rspec/rules/S5326/java/rule.adoc

Validating SSL/TLS connections is security-sensitive. For example, it has led in the past to the following vulnerabilities:
* https://nvd.nist.gov/vuln/detail/CVE-2014-5531[CVE-2014-5531]
* https://nvd.nist.gov/vuln/detail/CVE-2014-5524[CVE-2014-5524]
* https://nvd.nist.gov/vuln/detail/CVE-2014-5574[CVE-2014-5574]

SSL/TLS protocols encrypt network connections. The server usually provides a digital certificate to prove its identity. Accepting all SSL/TLS certificates makes your application vulnerable to https://www.owasp.org/index.php/Man-in-the-middle_attack[Man-in-the-middle attacks (MITM)].

This rule will raise an issue when a method named <code>onReceivedSslError</code> with first argument of type <code>android.webkit.WebView</code> is defined.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

Android (See also https://support.google.com/faqs/answer/7071387?hl=en["How to address WebView SSL Error Handler alerts in your apps."])
----
package com.example.myapplication.rspec_5326;

import android.net.http.SslError;
import android.os.Build;
import android.support.annotation.RequiresApi;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.function.Function;

public class SSLTLSValidation extends WebViewClient {
    private final Function<SslError, Boolean> acceptSslError;

    SSLTLSValidation(Function<SslError, Boolean> acceptSslError) {
        this.acceptSslError = acceptSslError;
    }

    @RequiresApi(api = Build.VERSION_CODES.N)
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { // Sensitive
        if (acceptSslError.apply(error)) {
            handler.proceed();
        } else {
            handler.cancel();
        }
    }
}
----

include::../see.adoc[]
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`Validating SSL/TLS connections is security-sensitive. For example, it has led in the past to the following vulnerabilities:`
			`* https://nvd.nist.gov/vuln/detail/CVE-2014-5531[CVE-2014-5531]`
			`* https://nvd.nist.gov/vuln/detail/CVE-2014-5524[CVE-2014-5524]`
			`* https://nvd.nist.gov/vuln/detail/CVE-2014-5574[CVE-2014-5574]`

			`SSL/TLS protocols encrypt network connections. The server usually provides a digital certificate to prove its identity. Accepting all SSL/TLS certificates makes your application vulnerable to https://www.owasp.org/index.php/Man-in-the-middle_attack[Man-in-the-middle attacks (MITM)].`

			`This rule will raise an issue when a method named <code>onReceivedSslError</code> with first argument of type <code>android.webkit.WebView</code> is defined.`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`Android (See also https://support.google.com/faqs/answer/7071387?hl=en["How to address WebView SSL Error Handler alerts in your apps."])`
			`----`
			`package com.example.myapplication.rspec_5326;`

			`import android.net.http.SslError;`
			`import android.os.Build;`
			`import android.support.annotation.RequiresApi;`
			`import android.webkit.SslErrorHandler;`
			`import android.webkit.WebView;`
			`import android.webkit.WebViewClient;`

			`import java.util.function.Function;`

			`public class SSLTLSValidation extends WebViewClient {`
			`private final Function<SslError, Boolean> acceptSslError;`

			`SSLTLSValidation(Function<SslError, Boolean> acceptSslError) {`
			`this.acceptSslError = acceptSslError;`
			`}`

			`@RequiresApi(api = Build.VERSION_CODES.N)`
			`@Override`
			`public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { // Sensitive`
			`if (acceptSslError.apply(error)) {`
			`handler.proceed();`
			`} else {`
			`handler.cancel();`
			`}`
			`}`
			`}`
			`----`

			`include::../see.adoc[]`