
Conversation

@luchua-bc
Contributor

@luchua-bc luchua-bc commented Jun 12, 2020

Android WebViews that allow loading URLs controlled by external inputs and whose JavaScript interface is enabled are potentially vulnerable to cross-site scripting and sensitive resource disclosure attacks.

In addition, WebViews whose settings have setAllowFileAccessFromFileURLs or setAllowUniversalAccessFromFileURLs enabled must not load any untrusted web content since malicious scripts can launch cross-site scripting attacks, either accessing arbitrary local files including WebView cookies, session tokens, and private app data or even credentials used on arbitrary web sites.

This query detects the following two scenarios:

  • Vulnerability introduced by WebViews with JavaScript enabled and remote inputs allowed
  • Severe vulnerabilities when allowing cross-origin resource access is also enabled

Please consider merging the PR. Thanks.

@luchua-bc luchua-bc requested a review from a team as a code owner June 12, 2020 17:32
@luchua-bc luchua-bc changed the title Unsafe resource loading in Android webview Java: Unsafe resource loading in Android webview Jun 12, 2020
@luchua-bc luchua-bc force-pushed the java-android-webview-loading branch from 524615f to 9030834 Compare June 16, 2020 01:48
@adityasharad adityasharad changed the base branch from master to main August 14, 2020 18:34
Contributor

@smowton smowton left a comment


Hello, sorry for the delay! Quite a few comments I'm afraid but they should all be quite quick and easy to apply.

@smowton smowton self-assigned this Oct 13, 2020
Contributor

@smowton smowton left a comment


Thanks for your fast response -- a few more comments to look at, but this is looking good

@smowton
Contributor

smowton commented Oct 14, 2020

Regarding the text about two vulnerabilities, let me check my understanding:

"Vulnerability introduced by WebViews with JavaScript enabled and remote inputs allowed" I think refers to the situation where (a) the URL might be controlled by an attacker and (b) Javascript is switched on, but neither of setAllow{File,Universal}AccessFromFileURLs are set?

Then "High precision vulnerability when allowing universal resource access is also enabled" refers to the situation where additionally one of setAllow{File,Universal}AccessFromFileURLs is set?

If so then I suggest "universal" -> "cross-origin" since "Universal" is just one of the two access settings we care about, and "High precision" -> "A more severe", since we have the same imprecision level but the consequences are worse.
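To make the two scenarios concrete (the PR description's "JavaScript enabled and remote inputs allowed" case and the more severe "cross-origin resource access also enabled" case that @smowton summarises above), here is an added example of an Android Activity that is not code from this PR or from the CodeQL repository. It shows each vulnerable configuration beside a hardened variant. The package name, the `"url"` Intent extra, the allowlisted hosts and a minSdk of 24 (for the `WebResourceRequest` overload) are assumptions made for the illustration.

```java
// Added example, not part of the PR. Package, hosts and Intent extra are assumed.
package example;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class WebViewLoadingActivity extends Activity {

    // Hosts this app is prepared to render with JavaScript enabled (assumed list).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "docs.example.com"));

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        // The URL comes from whoever sent the Intent: any app on the device if this
        // Activity is exported, so it is "remote input" in the query's sense.
        String url = getIntent().getStringExtra("url");
        loadHardened(url);
    }

    // Scenario 1: JavaScript on and the URL attacker-controlled. A malicious page can
    // run script inside the app's WebView and call anything the app exposed via
    // addJavascriptInterface.
    void loadVulnerable(String url) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        webView.loadUrl(url);
    }

    // Scenario 2: the same, but file:// pages may now read other origins. If the
    // attacker can get a file:// URL loaded (e.g. a downloaded HTML file), its script
    // can read local files, WebView cookies and private app data.
    void loadMoreSevere(String url) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccessFromFileURLs(true);
        s.setAllowUniversalAccessFromFileURLs(true);
        webView.loadUrl(url);
    }

    // Hardened: https only, host allowlisted, file/content access and the two
    // cross-origin-from-file settings explicitly off, and every later navigation
    // (redirects, links) re-checked by the WebViewClient.
    void loadHardened(String url) {
        if (!isAllowed(url)) {
            webView.loadUrl("about:blank");
            return;
        }
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation.
                return !isAllowed(request.getUrl().toString());
            }
        });
        webView.loadUrl(url);
    }

    // Parse with android.net.Uri and compare the host component, rather than doing
    // a string-prefix check that "https://www.example.com.evil.net" would pass.
    static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri u = Uri.parse(url);
        return "https".equalsIgnoreCase(u.getScheme())
                && u.getHost() != null
                && ALLOWED_HOSTS.contains(u.getHost().toLowerCase());
    }
}
```

Two points worth checking in a real code base: the file-URL settings are set explicitly in `loadHardened` because their defaults depend on the app's target SDK (the platform documents them as true for old targets and false from API 16 onwards, with `setAllowFileAccess` itself switching to false from API 30), so relying on the default is fragile across builds; and the `WebViewClient` matters because the initial `loadUrl` check alone does nothing about a server-side redirect to an origin you never meant to render with JavaScript enabled.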

Contributor

@smowton smowton left a comment


This incorporates my suggested reword (please apply it elsewhere if this text is duplicated), plus avoids the CodeQL help weighing in on Droid vs. iPhone :)

smowton previously approved these changes Oct 15, 2020
Contributor

@smowton smowton left a comment


Looks good! Let's sort out the doc comments, then good to merge

@smowton
Contributor

smowton commented Oct 15, 2020

BTW don't worry about the failing code scanning job, there was an outage recently and it should clear on your next push. Rebase on latest main to be sure we're running the latest version of the tests.

aschackmull previously approved these changes Oct 15, 2020
@luchua-bc
Contributor Author

luchua-bc commented Oct 15, 2020

Thanks a lot for all the help from @smowton and @aschackmull with this PR.

@luchua-bc

@smowton
Contributor

smowton commented Oct 15, 2020

@luchua-bc please rebase the branch on latest main to (probably) fix CI

@smowton
Contributor

smowton commented Oct 15, 2020

This still needs a rebase:

git fetch https://github.com/github/codeql.git main
git rebase FETCH_HEAD

@luchua-bc
Contributor Author

Thanks @smowton. Probably the issue was caused by my not having merged with master for a long time. I will refresh my copy.

@smowton
Contributor

smowton commented Oct 15, 2020

  1. master on this (and other Github repos) has been renamed to main
  2. A rebase is usually preferred to a merge for a PR because it produces a better Git history -- the merge will create a merge commit in the PR showing main's changes being brought in, whereas a rebase replays your commits on top of main as it stands today, similar to git cherry-pick if you've used that.

In any case, you can learn about that in your own time -- this will land in #4483.

@luchua-bc luchua-bc force-pushed the java-android-webview-loading branch from bd451fe to edba5d9 Compare October 16, 2020 02:38
@luchua-bc luchua-bc force-pushed the java-android-webview-loading branch 2 times, most recently from 2f0fea9 to bd451fe Compare October 16, 2020 04:12
@shati-patel shati-patel removed their request for review October 16, 2020 05:59
smowton added a commit that referenced this pull request Oct 19, 2020
@smowton
Contributor

smowton commented Oct 19, 2020

Merged as #4483


4 participants