Java: Query for detecting enabling Javascript in Android WebSettings #11238

Open
wants to merge 7 commits into
base: main

@egregius313 egregius313 commented Nov 12, 2022

Add a query for detecting the enabling of JavaScript execution in Android WebViews.

@egregius313 egregius313 requested a review from a team as a code owner Nov 12, 2022

github-actions bot commented Nov 12, 2022

QHelp previews:

java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.qhelp

Android WebView JavaScript settings

Enabling JavaScript in an Android WebView allows for the running of JavaScript code in the context of the running application. This opens the possibility for cross-site scripting if the attacker can inject arbitrary JavaScript.

For example, if your application's WebView allows for visiting web pages which you do not trust, it is possible for an attacker to lead the user to a page which loads malicious JavaScript.

You can enable or disable JavaScript execution using the setJavaScriptEnabled method of the settings of a WebView.

Recommendation

If JavaScript does not need to be enabled, call setJavaScriptEnabled(false) on the settings of the WebView.

If JavaScript is necessary, only load content from trusted servers using encrypted channels, such as HTTPS with certificate verification.

Example

In the following (bad) example, a WebView has JavaScript enabled in its settings.

WebSettings settings = webview.getSettings();
settings.setJavaScriptEnabled(true);

In the following (good) example, a WebView explicitly disallows JavaScript execution.

WebSettings settings = webview.getSettings();
settings.setJavaScriptEnabled(false);
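
The QHelp recommendation for the case where JavaScript is necessary (trusted servers over HTTPS with certificate verification), as an added example that is not part of this pull request or of the CodeQL repository. The class name, the helper methods and the hosts in `TRUSTED_HOSTS` are assumptions made for illustration.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Added example: a WebView that needs JavaScript but only navigates to allow-listed HTTPS hosts. */
public final class TrustedWebViewConfig {
    // Assumption: placeholder hosts; replace with the servers the app actually trusts.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "static.example.com"));

    /** True only for https:// URLs whose host is exactly on the allow-list (no suffix matching). */
    static boolean isTrusted(Uri uri) {
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true); // needed by this hypothetical app
        // Refuse http:// content embedded in https:// pages (API 21+).
        settings.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrusted(request.getUrl()); // true cancels the navigation (API 24+)
            }
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel(); // never proceed() past a certificate error
            }
        });
    }

    /** Apply the same check to the URL the app itself asks the WebView to load. */
    public static void loadIfTrusted(WebView webView, String url) {
        if (isTrusted(Uri.parse(url))) {
            webView.loadUrl(url);
        }
    }
}
```

The navigation callback covers page navigations, not subresource requests, so the pages on the trusted hosts still decide which scripts they include.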

@atorralba atorralba left a comment

I added some comments. Also, this will need tests.

<p>
Enabling JavaScript in an Android WebView allows for the running of JavaScript
code in the context of the running application. This opens the possibility for a
man-in-the-middle attack, where the attacker can inject arbitrary JavaScript.

@atorralba atorralba Nov 14, 2022

The attack vector isn't only a MitM attack: if the application loads untrusted content in the WebView, attackers could provide malicious JavaScript to be executed as well.

</overview>

<recommendation>
<p>If Javascript does not need to be enabled, call <code>setJavaScriptEnabled(false)</code> on the settings of the webview.</p>
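
Review bot: In the <recommendation> paragraph, "Javascript" and "webview" do not match the "JavaScript" and "WebView" spelling used in the overview paragraph and in the API name setJavaScriptEnabled. Suggest writing "If JavaScript does not need to be enabled" and "on the settings of the WebView" so the help text is consistent throughout.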

@atorralba atorralba Nov 14, 2022

Maybe mention that this is false by default, and thus it would also suffice to not explicitly enable it?

egregius313 and others added 4 commits Nov 14, 2022
Typos and formatting changes.

Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>