Create rule S7201: Exposing the Android file system to WebViews is security-sensitive (#4680)

rules/S7201/ask-yourself.adoc

@@ -0,0 +1,6 @@
+== Ask Yourself Whether
+
+* You open files that may be created or altered by external sources.
+* You open arbitrary URLs from external sources.
+
+There is a risk if you answered yes to any of these questions.

rules/S7201/description.adoc

@@ -0,0 +1,7 @@
+Exposing the Android file system to WebViews is security-sensitive.
+
+Granting file access to WebViews, particularly through the `file://` scheme, introduces a risk of local file inclusion
+vulnerabilities. The severity of this risk depends heavily on the specific `WebSettings` configured.  Overly permissive
+settings can allow malicious scripts to access a wide range of local files, potentially exposing sensitive data such as
+Personally Identifiable Information (PII) or private application data, leading to data breaches and other security
+compromises.

rules/S7201/kotlin/metadata.json

@@ -0,0 +1,46 @@
+{
+  "title": "Exposing the Android file system to WebViews is security-sensitive",
+  "type": "SECURITY_HOTSPOT",
+  "code": {
+    "impacts": {
+      "SECURITY": "MEDIUM"
+    },
+    "attribute": "COMPLETE"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+  ],
+  "extra": {
+    "replacementRules": [
+
+    ],
+    "legacyKeys": [
+
+    ]
+  },
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7201",
+  "sqKey": "S7201",
+  "scope": "Main",
+  "securityStandards": {
+    "OWASP": [
+      "A3"
+    ],
+    "OWASP Top 10 2021": [
+      "A1"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M8"
+    ],
+    "MASVS": [
+      "MSTG-PLATFORM-2"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ]
+}

rules/S7201/kotlin/rule.adoc

@@ -0,0 +1,80 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+[source,kotlin]
+----
+AndroidView(
+    factory = { context ->
+        WebView(context).apply {
+            webViewClient = WebViewClient()
+            settings.apply {
+                allowFileAccess = true  // Sensitive
+                allowFileAccessFromFileURLs = true  // Sensitive
+                allowUniversalAccessFromFileURLs = true  // Sensitive
+                allowContentAccess = true  // Sensitive
+            }
+            loadUrl("file:///android_asset/example.html")
+        }
+   }
+)
+----
+
+== Compliant Solution
+
+[source,kotlin]
+----
+AndroidView(
+    factory = { context ->
+        val webView = WebView(context)
+        val assetLoader = WebViewAssetLoader.Builder()
+            .addPathHandler("/assets/", WebViewAssetLoader.AssetsPathHandler(context))
+            .build()
+
+        webView.webViewClient = object : WebViewClient() {
+            @RequiresApi(Build.VERSION_CODES.LOLLIPOP)
+            override fun shouldInterceptRequest(view: WebView?, request: WebResourceRequest): WebResourceResponse? {
+                return assetLoader.shouldInterceptRequest(request.url)
+            }
+
+            @Suppress("deprecation")
+            override fun shouldInterceptRequest(view: WebView?, url: String?): WebResourceResponse? {
+                return assetLoader.shouldInterceptRequest(Uri.parse(url))
+            }
+        }
+
+        webView.settings.apply {
+            allowFileAccess = false
+            allowFileAccessFromFileURLs = false
+            allowUniversalAccessFromFileURLs = false
+            allowContentAccess = false
+        }
+
+        webView.loadUrl("https://appassets.androidplatform.net/assets/example.html")
+        webView
+    }
+)
+----
+
+The compliant solution uses `WebViewAssetLoader` to load local files instead of directly accessing them via `file://`
+URLs. This approach serves assets over a secure `https://appassets.androidplatform.net` URL, effectively isolating the
+WebView from the local file system.
+
+The file access settings are disabled by default in modern Android versions. To prevent possible security issues in
+`Build.VERSION_CODES.Q` and earlier, it is still recommended to explicitly set those values to false.
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+endif::env-github,rspecator-view[]

rules/S7201/message.adoc

@@ -0,0 +1,3 @@
+=== Message
+
+Make sure exposing the Android file system is safe here.

rules/S7201/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S7201/recommended.adoc

@@ -0,0 +1,7 @@
+== Recommended Secure Coding Practices
+
+Avoid opening `file://` URLs from external sources in WebView components. If your application accepts arbitrary URLs
+from external sources, do not enable this functionality. Instead, utilize `androidx.webkit.WebViewAssetLoader` to access
+files, including assets and resources, via `http(s)://` schemes.
+
+For enhanced security, ensure that the options to load `file://` URLs are explicitly set to false.

rules/S7201/see.adoc

@@ -0,0 +1,7 @@
+== See
+
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements]
+* Android Documentation - https://developer.android.com/privacy-and-security/risks/webview-unsafe-file-inclusion[WebViews – Unsafe File Inclusion]