JavaScript: Add WebView-related taint sinks for CodeInjection, DomBasedXss and ServerSideUrlRedirect. #48

Merged (3 commits), Aug 13, 2018

Conversation

xiemaisi:

I did a small evaluation on four projects that use WebView including VSCode and TinyMCE. Performance was unchanged and there were no new results. I can run a larger-scale evaluation over the weekend if desired.

@xiemaisi xiemaisi requested a review from a team August 10, 2018 15:01
@asger-semmle (Contributor):

I was going to suggest that we check for the flag javaScriptEnabled which can be used to turn off JavaScript in the web view. On the other hand, allowing non-scripted html injection can still be pretty bad, and looking at the docs now, it seems the flag only works on Android(?!). What do you think?

Otherwise LGTM.

@xiemaisi (Author):

Yes, I saw that, but as you say it only seems to apply to Android. I didn't really understand whether it was just always enabled on iOS or whether you could turn it off there as well (in which case it would be the same as on Android, so that's probably not it). In the end, I decided to just ignore it for now.

@asger-semmle (Contributor) left a comment:

Sure, let's wait and see if it comes up.

@semmle-qlci semmle-qlci merged commit 3d0748c into github:master Aug 13, 2018
@xiemaisi xiemaisi deleted the js/webview-sinks branch August 13, 2018 09:17
aibaars pushed a commit that referenced this pull request Oct 14, 2021
Check query compilation and formatting in `qltest.yml`
smowton pushed a commit to smowton/codeql that referenced this pull request Oct 28, 2021
Kotlin: Fix File locations, and fromSource/hasSourceLocation for Kotlin code
erik-krogh pushed a commit to erik-krogh/ql that referenced this pull request Dec 15, 2021
Make the create-extractor-pack.ps1 script more reliable.
dbartol pushed a commit that referenced this pull request Dec 18, 2024

3 participants