Unsafe resource loading in Android webview

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-749/UnsafeAndroidAccess.java

@@ -0,0 +1,66 @@
+public class UnsafeAndroidAccess extends Activity {
+	public void onCreate(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(R.layout.webview);
+
+		// BAD: Have both JavaScript and universal resource access enabled in webview while
+		// taking remote user inputs
+		{
+			WebView wv = (WebView) findViewById(R.id.my_webview);
+			WebSettings webSettings = wv.getSettings();
+
+			webSettings.setJavaScriptEnabled(true);
+			webSettings.setAllowUniversalAccessFromFileURLs(true);
+
+			wv.setWebViewClient(new WebViewClient() {
+				@Override
+				public boolean shouldOverrideUrlLoading(WebView view, String url) {
+					view.loadUrl(url);
+					return true;
+				}
+			});
+
+			String thisUrl = getIntent().getExtras().getString("url"); // dangerous remote input
+			//String thisUrl = getIntent().getStringExtra("url"); //An alternative way to load dangerous remote input
+			wv.loadUrl(thisUrl);
+		}
+
+		// GOOD: Have JavaScript and universal resource access disabled while taking
+		// remote user inputs
+		{
+			WebView wv = (WebView) findViewById(-1);
+			WebSettings webSettings = wv.getSettings();
+
+			webSettings.setJavaScriptEnabled(false);
+
+			wv.setWebViewClient(new WebViewClient() {
+				@Override
+				public boolean shouldOverrideUrlLoading(WebView view, String url) {
+					view.loadUrl(url);
+					return true;
+				}
+			});
+
+			String thisUrl = getIntent().getExtras().getString("url"); // remote input
+			wv.loadUrl(thisUrl);
+		}
+
+		// GOOD: Have JavaScript enabled in webview but remote user input is not allowed
+		{
+			WebView wv = (WebView) findViewById(-1);
+			WebSettings webSettings = wv.getSettings();
+
+			webSettings.setJavaScriptEnabled(true);
+
+			wv.setWebViewClient(new WebViewClient() {
+				@Override
+				public boolean shouldOverrideUrlLoading(WebView view, String url) {
+					view.loadUrl(url);
+					return true;
+				}
+			});
+
+			wv.loadUrl("https://www.mycorp.com");
+		}
+	}
+}

java/ql/src/experimental/Security/CWE/CWE-749/UnsafeAndroidAccess.qhelp

@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>Android WebViews that allow loading urls controlled by external inputs and whose JavaScript interface is enabled are potentially vulnerable to cross-site scripting and sensitive resource disclosure attacks.</p>
+    <p>WebSettings of WebViews with setAllowFileAccessFromFileURLs or setAllowUniversalAccessFromFileURLs enabled must not load any untrusted web content.</p>
+    <p>Enabling this setting allows malicious scripts loaded in a file:// context to launch cross-site scripting attacks, either accessing arbitrary local files including WebView cookies, session tokens, private app data or even credentials used on arbitrary web sites.</p>
+    <p>This query detects the following two scenarios:</p>
+    <ol>
+      <li>Vulnerability introduced by WebViews with JavaScript enabled and remote inputs allowed.</li>
+      <li>High precision vulnerability when allowing universal resource access is also enabled. The setting was just deprecated in API level 30 (Android 11) thus most devices are still affected given that Android phones don't get timely version updates like iPhones.</li>
+    </ol>
+  </overview>
+
+  <recommendation>
+    <p>Only allow trusted web contents to be displayed in WebViews when JavaScript is enabled. And disallow universal resource access in WebSetting to reduce the attack surface .</p>
+  </recommendation>
+
+  <example>
+    <p>The following example shows both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, setting is enabled and JavaScript is enabled while urls are loaded from externally controlled inputs. In the 'GOOD' configuration, JavaScript is disabled or only trusted web contents are allowed to be loaded.</p>
+    <sample src="UnsafeAndroidAccess.java" />
+  </example>
+
+  <references>
+    <li>
+      <a href="https://cwe.mitre.org/data/definitions/749.html">CWE-749</a>
+      <a href="https://support.google.com/faqs/answer/7668153?hl=en">Fixing a File-based XSS Vulnerability</a>
+      <a href="https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md">OWASP - Testing WebView Protocol Handlers (MSTG-PLATFORM-5 and MSTG-PLATFORM-6)</a>
+    </li>
+  </references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-749/UnsafeAndroidAccess.ql

@@ -0,0 +1,139 @@
+/**
+ * @name Unsafe resource loading in Android webview
+ * @description JavaScript rendered inside WebViews can access any protected application file and web resource from any origin
+ * @kind path-problem
+ * @tags security
+ *       external/cwe/cwe-749
+ *       external/cwe/cwe-079
+ */
+
+import java
+import semmle.code.java.frameworks.android.Intent
+import semmle.code.java.frameworks.android.WebView
+import semmle.code.java.dataflow.FlowSources
+
+/**
+ * Allow universal access methods in the WebSettings class
+ */
+class AllowUniversalAccessMethod extends Method {
+  AllowUniversalAccessMethod() {
+    this.getDeclaringType() instanceof TypeWebSettings and
+    (
+      this.hasName("setAllowUniversalAccessFromFileURLs") or
+      this.hasName("setAllowFileAccessFromFileURLs")
+    )
+  }
+}
+
+/**
+ * `setJavaScriptEnabled` method for the webview
+ */
+class AllowJavaScriptMethod extends Method {
+  AllowJavaScriptMethod() {
+    this.getDeclaringType() instanceof TypeWebSettings and
+    this.hasName("setJavaScriptEnabled")
+  }
+}
+
+/**
+ * Check whether JavaScript is enabled in the webview with universal resource access
+ */
+predicate isJSEnabled(MethodAccess ma) {
+  exists(VarAccess va, MethodAccess jsa |
+    ma.getQualifier() = va and
+    jsa.getQualifier() = va.getVariable().getAnAccess() and
+    jsa.getMethod() instanceof AllowJavaScriptMethod and
+    jsa.getArgument(0).(BooleanLiteral).getBooleanValue() = true
+  )
+}
+
+/**
+ * Load URL method call on the `android.webkit.WebView` object
+ */
+class LoadResourceMethodAccess extends MethodAccess {
+  LoadResourceMethodAccess() {
+    this.getMethod().getDeclaringType() instanceof TypeWebView and
+    (
+      this.getMethod().hasName("loadUrl") or
+      this.getMethod().hasName("postUrl")
+    )
+  }
+}
+
+/**
+ * Method access to external inputs of `android.content.Intent` object
+ */
+class IntentGetExtraMethodAccess extends MethodAccess {
+  IntentGetExtraMethodAccess() {
+    this.getMethod().getName().regexpMatch("get\\w+Extra") and
+    this.getMethod().getDeclaringType() instanceof TypeIntent
+    or
+    this.getMethod().getName().regexpMatch("get\\w+") and
+    this.getQualifier().(MethodAccess).getMethod().hasName("getExtras") and
+    this.getQualifier().(MethodAccess).getMethod().getDeclaringType() instanceof TypeIntent
+  }
+}
+
+/**
+ * Source of loading urls
+ */
+class UntrustedResourceSource extends RemoteFlowSource {
+  UntrustedResourceSource() {
+    exists(MethodAccess ma |
+      ma instanceof IntentGetExtraMethodAccess and
+      this.asExpr().(VarAccess).getVariable().getAnAssignedValue() = ma
+    )
+  }
+
+  override string getSourceType() {
+    result = "user input vulnerable to XSS and sensitive resource disclosure attacks" and
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof AllowUniversalAccessMethod and //High precision match of unsafe resource loading
+      ma.getArgument(0).(BooleanLiteral).getBooleanValue() = true
+    )
+    or
+    result = "user input potentially vulnerable to XSS and sensitive resource disclosure attacks" and
+    not exists(MethodAccess ma |
+      ma.getMethod() instanceof AllowUniversalAccessMethod and //High precision match of unsafe resource loading
+      ma.getArgument(0).(BooleanLiteral).getBooleanValue() = true
+    )
+  }
+}
+
+/**
+ * load externally controlled data from loadUntrustedResource
+ */
+predicate loadUntrustedResource(MethodAccess ma, Expr sink) {
+  ma instanceof LoadResourceMethodAccess and
+  sink = ma.getArgument(0)
+}
+
+/**
+ * Sink of loading urls
+ */
+class UntrustedResourceSink extends DataFlow::ExprNode {
+  UntrustedResourceSink() { loadUntrustedResource(_, this.getExpr()) }
+
+  MethodAccess getMethodAccess() { loadUntrustedResource(result, this.getExpr()) }
+}
+
+class LoadUntrustedResourceConfiguration extends TaintTracking::Configuration {
+  LoadUntrustedResourceConfiguration() { this = "LoadUntrustedResourceConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedResourceSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof UntrustedResourceSink }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, LoadUntrustedResourceConfiguration conf
+where
+  exists(VarAccess webviewVa, MethodAccess getSettingsMa, MethodAccess ma |
+    conf.hasFlowPath(source, sink) and
+    sink.getNode().(UntrustedResourceSink).getMethodAccess().getQualifier() = webviewVa and
+    webviewVa.getVariable().getAnAccess() = getSettingsMa.getQualifier() and
+    ma.getQualifier().(VarAccess).getVariable().getAnAssignedValue() = getSettingsMa and
+    isJSEnabled(ma)
+  )
+select sink.getNode().(UntrustedResourceSink).getMethodAccess(), source, sink,
+  "Unsafe resource loading in Android webview due to $@.", source.getNode(),
+  source.getNode().(UntrustedResourceSource).getSourceType()

java/ql/test/experimental/query-tests/security/CWE-749/UnsafeAndroidAccess.expected

@@ -0,0 +1 @@
+| UnsafeAndroidAccess.java:29:3:29:21 | loadUrl(...) | UnsafeAndroidAccess.java:29:14:29:20 | thisUrl | UnsafeAndroidAccess.java:29:14:29:20 | thisUrl | Unsafe resource loading in Android webview due to $@. | UnsafeAndroidAccess.java:29:14:29:20 | thisUrl | user input vulnerable to XSS and sensitive resource disclosure attacks |

java/ql/test/experimental/query-tests/security/CWE-749/UnsafeAndroidAccess.java

@@ -0,0 +1,31 @@
+import android.app.Activity;
+
+import android.os.Bundle;
+
+import android.webkit.WebSettings;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+
+public class UnsafeAndroidAccess extends Activity {
+	public void onCreate(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(-1);
+
+		WebView wv = (WebView) findViewById(-1);
+		WebSettings webSettings = wv.getSettings();
+
+		webSettings.setJavaScriptEnabled(true);
+		webSettings.setAllowFileAccessFromFileURLs(true);
+
+		wv.setWebViewClient(new WebViewClient() {
+			@Override
+			public boolean shouldOverrideUrlLoading(WebView view, String url) {
+				view.loadUrl(url);
+				return true;
+			}
+		});
+
+		String thisUrl = getIntent().getExtras().getString("url");
+		wv.loadUrl(thisUrl);
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-749/UnsafeAndroidAccess.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-749/UnsafeAndroidAccess.ql

java/ql/test/experimental/query-tests/security/CWE-749/options

@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0