Java: Query for Android WebView File Access

Query for Android WebView file access settings

Author: egregius313

java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.qhelp

@@ -0,0 +1,57 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      File access in an Android WebView can expose the device's file system to
+      the JavaScript running in the WebView. If there are vulnerabilities in the
+      JavaScript, file access may allow an attacker to access or steal the
+      user's data.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>When possible, you should disallow file access by setting the following settings to <code>false</code>:</p>
+
+    <ul>
+      <li><code>setAllowFileAccess</code></li>
+      <li><code>setAllowFileAccessFromFileURLs</code></li>
+      <li><code>setAllowUniversalAccessFromFileURLs</code></li>
+    </ul>
+  </recommendation>
+
+  <example>
+    <p>In the following (bad) example, the WebView is configured with the settings
+    which would allow local file access.</p>
+
+    <sample src="WebViewFileAccessUnsafe.java"/>
+
+    <p>In the following (good) example, the WebView is configured to disallow file access.</p>
+
+    <sample src="WebViewFileAccessSafe.java"/>
+
+  </example>
+
+  <references>
+    <li>
+      Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean)"><code>WebSettings.setAllowFileAccess</code></a>.
+    </li>
+    <li>
+      Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccessFromFileURLs(boolean)"><code>WebSettings.setAllowFileAccessFromFileURLs</code></a>.
+    </li>
+    <li>
+      Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setAllowUniversalAccessFromFileURLs(boolean)"><code>WebSettings.setAllowUniversalAccessFromFileURLs</code></a>.
+    </li>
+    <li>
+      File access from URLs is enabled for WebView: <a href="https://oversecured.com/vulnerabilities#Android/File_access_from_file_URLs_is_enabled_for_WebView">File access for URLs is enabled for WebView</a>.
+    </li>
+    <li>
+      File access is enabled for WebView: <a href="https://oversecured.com/vulnerabilities#Android/File_access_is_enabled_for_WebView">File access is enabled for WebView</a>.
+    </li>
+    <li>
+      Universal file access from file URLs is enabled for WebView: <a href="https://oversecured.com/vulnerabilities#Android/Universal_file_access_from_file_URLs_is_enabled_for_WebView">Universal file access from file URLs is enabled for WebView</a>.
+    </li>
+  </references>
+
+</qhelp>

java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Android WebSettings file access
+ * @kind problem
+ * @id java/android-websettings-file-access
+ * @problem.severity warning
+ * @security-severity 6.5
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-200
+ */
+
+import java
+import semmle.code.java.frameworks.android.WebView
+
+from MethodAccess ma
+where ma.getMethod() instanceof CrossOriginAccessMethod
+select ma, "WebView setting $@ may allow for unauthorized access of sensitive information.", ma,
+  ma.getMethod().getName()

java/ql/src/Security/CWE/CWE-200/WebViewFileAccessSafe.java

@@ -0,0 +1,5 @@
+WebSettings settings = view.getSettings();
+
+settings.setAllowFileAccess(false);
+settings.setAllowFileAccessFromURLs(false);
+settings.setAllowUniversalAccessFromURLs(false);

java/ql/src/Security/CWE/CWE-200/WebViewFileAccessUnsafe.java

@@ -0,0 +1,5 @@
+WebSettings settings = view.getSettings();
+
+settings.setAllowFileAccess(true);
+settings.setAllowFileAccessFromURLs(true);
+settings.setAllowUniversalAccessFromURLs(true);