Merge pull request #11283 from egregius313/egregius313/webview-setAllowContentAccess

Java: Android WebView Content Access Query

Author: egregius313

java/ql/lib/change-notes/2022-12-21-allowcontentaccessmethod.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `AllowContentAccessMethod` to represent the `setAllowContentAccess` method of the `android.webkit.WebSettings` class.

java/ql/lib/semmle/code/java/frameworks/android/WebView.qll

@@ -78,6 +78,14 @@ class WebViewSetWebViewClientMethod extends Method {
   }
 }
 
+/** The method `setAllowContentAccess` of the class `android.webkit.WebSettings` */
+class AllowContentAccessMethod extends Method {
+  AllowContentAccessMethod() {
+    this.getDeclaringType() instanceof TypeWebSettings and
+    this.hasName("setAllowContentAccess")
+  }
+}
+
 /** The method `shouldOverrideUrlLoading` of the class `android.webkit.WebViewClient`. */
 class ShouldOverrideUrlLoading extends Method {
   ShouldOverrideUrlLoading() {

java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.qhelp

@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>Android can provide access to content providers within a WebView using
+    the <code>setAllowContentAccess</code> setting.</p>
+
+    <p>Allowing access to content providers via <code>content://</code> URLs
+    may allow JavaScript to access protected content.</p>
+  </overview>
+
+  <recommendation>
+    <p>
+      If your app does not require access to the <code>content://</code> URL
+      functionality, you should explicitly disable the setting by
+      calling <code>setAllowContentAccess(false)</code> on the settings of the
+      WebView.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>In the following (bad) example, access to <code>content://</code> URLs is explicitly allowed.</p>
+
+    <sample src="ContentAccessEnabled.java"/>
+
+    <p>In the following (good) example, access to <code>content://</code> URLs is explicitly denied.</p>
+
+    <sample src="ContentAccessDisabled.java"/>
+  </example>
+
+  <references>
+    <li>
+      Android Documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowContentAccess(boolean)">setAllowContentAccess</a>.
+    </li>
+  </references>
+
+</qhelp>

java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql

@@ -0,0 +1,112 @@
+/**
+ * @name Android WebView settings allows access to content links
+ * @id java/android/websettings-allow-content-access
+ * @description Access to content providers in a WebView can allow access to protected information by loading content:// links.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @security-severity 6.5
+ * @tags security
+ *      external/cwe/cwe-200
+ */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.android.WebView
+
+/** Represents `android.webkit.WebView` and its subclasses. */
+private class TypeWebViewOrSubclass extends RefType {
+  TypeWebViewOrSubclass() { this.getASupertype*() instanceof TypeWebView }
+}
+
+/**
+ * A method access to a getter method which is private.
+ *
+ * In Kotlin, member accesses are translated to getter methods.
+ */
+private class PrivateGetterMethodAccess extends MethodAccess {
+  PrivateGetterMethodAccess() {
+    this.getMethod() instanceof GetterMethod and
+    this.getMethod().isPrivate()
+  }
+}
+
+/** A source for `android.webkit.WebView` objects. */
+class WebViewSource extends DataFlow::Node {
+  WebViewSource() {
+    this.getType() instanceof TypeWebViewOrSubclass and
+    // To reduce duplicate results, we only consider WebView objects from
+    // constructor and method calls, or method accesses which are cast to WebView.
+    (
+      this.asExpr() instanceof ClassInstanceExpr or
+      this.asExpr() instanceof MethodAccess or
+      this.asExpr().(CastExpr).getAChildExpr() instanceof MethodAccess
+    ) and
+    // Avoid duplicate results from Kotlin member accesses.
+    not this.asExpr() instanceof PrivateGetterMethodAccess
+  }
+}
+
+/**
+ * A sink representing a call to `android.webkit.WebSettings.setAllowContentAccess` that
+ * disables content access.
+ */
+class WebSettingsDisallowContentAccessSink extends DataFlow::Node {
+  WebSettingsDisallowContentAccessSink() {
+    exists(MethodAccess ma |
+      ma.getQualifier() = this.asExpr() and
+      ma.getMethod() instanceof AllowContentAccessMethod and
+      ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = false
+    )
+  }
+}
+
+class WebViewDisallowContentAccessConfiguration extends TaintTracking::Configuration {
+  WebViewDisallowContentAccessConfiguration() { this = "WebViewDisallowContentAccessConfiguration" }
+
+  override predicate isSource(DataFlow::Node node) { node instanceof WebViewSource }
+
+  /**
+   * Holds if the step from `node1` to `node2` is a dataflow step that gets the `WebSettings` object
+   * from the `getSettings` method of a `WebView` object.
+   *
+   * This step is only valid when `state1` is empty and `state2` indicates that the `WebSettings` object
+   * has been accessed.
+   */
+  override predicate isAdditionalTaintStep(
+    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
+    DataFlow::FlowState state2
+  ) {
+    state1 instanceof DataFlow::FlowStateEmpty and
+    state2 = "WebSettings" and
+    // settings = webView.getSettings()
+    // ^node2   = ^node1
+    exists(MethodAccess ma |
+      ma = node2.asExpr() and
+      ma.getQualifier() = node1.asExpr() and
+      ma.getMethod() instanceof WebViewGetSettingsMethod
+    )
+  }
+
+  override predicate isSink(DataFlow::Node node, DataFlow::FlowState state) {
+    state = "WebSettings" and
+    node instanceof WebSettingsDisallowContentAccessSink
+  }
+}
+
+from Expr e
+where
+  // explicit: setAllowContentAccess(true)
+  exists(MethodAccess ma |
+    ma = e and
+    ma.getMethod() instanceof AllowContentAccessMethod and
+    ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true
+  )
+  or
+  // implicit: no setAllowContentAccess(false)
+  exists(WebViewSource source |
+    source.asExpr() = e and
+    not any(WebViewDisallowContentAccessConfiguration cfg).hasFlow(source, _)
+  )
+select e,
+  "Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView."

java/ql/src/Security/CWE/CWE-200/ContentAccessDisabled.java

@@ -0,0 +1,3 @@
+WebSettings settings = webview.getSettings();
+
+settings.setAllowContentAccess(false);

java/ql/src/Security/CWE/CWE-200/ContentAccessEnabled.java

@@ -0,0 +1,3 @@
+WebSettings settings = webview.getSettings();
+
+settings.setAllowContentAccess(true);

java/ql/src/change-notes/2022-12-21-android-allowcontentaccess-query.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query `java/android/websettings-allow-content-access` to detect Android WebViews which do not disable access to `content://` urls.

java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.expected

@@ -0,0 +1,10 @@
+| WebViewContentAccess.java:15:9:15:57 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:38:9:38:55 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:41:25:41:49 | (...)... | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:43:9:43:44 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:46:25:46:41 | new WebView(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:48:9:48:44 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:51:25:51:44 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:53:9:53:44 | setAllowContentAccess(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:55:29:55:48 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |
+| WebViewContentAccess.java:57:25:57:44 | getAWebView(...) | Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView. |

java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.java

@@ -0,0 +1,59 @@
+package com.example.test;
+
+import android.app.Activity;
+
+import android.webkit.WebView;
+import android.webkit.WebSettings;
+
+/** Helper class to mock a method which returns a `WebView` */
+interface WebViewGetter {
+    WebView getAWebView();
+}
+
+public class WebViewContentAccess extends Activity {
+    void enableContentAccess(WebView webview) {
+        webview.getSettings().setAllowContentAccess(true);
+    }
+
+    void disableContentAccess(WebView webview) {
+        webview.getSettings().setAllowContentAccess(false);
+    }
+
+    void configureWebViewSafe(WebView view, WebViewGetter getter) {
+        WebSettings settings = view.getSettings();
+
+        settings.setAllowContentAccess(false);
+
+        WebView view2 = (WebView) findViewById(0);
+        settings = view2.getSettings();
+
+        settings.setAllowContentAccess(false);
+
+        disableContentAccess(getter.getAWebView());
+    }
+
+    void configureWebViewUnsafe(WebView view1, WebViewGetter getter) {
+        WebSettings settings;
+
+        view1.getSettings().setAllowContentAccess(true);
+
+        // Cast expression
+        WebView view2 = (WebView) findViewById(0);
+        settings = view2.getSettings();
+        settings.setAllowContentAccess(true);
+
+        // Constructor
+        WebView view3 = new WebView(this);
+        settings = view3.getSettings();
+        settings.setAllowContentAccess(true);
+
+        // Method access
+        WebView view4 = getter.getAWebView();
+        settings = view4.getSettings();
+        settings.setAllowContentAccess(true);
+
+        enableContentAccess(getter.getAWebView());
+
+        WebView view5 = getter.getAWebView();
+    }
+}

java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewContentAccess.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql