Merge pull request github#11282 from egregius313/egregiu313/webview-addjavascriptinterface

Java: Query for detecting addJavascriptInterface method calls

Author: egregius313

java/ql/lib/semmle/code/java/frameworks/android/WebView.qll

@@ -39,6 +39,14 @@ class WebViewGetUrlMethod extends Method {
   }
 }
 
+/** The method `addJavascriptInterface` of the class `android.webkit.WebView` */
+class WebViewAddJavascriptInterfaceMethod extends Method {
+  WebViewAddJavascriptInterfaceMethod() {
+    this.getDeclaringType() instanceof TypeWebView and
+    this.hasName("addJavascriptInterface")
+  }
+}
+
 /**
  * A method allowing any-local-file and cross-origin access in the class `android.webkit.WebSettings`.
  */

java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.qhelp

@@ -0,0 +1,40 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Calling the <code>addJavascriptInterface</code> method of
+      the <code>android.webkit.WebView</code> class allows the web pages of a
+      WebView to access a Java object's methods via JavaScript.
+    </p>
+
+    <p>
+      Objects exposed to JavaScript are available in all frames of the
+      WebView.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      If you need to expose Java objects to JavaScript, guarantee that no
+      untrusted third-party content is loaded into the WebView.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+      In the following (bad) example, a Java object is exposed to JavaScript.
+    </p>
+
+    <sample src="AndroidWebViewAddJavascriptInterfaceExample.java"/>
+
+  </example>
+
+  <references>
+    <li>
+      Android Documentation: <a href="https://developer.android.com/reference/android/webkit/WebView#addJavascriptInterface(java.lang.Object,%20java.lang.String)">addJavascriptInterface</a>
+    </li>
+  </references>
+
+</qhelp>

java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Access Java object methods through JavaScript exposure
+ * @id java/android-webview-addjavascriptinterface
+ * @description Exposing a Java object in a WebView with a JavaScript interface can lead to malicious JavaScript controlling the application.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 6.1
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-079
+ */
+
+import java
+import semmle.code.java.frameworks.android.WebView
+
+from MethodAccess ma
+where ma.getMethod() instanceof WebViewAddJavascriptInterfaceMethod
+select ma, "JavaScript interface to Java object added in Android WebView."

java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java

@@ -0,0 +1,23 @@
+import android.webkit.JavascriptInterface;
+import android.database.sqlite.SQLiteOpenHelper;
+
+class ExposedObject extends SQLiteOpenHelper {
+    @JavascriptInterface
+    public String studentEmail(String studentName) {
+        // SQL injection
+        String query = "SELECT email FROM students WHERE studentname = '" + studentName + "'";
+
+        Cursor cursor = db.rawQuery(query, null);
+        cursor.moveToFirst();
+        String email = cursor.getString(0);
+
+        return email;
+    }
+}
+
+webview.getSettings().setJavaScriptEnabled(true);
+webview.addJavaScriptInterface(new ExposedObject(), "exposedObject");
+webview.loadData("", "text/html", null);
+
+String name = "Robert'; DROP TABLE students; --";
+webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))");

java/ql/src/change-notes/2022-11-15-android-webview-addjavascript-interface.md

@@ -0,0 +1,5 @@
+---
+category: newQuery
+---
+* Added a new query `java/android-webview-addjavascriptinterface` to detect the use of `addJavascriptInterface`, which can lead to cross-site scripting.
+

java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.expected

@@ -0,0 +1 @@
+| WebViewAddJavascriptInterface.java:10:9:10:61 | addJavascriptInterface(...) | JavaScript interface to Java object added in Android WebView. |

java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.java

@@ -0,0 +1,12 @@
+package com.example.test;
+
+import android.webkit.WebView;
+
+class WebViewAddJavascriptInterface {
+    class Greeter {
+    }
+
+    public void addGreeter(WebView view) {
+        view.addJavascriptInterface(new Greeter(), "greeter");
+    }
+}

java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql