rspec/rules/S7409/kotlin/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

:setJavaScriptEnabledSnippet: webSettings.javaScriptEnabled = false

include::../recommended.adoc[]

== Sensitive Code Example

[source,kotlin]
----
class ExampleActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        val webView = WebView(this)
        webView.settings.javaScriptEnabled = true
        webView.addJavascriptInterface(JavaScriptBridge(), "androidBridge")  // Sensitive
    }

    inner class JavaScriptBridge {
        @JavascriptInterface
        fun accessUserData(userId): String {
            return getUserData(userId)
        }
    }
}
----

== Compliant Solution

The most secure option is to disable JavaScript entirely. S6362 further explains why it should not be enabled
unless absolutely necessary.

[source,kotlin]
----
class ExampleActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        val webView = WebView(this)
        webView.settings.javaScriptEnabled = false
    }
}
----

If possible, remove the JavaScript interface after it is no longer needed, or before loading any untrusted content.

[source,kotlin]
----
class ExampleActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        val webView = WebView(this)
        webView.settings.javaScriptEnabled = true

        webView.addJavascriptInterface(JavaScriptBridge(), "androidBridge")

        // Sometime later, before unsafe content is loaded, remove the JavaScript interface
        webView.removeJavascriptInterface("androidBridge")
    }
}
----

If a JavaScript bridge must be used, consider using ``WebViewCompat.addWebMessageListener`` instead. This allows you to restrict
the origins that can send messages to the JavaScript bridge.

[source,kotlin]
----
class ExampleActivity : AppCompatActivity() {
    private val ALLOWED_ORIGINS = setOf("https://example.com")

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        val webView = WebView(this)
        webView.settings.javaScriptEnabled = true

        WebViewCompat.addWebMessageListener(
            webView, 
            "androidBridge", 
            ALLOWED_ORIGINS,  // Only allow messages from these origins
            object : WebViewCompat.WebMessageListener {
                override fun onPostMessage(
                    view: WebView,
                    message: WebMessageCompat,
                    sourceOrigin: Uri,
                    isMainFrame: Boolean,
                    replyProxy: JavaScriptReplyProxy
                ) {
                    // Handle the message
                }
            }
        )
    }
}
----

include::../see.adoc[]
SONARJAVA-5412 Modify rule S7409: Add Java language 2025-03-28 20:51:38 +01:00			`include::../description.adoc[]`
Create rule S7409: Exposing Java interfaces in WebViews is security-sensitive (SONARKT-571) (#4721) * Create rule S7409 * Initial commit * Use double code tags everywhere * Rephrase the Ask Yourself Whether section --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2025-03-12 10:05:03 +01:00
SONARJAVA-5412 Modify rule S7409: Add Java language 2025-03-28 20:51:38 +01:00			`include::../ask-yourself.adoc[]`
Create rule S7409: Exposing Java interfaces in WebViews is security-sensitive (SONARKT-571) (#4721) * Create rule S7409 * Initial commit * Use double code tags everywhere * Rephrase the Ask Yourself Whether section --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2025-03-12 10:05:03 +01:00
SONARJAVA-5412 Modify rule S7409: Add Java language 2025-03-28 20:51:38 +01:00			`:setJavaScriptEnabledSnippet: webSettings.javaScriptEnabled = false`
Create rule S7409: Exposing Java interfaces in WebViews is security-sensitive (SONARKT-571) (#4721) * Create rule S7409 * Initial commit * Use double code tags everywhere * Rephrase the Ask Yourself Whether section --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2025-03-12 10:05:03 +01:00
SONARJAVA-5412 Modify rule S7409: Add Java language 2025-03-28 20:51:38 +01:00			`include::../recommended.adoc[]`
Create rule S7409: Exposing Java interfaces in WebViews is security-sensitive (SONARKT-571) (#4721) * Create rule S7409 * Initial commit * Use double code tags everywhere * Rephrase the Ask Yourself Whether section --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2025-03-12 10:05:03 +01:00
			`== Sensitive Code Example`

			`[source,kotlin]`
			`----`
			`class ExampleActivity : AppCompatActivity() {`
			`override fun onCreate(savedInstanceState: Bundle?) {`
			`super.onCreate(savedInstanceState)`

			`val webView = WebView(this)`
			`webView.settings.javaScriptEnabled = true`
			`webView.addJavascriptInterface(JavaScriptBridge(), "androidBridge") // Sensitive`
			`}`

			`inner class JavaScriptBridge {`
			`@JavascriptInterface`
			`fun accessUserData(userId): String {`
			`return getUserData(userId)`
			`}`
			`}`
			`}`
			`----`

			`== Compliant Solution`

Update rule S7409: Clarify rule title and rule text (SONARKT-637) (#4826) * Update rule title and text according to previous discussion * Fix typo * Add references to S6362 and S7409 in both rules' descriptions 2025-03-28 13:55:14 +01:00			`The most secure option is to disable JavaScript entirely. S6362 further explains why it should not be enabled`
			`unless absolutely necessary.`
Create rule S7409: Exposing Java interfaces in WebViews is security-sensitive (SONARKT-571) (#4721) * Create rule S7409 * Initial commit * Use double code tags everywhere * Rephrase the Ask Yourself Whether section --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2025-03-12 10:05:03 +01:00
			`[source,kotlin]`
			`----`
			`class ExampleActivity : AppCompatActivity() {`
			`override fun onCreate(savedInstanceState: Bundle?) {`
			`super.onCreate(savedInstanceState)`

			`val webView = WebView(this)`
			`webView.settings.javaScriptEnabled = false`
			`}`
			`}`
			`----`

			`If possible, remove the JavaScript interface after it is no longer needed, or before loading any untrusted content.`

			`[source,kotlin]`
			`----`
			`class ExampleActivity : AppCompatActivity() {`
			`override fun onCreate(savedInstanceState: Bundle?) {`
			`super.onCreate(savedInstanceState)`

			`val webView = WebView(this)`
			`webView.settings.javaScriptEnabled = true`

			`webView.addJavascriptInterface(JavaScriptBridge(), "androidBridge")`

			`// Sometime later, before unsafe content is loaded, remove the JavaScript interface`
			`webView.removeJavascriptInterface("androidBridge")`
			`}`
			`}`
			`----`

Update rule S7409: Clarify rule title and rule text (SONARKT-637) (#4826) * Update rule title and text according to previous discussion * Fix typo * Add references to S6362 and S7409 in both rules' descriptions 2025-03-28 13:55:14 +01:00			If a JavaScript bridge must be used, consider using ``WebViewCompat.addWebMessageListener`` instead. This allows you to restrict
			`the origins that can send messages to the JavaScript bridge.`
Create rule S7409: Exposing Java interfaces in WebViews is security-sensitive (SONARKT-571) (#4721) * Create rule S7409 * Initial commit * Use double code tags everywhere * Rephrase the Ask Yourself Whether section --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2025-03-12 10:05:03 +01:00
			`[source,kotlin]`
			`----`
			`class ExampleActivity : AppCompatActivity() {`
			`private val ALLOWED_ORIGINS = setOf("https://example.com")`

			`override fun onCreate(savedInstanceState: Bundle?) {`
			`super.onCreate(savedInstanceState)`

			`val webView = WebView(this)`
			`webView.settings.javaScriptEnabled = true`

			`WebViewCompat.addWebMessageListener(`
SONARJAVA-5412 Modify rule S7409: Add Java language 2025-03-28 20:51:38 +01:00			`webView,`
			`"androidBridge",`
			`ALLOWED_ORIGINS, // Only allow messages from these origins`
Create rule S7409: Exposing Java interfaces in WebViews is security-sensitive (SONARKT-571) (#4721) * Create rule S7409 * Initial commit * Use double code tags everywhere * Rephrase the Ask Yourself Whether section --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2025-03-12 10:05:03 +01:00			`object : WebViewCompat.WebMessageListener {`
			`override fun onPostMessage(`
			`view: WebView,`
			`message: WebMessageCompat,`
			`sourceOrigin: Uri,`
			`isMainFrame: Boolean,`
			`replyProxy: JavaScriptReplyProxy`
			`) {`
			`// Handle the message`
			`}`
			`}`
			`)`
			`}`
			`}`
			`----`

SONARJAVA-5412 Modify rule S7409: Add Java language 2025-03-28 20:51:38 +01:00			`include::../see.adoc[]`