Add docs + add an additional case

joefarebrother · joefarebrother · commit f93455414301 · 2022-09-21T13:57:29.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/WebviewDubuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDubuggingEnabledQuery.qll
@@ -8,7 +8,11 @@ import semmle.code.java.security.SecurityTests
 /** Holds if `ex` looks like a check that this is a debug build. */
 private predicate isDebugCheck(Expr ex) {
   exists(Expr subex, string debug |
-    debug.toLowerCase().matches("%debug%") and
+    (
+      debug.toLowerCase().matches("%debug%")
+      or
+      debug.toLowerCase().matches("%test%")
+    ) and
     subex.getParent*() = ex
   |
     subex.(VarAccess).getVariable().getName() = debug
diff --git a/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.java b/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.java
@@ -0,0 +1,7 @@
+// BAD - debugging is always enabled 
+WebView.setWebContentsDebuggingEnabled(true);
+
+// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.
+if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {
+    WebView.setWebContentsDebuggingEnabled(true);
+}
diff --git a/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.qhelp b/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.qhelp
@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>The <code>WebView.setWebContentsDebuggingEnabled</code> method enables or disables the contents of any <code>WebView</code> in the application to be debugged.</p>
+
+<p>Enabling debugging featues could allow for additional entry points or leaking sensitive information. 
+As such, debugging should only be anabled during development, and disabled during production builds.
+</overview>
+<recommendation>
+Ensure that debugging features are not enabled during production builds. 
+If <code>WebView.setWebContentsDebuggingEnabled(true)</code> is used, ensure that it is guarded by a flag indicating that this is a debug build.
+
+</recommendation>
+<example>
+
+<p>In the code below, the BAD case shows debugging always being enabled, 
+whereas the GOOD case only enables debugging if the <code>android:debuggable</code> attribute is set to <code>true</code>.</p>
+
+<sample src="WebviewDebuggingEnabled.java" />
+
+</example>
+<references>
+
+<li>
+  Android Developers: 
+  <a href="https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)">setWebContentsDebuggingEnabled</a>.
+</li>
+
+<li>
+  Android Developers: 
+  <a href="https://developer.chrome.com/docs/devtools/remote-debugging/webviews/">Remote debugging WebViews</a>.
+</li>
+
+</references>
+</qhelp>
