
Commit c705031

committed
Require JS enabled even when cross-origin access is enabled in the webviews
1 parent 6884edf commit c705031


2 files changed

+28
-6
lines changed


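--- a/java/ql/src/semmle/code/java/security/UnsafeAndroidAccess.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeAndroidAccess.qll
@@ -32,13 +32,11 @@ private class DefaultUrlResourceSinkModel extends SinkModelCsv {
 
 /**
 * Cross-origin access enabled resource fetch.
-*
-* Specifically this looks for code like
-* `webView.getSettings().setAllow[File|Universal]AccessFromFileURLs(true);`
+*
+* It requires JavaScript to be enabled too to be considered a valid sink.
 */
-private class CrossOriginUrlResourceSink extends UrlResourceSink {
+private class CrossOriginUrlResourceSink extends JavaScriptEnabledUrlResourceSink {
 CrossOriginUrlResourceSink() {
-sinkNode(this, "unsafe-android-access") and
 exists(MethodAccess ma, MethodAccess getSettingsMa |
 ma.getMethod() instanceof CrossOriginAccessMethod and
 ma.getArgument(0).(BooleanLiteral).getBooleanValue() = true and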
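Review bot: The QLDoc on `CrossOriginUrlResourceSink` no longer says which calls the class matches, because the commit drops the `setAllow[File|Universal]AccessFromFileURLs(true)` example and keeps only the JavaScript requirement. I would keep both, for instance `* Matches webView.getSettings().setAllow[File|Universal]AccessFromFileURLs(true) on a WebView that also has JavaScript enabled.`, and add one sentence on why JavaScript is required (presumably because these settings only matter to script running in a file-scheme page). Removing `sinkNode(this, "unsafe-android-access")` is only equivalent if `JavaScriptEnabledUrlResourceSink`, which is not visible in this hunk, already imposes that constraint; that is worth confirming so the sink set does not change unintentionally. The class body continues past the end of the hunk.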

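--- a/java/ql/test/query-tests/security/CWE-749/app/UnsafeAndroidAccess.java
+++ b/java/ql/test/query-tests/security/CWE-749/app/UnsafeAndroidAccess.java
@@ -15,6 +15,7 @@ public void onCreate(Bundle savedInstanceState) {
 testUniversalFileAccessEnabledWebView();
 testFileAccessEnabledWebView();
 testSafeWebView();
+testCrossOriginEnabledJsDisabledWebView();
 }
 
 private void testJavaScriptEnabledWebView() {
@@ -39,6 +40,7 @@ public boolean shouldOverrideUrlLoading(WebView view, String url) {
 private void testUniversalFileAccessEnabledWebView() {
 WebView wv = (WebView) findViewById(R.id.my_webview);
 WebSettings webSettings = wv.getSettings();
+webSettings.setJavaScriptEnabled(true);
 webSettings.setAllowUniversalAccessFromFileURLs(true);
 
 wv.setWebViewClient(new WebViewClient() {
@@ -58,6 +60,7 @@ public boolean shouldOverrideUrlLoading(WebView view, String url) {
 private void testFileAccessEnabledWebView() {
 WebView wv = (WebView) findViewById(R.id.my_webview);
 WebSettings webSettings = wv.getSettings();
+webSettings.setJavaScriptEnabled(true);
 webSettings.setAllowFileAccessFromFileURLs(true);
 
 wv.setWebViewClient(new WebViewClient() {
@@ -90,4 +93,25 @@ public boolean shouldOverrideUrlLoading(WebView view, String url) {
 wv.loadUrl("https://www.mycorp.com/" + thisUrl); // Safe
 wv.loadUrl("https://www.mycorp.com"); // Safe
 }
-}
+
+private void testCrossOriginEnabledJsDisabledWebView() {
+WebView wv = (WebView) findViewById(-1);
+WebSettings webSettings = wv.getSettings();
+webSettings.setAllowUniversalAccessFromFileURLs(true);
+webSettings.setAllowFileAccessFromFileURLs(true);
+
+wv.setWebViewClient(new WebViewClient() {
+@Override
+public boolean shouldOverrideUrlLoading(WebView view, String url) {
+view.loadUrl(url);
+return true;
+}
+
+});
+
+String thisUrl = getIntent().getExtras().getString("url");
+wv.loadUrl(thisUrl); // Safe
+wv.loadUrl("https://www.mycorp.com/" + thisUrl); // Safe
+wv.loadUrl("https://www.mycorp.com"); // Safe
+}
+}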
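Review bot: `testCrossOriginEnabledJsDisabledWebView` only covers a WebView on which `setJavaScriptEnabled` is never called, so the negative case depends on the default setting. A second variant that calls `webSettings.setJavaScriptEnabled(false);` before the two `setAllow…AccessFromFileURLs(true)` calls would also pin that the sink looks at the argument value and not just the presence of the call. The new method uses `findViewById(-1)` where the sibling tests use `R.id.my_webview`; using the same id keeps the cases comparable. A short comment above the method, such as `// Cross-origin file access without JavaScript: none of the loads below should be reported`, would state the intent that the `// Safe` markers only imply.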
