SONARKT-569 Modify rule S4830: add support for WebViews (#4673)

* SONARKT-569 Modify rule S4830: add support for WebViews

* Fix list of allowed frameworks

* Add Google Support link

* Have non-compliant and compliant code examples next to each other and in diff

* Update rules/S4830/kotlin/how-to-fix-it/android-webview.adoc

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Update rules/S4830/kotlin/how-to-fix-it/android-webview.adoc

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
Antonio Aversa 2025-03-19 16:31:02 +01:00 committed by GitHub
parent d41b77b623
commit 1a1a60f52d
GPG Key ID: B5690EEEBB952194
3 changed files with 50 additions and 2 deletions


@ -27,6 +27,7 @@
* libxml2 * libxml2
// Java // Java
* Android * Android
* Android WebView
* Apache Commons * Apache Commons
* Apache Commons * Apache Commons
* Apache Commons Email * Apache Commons Email
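Review bot: the new `* Android WebView` entry is inserted directly after `* Android` in the `// Java` block, which keeps that block in alphabetical order; however, the two context lines that follow it both read `* Apache Commons`, which looks like a pre-existing duplicate entry in the framework list. If it is not a rendering artifact of the side-by-side view, drop one of the two in this same pass since the commit message already claims to "Fix list of allowed frameworks".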
@ -48,7 +49,6 @@
* Legacy Mongo Java API * Legacy Mongo Java API
* OkHttp * OkHttp
* Realm * Realm
* Java Cryptography Extension
* Apache HttpClient * Apache HttpClient
* Couchbase * Couchbase
* SAX * SAX
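Review bot: the removal of `* Java Cryptography Extension` in this hunk should be cross-checked against the rule page further down, which still includes `how-to-fix-it/java-cryptography-extension.adoc`; the framework list and the included how-to-fix-it sections are expected to describe the same set of APIs. If the entry was only misplaced (it sat in a block other than the `// Java` one above) and the Java block already covers it, a short note in the commit message would make that clear, otherwise a reader will assume JCE coverage was dropped while its fix section was kept.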


@ -0,0 +1,44 @@
== How to fix it in Android WebView
=== Code examples
include::../../common/fix/code-rationale.adoc[]
The certificate validation gets disabled by overriding the `onReceivedSslError` method of the `WebViewClient` class with an implementation that calls `SslErrorHandler.proceed()` unconditionally, and that never calls `SslErrorHandler.cancel()`.
This means that a certificate initially rejected by the system will be accepted by the `WebViewClient`, regardless of its origin.
==== Noncompliant code example
[source,kotlin,diff-id=101,diff-type=noncompliant]
----
class MyWebViewClient : WebViewClient() {
override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) =
handler.proceed() // Noncompliant
}
----
==== Compliant solution
You need to implement a validation of the server certificate received in the `SslErrorHandler` object, calling `proceed` and `cancel` appropriately.
[source,kotlin,diff-id=101,diff-type=compliant]
----
class MyWebViewClient : WebViewClient() {
override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
if (error.certificate.isServerCertificateValid()) {
handler.proceed()
} else {
handler.cancel()
}
}
private fun SslCertificate.isServerCertificateValid(): Boolean {
// Implement the server certificate validation logic here ...
}
}
----
=== How does this work?
include::../../common/fix/validation.adoc[]
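Review bot: the sentence under "Compliant solution" says the server certificate is "received in the `SslErrorHandler` object", but the code reads it from the `SslError` parameter (`error.certificate`); `SslErrorHandler` only exposes `proceed()` and `cancel()`. Suggest: "You need to validate the server certificate carried by the `SslError` object and call `handler.proceed()` or `handler.cancel()` accordingly." Separately, `isServerCertificateValid()` declares a `Boolean` return type but its body is a comment only, so the compliant snippet does not compile as shown; if a placeholder body is the intended rspec style, replace the comment with `TODO("validate against the expected server certificate")` or point the reader to the Google Support article added under Resources so that "valid" is not left undefined. Finally, the noncompliant sentence above the examples ("and that never calls `SslErrorHandler.cancel()`") is correct but could mention that the default `WebViewClient` implementation already cancels on error, which is why overriding with an unconditional `proceed()` is the only thing that disables validation.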


@ -10,11 +10,15 @@ include::../impact.adoc[]
include::how-to-fix-it/java-cryptography-extension.adoc[] include::how-to-fix-it/java-cryptography-extension.adoc[]
include::how-to-fix-it/android-webview.adoc[]
== Resources == Resources
include::../common/resources/standards-mobile.adoc[] include::../common/resources/standards-mobile.adoc[]
* https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms * CERT - https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
* Google Support - https://support.google.com/faqs/answer/7071387?hl=en[How to address WebView SSL Error Handler alerts in your apps]
* Android Documentation - https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)[WebViewClient.onReceivedSslError] method
ifdef::env-github,rspecator-view[] ifdef::env-github,rspecator-view[]
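Review bot: in the new Android Documentation bullet the trailing word `method` sits outside the link brackets, so only "WebViewClient.onReceivedSslError" is rendered as the link and " method" trails it as bare text; either move it inside the brackets (`[WebViewClient.onReceivedSslError method]`) or drop it to match the form of the Google Support bullet directly above. The `?hl=en` query parameter on both new URLs is also unnecessary and can be removed so the links are not pinned to one locale.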