SONARKT-569 Modify rule S4830: add support for WebViews (#4673)

* SONARKT-569 Modify rule S4830: add support for WebViews * Fix list of allowed frameworks * Add Google Support link * Have non-compliant and compliant code examples next to each other and in diff * Update rules/S4830/kotlin/how-to-fix-it/android-webview.adoc Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> * Update rules/S4830/kotlin/how-to-fix-it/android-webview.adoc Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2025-03-19 16:31:02 +01:00 · 2025-03-19 16:31:02 +01:00 · 1a1a60f52d
commit 1a1a60f52d
parent d41b77b623
3 changed files with 50 additions and 2 deletions
--- a/docs/header_names/allowed_framework_names.adoc
+++ b/docs/header_names/allowed_framework_names.adoc
@ -27,6 +27,7 @@
 * libxml2
 // Java
 * Android
+* Android WebView
 * Apache Commons
 * Apache Commons
 * Apache Commons Email
@ -48,7 +49,6 @@
 * Legacy Mongo Java API
 * OkHttp
 * Realm
-* Java Cryptography Extension
 * Apache HttpClient
 * Couchbase
 * SAX
--- a/rules/S4830/kotlin/how-to-fix-it/android-webview.adoc
+++ b/rules/S4830/kotlin/how-to-fix-it/android-webview.adoc
@ -0,0 +1,44 @@
+== How to fix it in Android WebView
+
+=== Code examples
+
+include::../../common/fix/code-rationale.adoc[]
+
+The certificate validation gets disabled by overriding the `onReceivedSslError` method of the `WebViewClient` class with an implementation that calls `SslErrorHandler.proceed()` unconditionally, and that never calls `SslErrorHandler.cancel()`.
+
+This means that a certificate initially rejected by the system will be accepted by the `WebViewClient`, regardless of its origin.
+
+==== Noncompliant code example
+
+[source,kotlin,diff-id=101,diff-type=noncompliant]
+----
+class MyWebViewClient : WebViewClient() {
+    override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) =
+        handler.proceed() // Noncompliant
+}
+----
+
+==== Compliant solution
+
+You need to implement a validation of the server certificate received in the `SslErrorHandler` object, calling `proceed` and `cancel` appropriately.
+
+[source,kotlin,diff-id=101,diff-type=compliant]
+----
+class MyWebViewClient : WebViewClient() {
+    override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
+        if (error.certificate.isServerCertificateValid()) {
+            handler.proceed()
+        } else {
+            handler.cancel()
+        }
+    }
+
+    private fun SslCertificate.isServerCertificateValid(): Boolean {
+        // Implement the server certificate validation logic here ...
+    }
+}
+----
+
+=== How does this work?
+
+include::../../common/fix/validation.adoc[]
--- a/rules/S4830/kotlin/rule.adoc
+++ b/rules/S4830/kotlin/rule.adoc
@ -10,11 +10,15 @@ include::../impact.adoc[]

 include::how-to-fix-it/java-cryptography-extension.adoc[]

+include::how-to-fix-it/android-webview.adoc[]
+
 == Resources

 include::../common/resources/standards-mobile.adoc[]

-* https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
+* CERT - https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
+* Google Support - https://support.google.com/faqs/answer/7071387?hl=en[How to address WebView SSL Error Handler alerts in your apps]
+* Android Documentation - https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)[WebViewClient.onReceivedSslError] method

 ifdef::env-github,rspecator-view[]