Java: documentation for WebView#addJavascriptInterface query

Author: egregius313

java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.qhelp

@@ -0,0 +1,40 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      The <code>addJavascriptInterface</code> method of
+      the <code>android.webkit.WebView</code> class allows the web pages of a
+      WebView to access methods of a Java object via JavaScript.
+    </p>
+
+    <p>
+      Objects exposed to Javascript are available in all frames of the
+      WebView.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      If you need to expose Java objects with Javascript, you should guarantee
+      that no untrusted third party content is loaded into the WebView.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+      In the following (bad) example, a Java object is exposed to Javascript.
+    </p>
+
+    <sample src="AndroidWebViewAddJavascriptInterfaceExample.java"/>
+
+  </example>
+
+  <references>
+    <li>
+      Android Documentation<a href="https://developer.android.com/reference/android/webkit/WebView#addJavascriptInterface(java.lang.Object">addJavascriptInterface</a>
+    </li>
+  </references>
+
+</qhelp>

java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java

@@ -0,0 +1,11 @@
+class ExposedObject {
+    @JavascriptInterface
+    public String example() {
+        return "String from Java";
+    }
+}
+
+webview.getSettings().setJavaScriptEnabled(true);
+webview.addJavaScriptInterface(new ExposedObject(), "exposedObject");
+webview.loadData("", "text/html", null);
+webview.loadUrl("javascript:alert(exposedObject.example())");