Merge pull request github#11238 from egregius313/egregius313/webview-setjavascriptenabled

egregius313 · web-flow · commit 170c9af9e873 · 2022-12-07T09:31:58.000-05:00
Java: Query for detecting enabling Javascript in Android WebSettings
diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.qhelp b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.qhelp
@@ -0,0 +1,49 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Enabling JavaScript in an Android WebView allows the execution of
+      JavaScript code in the context of the running application. This creates a
+      cross-site scripting vulnerability.
+    </p>
+
+    <p>
+      For example, if your application's WebView allows for visiting web pages
+      that you do not trust, it is possible for an attacker to lead the user to
+      a page which loads malicious JavaScript.
+    </p>
+
+    <p>
+      You can enable or disable Javascript execution using
+      the <code>setJavaScriptEnabled</code> method of the settings of a WebView.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>JavaScript execution is disabled by default. You can explicitly disable
+    it by calling <code>setJavaScriptEnabled(false)</code> on the settings of
+    the WebView.</p>
+
+    <p>If JavaScript is necessary, only load content from trusted servers using encrypted channels, such as HTTPS with certificate verification.</p>
+  </recommendation>
+
+  <example>
+    <p>In the following (bad) example, a WebView has JavaScript enabled in its settings:</p>
+
+    <sample src="WebSettingsEnableJavascript.java"/>
+
+    <p>In the following (good) example, a WebView explicitly disallows JavaScript execution:</p>
+
+    <sample src="WebSettingsDisableJavascript.java"/>
+
+  </example>
+
+  <references>
+    <li>
+      Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setJavaScriptEnabled(boolean)">setJavaScriptEnabled</a>
+    </li>
+  </references>
+
+</qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Android WebView JavaScript settings
+ * @description Enabling JavaScript execution in a WebView can result in cross-site scripting attacks.
+ * @kind problem
+ * @id java/android-websettings-javascript-enabled
+ * @problem.severity warning
+ * @security-severity 6.1
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-079
+ */
+
+import java
+import semmle.code.java.frameworks.android.WebView
+
+from MethodAccess ma
+where
+  ma.getMethod() instanceof AllowJavaScriptMethod and
+  ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true
+select ma, "JavaScript execution enabled in WebView."
diff --git a/java/ql/src/Security/CWE/CWE-079/WebSettingsDisableJavascript.java b/java/ql/src/Security/CWE/CWE-079/WebSettingsDisableJavascript.java
@@ -0,0 +1,2 @@
+WebSettings settings = webview.getSettings();
+settings.setJavaScriptEnabled(false);
diff --git a/java/ql/src/Security/CWE/CWE-079/WebSettingsEnableJavascript.java b/java/ql/src/Security/CWE/CWE-079/WebSettingsEnableJavascript.java
@@ -0,0 +1,2 @@
+WebSettings settings = webview.getSettings();
+settings.setJavaScriptEnabled(true);
diff --git a/java/ql/src/change-notes/2022-11-12-websettings-setjavascript-enabled.md b/java/ql/src/change-notes/2022-11-12-websettings-setjavascript-enabled.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `java/android-websettings-javascript-enabled`, to detect if JavaScript execution is enabled in an Android WebView.
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java
@@ -0,0 +1,18 @@
+package com.example.test;
+
+import android.webkit.WebView;
+import android.webkit.WebSettings;
+
+public class SetJavascriptEnabled {
+    public static void configureWebViewUnsafe(WebView view) {
+        WebSettings settings = view.getSettings();
+        settings.setJavaScriptEnabled(true); // $javascriptEnabled
+    }
+
+    public static void configureWebViewSafe(WebView view) {
+        WebSettings settings = view.getSettings();
+
+        // Safe: Javascript disabled
+        settings.setJavaScriptEnabled(false);
+    }
+}
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.expected b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.expected
@@ -0,0 +1 @@
+| SetJavascriptEnabled.java:9:9:9:43 | setJavaScriptEnabled(...) | JavaScript execution enabled in WebView. |
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.qlref b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/options b/java/ql/test/query-tests/security/CWE-079/semmle/tests/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/javax-faces-2.3/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/javax-faces-2.3/:${testdir}/../../../../../stubs/google-android-9.0.0

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+WebSettings settings = webview.getSettings();`
	`2`	`+settings.setJavaScriptEnabled(false);`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+WebSettings settings = webview.getSettings();`
	`2`	`+settings.setJavaScriptEnabled(true);`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: newQuery
 +---
 +* Added a new query, `java/android-websettings-javascript-enabled`, to detect if JavaScript execution is enabled in an Android WebView.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| SetJavascriptEnabled.java:9:9:9:43 \| setJavaScriptEnabled(...) \| JavaScript execution enabled in WebView. \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/javax-faces-2.3/`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/javax-faces-2.3/:${testdir}/../../../../../stubs/google-android-9.0.0`