most secure option. By default, JavaScript is disabled in a WebView, so you do
+not need to explicitly call <code>webSettings.setJavaScriptEnabled(true)</code> in your <code>WebSettings</code> configuration. Of course, sometimes
+it is necessary to enable JavaScript, in which case the following recommendations should be considered.</p>
+<h3>Remove JavaScript interface when loading untrusted content</h3>
+<p>JavaScript interfaces can be removed at a later point. It is recommended to remove the JavaScript interface when it is no longer needed. If it is
+needed for a longer time, consider removing it before loading untrusted content. This can be done by calling
+<code>webView.removeJavascriptInterface("interfaceName")</code>.</p>
+<p>A good place to do this is inside the <code>shouldInterceptRequest</code> method of a <code>WebViewClient</code>, where you can check the URL or
+resource being loaded and remove the interface if the content is untrusted.</p>
+<h3>Alternative methods to implement native bridges</h3>
+<p>If a native bridge has to be added to the WebView, and it is impossible to remove it at a later point, consider using an alternative method that
+offers more control over the communication flow. <code>WebViewCompat.postWebMessage</code>/<code>WebViewCompat.addWebMessageListener</code> and
+<code>WebMessagePort.postMessage</code> offer more ways to validate incoming and outgoing messages, such as by being able to restrict the origins that
+can send messages to the JavaScript bridge.</p>
+<h2>Sensitive Code Example</h2>
+<pre>
+class ExampleActivity : AppCompatActivity() {
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+
+        val webView = WebView(this)
+        webView.settings.javaScriptEnabled = true
+        webView.addJavascriptInterface(JavaScriptBridge(), "androidBridge")  // Sensitive
+    }
+
+    inner class JavaScriptBridge {
+        @JavascriptInterface
+        fun accessUserData(userId): String {
+            return getUserData(userId)
+        }
+    }
+}
+</pre>
+<h2>Compliant Solution</h2>
+<p>The most secure option is to disable JavaScript entirely.</p>
+<pre>
+class ExampleActivity : AppCompatActivity() {
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+
+        val webView = WebView(this)
+        webView.settings.javaScriptEnabled = false
+    }
+}
+</pre>
+<p>If possible, remove the JavaScript interface after it is no longer needed, or before loading any untrusted content.</p>
+<pre>
+class ExampleActivity : AppCompatActivity() {
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+
+        val webView = WebView(this)
+        webView.settings.javaScriptEnabled = true
+
+        webView.addJavascriptInterface(JavaScriptBridge(), "androidBridge")
+
+        // Sometime later, before unsafe content is loaded, remove the JavaScript interface
+        webView.removeJavascriptInterface("androidBridge")
+    }
+}
+</pre>
+<p>If a JavaScript bridge must be used, consider using <code>WebViewCompat.addWebMessageListener</code> instead. This allows you to restrict the
+origins that can send messages to the JavaScript bridge.</p>
+<pre>
+class ExampleActivity : AppCompatActivity() {
+    private val ALLOWED_ORIGINS = setOf("https://example.com")
+
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+
+        val webView = WebView(this)
+        webView.settings.javaScriptEnabled = true
+
+        WebViewCompat.addWebMessageListener(
+            webView, "androidBridge", ALLOWED_ORIGINS,  // Only allow messages from these origins
+            object : WebViewCompat.WebMessageListener {
+                override fun onPostMessage(
+                    view: WebView,
+                    message: WebMessageCompat,
+                    sourceOrigin: Uri,
+                    isMainFrame: Boolean,
+                    replyProxy: JavaScriptReplyProxy
+                ) {
+                    // Handle the message
+                }
+            }
+        )
+    }
+}
+</pre>
+<h2>See</h2>
+<ul>
+  <li> Android Documentation - <a href="https://developer.android.com/privacy-and-security/risks/insecure-webview-native-bridges">Insecure WebView
+  native bridges</a> </li>
+  <li> Android Documentation - <a href="https://developer.android.com/reference/androidx/webkit/WebViewCompat">WebViewCompat API reference</a> </li>
+  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation.html">Mobile Top 10 2024
+  Category M4 - Insufficient Input/Output Validation</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration.html">Mobile Top 10 2024 Category M8 -
+  Security Misconfiguration</a> </li>
+  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/79">CWE-79 - Improper Neutralization of Input During Web Page Generation</a> </li>
+</ul>
+

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S7409.json

@@ -0,0 +1,39 @@
+{
+  "title": "Exposing Java interfaces in WebViews is security-sensitive",
+  "type": "SECURITY_HOTSPOT",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "android"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7409",
+  "sqKey": "S7409",
+  "scope": "All",
+  "securityStandards": {
+    "OWASP Mobile": [
+      "M1"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M4",
+      "M8"
+    ],
+    "OWASP Top 10 2021": [
+      "A5"
+    ],
+    "CWE": [
+      79
+    ]
+  },
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "SECURITY": "MEDIUM"
+    },
+    "attribute": "TRUSTWORTHY"
+  }
+}

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/Sonar_way_profile.json

@@ -127,6 +127,7 @@
     "S6631",
     "S6634",
     "S7204",
+    "S7409",
     "S7416"
   ]
 }