ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update rule S7201: Disable rule and move rule text to S6363 (SONARKT-636) (#4802)

Browse Source 
* Close S7201

* Update S6363 with updated descriptions

* Update OWASP categories with S7201 info
This commit is contained in:
Egon Okerman 2025-03-26 11:57:39 +01:00 committed by GitHub
parent 1490c6d3f0
commit 6b9c19eceb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 76 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
rules/S6363/ask-yourself.adoc
View File

@ -1,6 +1,6 @@
== Ask Yourself Whether == Ask Yourself Whether
* No local files have to be accessed by the Webview. * You open files that may be created or altered by external sources.
* The WebView contains untrusted data that could cause harm when rendered. * You open arbitrary URLs from external sources.
There is a risk if you answered yes to any of those questions. There is a risk if you answered yes to any of these questions.

12
rules/S6363/description.adoc
View File

@ -1,7 +1,7 @@
WebViews can be used to display web content as part of a mobile application. A Exposing the Android file system to WebViews is security-sensitive.
browser engine is used to render and display the content. Like a web
application, a mobile application that uses WebViews can be vulnerable to
Cross-Site Scripting if untrusted code is rendered.
If malicious JavaScript code in a WebView is executed this can leak the contents Granting file access to WebViews, particularly through the `file://` scheme, introduces a risk of local file inclusion
of sensitive files when access to local files is enabled. vulnerabilities. The severity of this risk depends heavily on the specific `WebSettings` configured. Overly permissive
settings can allow malicious scripts to access a wide range of local files, potentially exposing sensitive data such as
Personally Identifiable Information (PII) or private application data, leading to data breaches and other security
compromises.

60
rules/S6363/kotlin/rule.adoc
View File

@ -8,26 +8,66 @@ include::../recommended.adoc[]
[source,kotlin] [source,kotlin]
---- ----
import android.webkit.WebView AndroidView(
factory = { context ->
val webView: WebView = findViewById(R.id.webview) WebView(context).apply {
webView.getSettings().setAllowContentAccess(true) // Sensitive webViewClient = WebViewClient()
webView.getSettings().setAllowFileAccess(true) // Sensitive settings.apply {
allowFileAccess = true // Sensitive
allowFileAccessFromFileURLs = true // Sensitive
allowUniversalAccessFromFileURLs = true // Sensitive
allowContentAccess = true // Sensitive
}
loadUrl("file:///android_asset/example.html")
}
}
)
---- ----
== Compliant Solution == Compliant Solution
[source,kotlin] [source,kotlin]
---- ----
import android.webkit.WebView AndroidView(
factory = { context ->
val webView = WebView(context)
val assetLoader = WebViewAssetLoader.Builder()
.addPathHandler("/assets/", WebViewAssetLoader.AssetsPathHandler(context))
.build()
val webView: WebView = findViewById(R.id.webview) webView.webViewClient = object : WebViewClient() {
webView.getSettings().setAllowContentAccess(false) @RequiresApi(Build.VERSION_CODES.LOLLIPOP)
webView.getSettings().setAllowFileAccess(false) override fun shouldInterceptRequest(view: WebView?, request: WebResourceRequest): WebResourceResponse? {
return assetLoader.shouldInterceptRequest(request.url)
}
@Suppress("deprecation")
override fun shouldInterceptRequest(view: WebView?, url: String?): WebResourceResponse? {
return assetLoader.shouldInterceptRequest(Uri.parse(url))
}
}
webView.settings.apply {
allowFileAccess = false
allowFileAccessFromFileURLs = false
allowUniversalAccessFromFileURLs = false
allowContentAccess = false
}
webView.loadUrl("https://appassets.androidplatform.net/assets/example.html")
webView
}
)
---- ----
include::../see.adoc[] The compliant solution uses `WebViewAssetLoader` to load local files instead of directly accessing them via `file://`
URLs. This approach serves assets over a secure `https://appassets.androidplatform.net` URL, effectively isolating the
WebView from the local file system.
The file access settings are disabled by default in modern Android versions. To prevent possible security issues in
`Build.VERSION_CODES.Q` and earlier, it is still recommended to explicitly set those values to false.
include::../see.adoc[]
ifdef::env-github,rspecator-view[] ifdef::env-github,rspecator-view[]

6
rules/S6363/metadata.json
View File

@ -26,8 +26,8 @@
79 79
], ],
"OWASP": [ "OWASP": [
"A6", "A3",
"A7" "A6"
], ],
"MASVS": [ "MASVS": [
"MSTG-PLATFORM-2" "MSTG-PLATFORM-2"
@ -36,7 +36,7 @@
"M8" "M8"
], ],
"OWASP Top 10 2021": [ "OWASP Top 10 2021": [
"A3" "A1"
], ],
"PCI DSS 3.2": [ "PCI DSS 3.2": [
"6.5.1", "6.5.1",

9
rules/S6363/recommended.adoc
View File

@ -1,6 +1,7 @@
== Recommended Secure Coding Practices == Recommended Secure Coding Practices
It is recommended to disable access to local files for WebViews unless it is Avoid opening `file://` URLs from external sources in WebView components. If your application accepts arbitrary URLs
necessary. In the case of a successful attack through a Cross-Site Scripting from external sources, do not enable this functionality. Instead, utilize `androidx.webkit.WebViewAssetLoader` to access
vulnerability the attackers attack surface decreases drastically if no files files, including assets and resources, via `http(s)://` schemes.
can be read out.
For enhanced security, ensure that the options to load `file://` URLs are explicitly set to false.

6
rules/S6363/see.adoc
View File

@ -1,7 +1,9 @@
== See == See
* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration] * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
* OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements]
* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
* Android Documentation - https://developer.android.com/privacy-and-security/risks/webview-unsafe-file-inclusion[WebViews - Unsafe File Inclusion]

2
rules/S7201/kotlin/metadata.json
View File

@ -7,7 +7,7 @@
}, },
"attribute": "COMPLETE" "attribute": "COMPLETE"
}, },
"status": "ready", "status": "closed",
"remediation": { "remediation": {
"func": "Constant\/Issue", "func": "Constant\/Issue",
"constantCost": "30min" "constantCost": "30min"

1
rules/S7201/metadata.json
View File

@ -1,2 +1,3 @@
{ {
"status": "closed"
} }