Java: query for Android WebView setAllowContentAccess

egregius313 · egregius313 · commit e4e13d38b717 · 2022-12-31T15:00:28.000-05:00
diff --git a/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsContentAccess.qhelp b/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsContentAccess.qhelp
@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>Android can provide access to content providers within a WebView using
+    the <code>setAllowContentAccess</code> setting.</p>
+
+    <p>Allowing access to content providers via <code>content://</code> URLs
+    may allow JavaScript to access protected content.</p>
+  </overview>
+
+  <recommendation>
+    <p>
+      If your app does not require access to the <code>content://</code> URL
+      functionality, you should explicitly disable the setting by
+      calling <code>setAllowContentAccess(false)</code> on the settings of the
+      WebView.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>In the following (bad) example, access to <code>content://</code> URLs is explicitly allowed.</p>
+
+    <sample src="ContentAccessEnabled.java"/>
+
+  </example>
+
+  <references>
+    <li>
+      Android Documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowContentAccess(boolean)">setAllowContentAccess</a>.
+    </li>
+  </references>
+
+</qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsContentAccess.ql b/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsContentAccess.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Android WebSettings content access
+ * @description Access to content providers in a WebView can enable JavaScript to access protected information.
+ * @kind problem
+ * @id java/android-websettings-content-access
+ * @problem.severity warning
+ * @security-severity 6.5
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-200
+ */
+
+import java
+import semmle.code.java.frameworks.android.WebView
+
+from MethodAccess ma
+where
+  ma.getMethod() instanceof AllowContentAccessMethod and
+  ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true
+select ma,
+  "Sensitive information may be exposed via a malicious link due to access of content:// links being permitted."
diff --git a/java/ql/src/Security/CWE/CWE-200/ContentAccessEnabled.java b/java/ql/src/Security/CWE/CWE-200/ContentAccessEnabled.java
@@ -0,0 +1,3 @@
+WebSettings settings = webview.getSettings();
+
+settings.setAllowContentAccess(true);

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+WebSettings settings = webview.getSettings();`
	`2`	`+`
	`3`	`+settings.setAllowContentAccess(true);`