diff --git a/rules/S7201/ask-yourself.adoc b/rules/S7201/ask-yourself.adoc
new file mode 100644
index 0000000000..561f647513
--- /dev/null
+++ b/rules/S7201/ask-yourself.adoc
@@ -0,0 +1,6 @@
+== Ask Yourself Whether
+
+* You open files that may be created or altered by external sources.
+* You open arbitrary URLs from external sources.
+
+There is a risk if you answered yes to any of these questions.
diff --git a/rules/S7201/description.adoc b/rules/S7201/description.adoc
new file mode 100644
index 0000000000..a80257ec5e
--- /dev/null
+++ b/rules/S7201/description.adoc
@@ -0,0 +1,7 @@
+Exposing the Android file system to WebViews is security-sensitive.
+
+Granting file access to WebViews, particularly through the `file://` scheme, introduces a risk of local file inclusion
+vulnerabilities. The severity of this risk depends heavily on the specific `WebSettings` configured. Overly permissive
+settings can allow malicious scripts to access a wide range of local files, potentially exposing sensitive data such as
+Personally Identifiable Information (PII) or private application data, leading to data breaches and other security
+compromises.
diff --git a/rules/S7201/kotlin/metadata.json b/rules/S7201/kotlin/metadata.json
new file mode 100644
index 0000000000..a097fc7c65
--- /dev/null
+++ b/rules/S7201/kotlin/metadata.json
@@ -0,0 +1,46 @@
+{
+ "title": "Exposing the Android file system to WebViews is security-sensitive",
+ "type": "SECURITY_HOTSPOT",
+ "code": {
+ "impacts": {
+ "SECURITY": "MEDIUM"
+ },
+ "attribute": "COMPLETE"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ ],
+ "extra": {
+ "replacementRules": [
+
+ ],
+ "legacyKeys": [
+
+ ]
+ },
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-7201",
+ "sqKey": "S7201",
+ "scope": "Main",
+ "securityStandards": {
+ "OWASP": [
+ "A3"
+ ],
+ "OWASP Top 10 2021": [
+ "A1"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M8"
+ ],
+ "MASVS": [
+ "MSTG-PLATFORM-2"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ]
+}
diff --git a/rules/S7201/kotlin/rule.adoc b/rules/S7201/kotlin/rule.adoc
new file mode 100644
index 0000000000..fa4b9b6919
--- /dev/null
+++ b/rules/S7201/kotlin/rule.adoc
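Review bot: The MASVS mapping `"MSTG-PLATFORM-2"` in the `securityStandards` block looks like the wrong control for this rule: PLATFORM-2 is the generic input-validation requirement, whereas the `file://` handler and WebView protocol-handler restrictions are covered by MSTG-PLATFORM-6 ("WebViews are configured to allow only the minimum set of protocol handlers required ... file ... are disabled"), with PLATFORM-5 (JavaScript in WebViews) as the secondary fit. Unless the project deliberately maps every WebView hotspot to PLATFORM-2, I would change the entry to `"MSTG-PLATFORM-6"`; please confirm against the MASVS version the repository standardizes on, since the identifier scheme changed in MASVS v2.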
@@ -0,0 +1,80 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+[source,kotlin]
+----
+AndroidView(
+ factory = { context ->
+ WebView(context).apply {
+ webViewClient = WebViewClient()
+ settings.apply {
+ allowFileAccess = true // Sensitive
+ allowFileAccessFromFileURLs = true // Sensitive
+ allowUniversalAccessFromFileURLs = true // Sensitive
+ allowContentAccess = true // Sensitive
+ }
+ loadUrl("file:///android_asset/example.html")
+ }
+ }
+)
+----
+
+== Compliant Solution
+
+[source,kotlin]
+----
+AndroidView(
+ factory = { context ->
+ val webView = WebView(context)
+ val assetLoader = WebViewAssetLoader.Builder()
+ .addPathHandler("/assets/", WebViewAssetLoader.AssetsPathHandler(context))
+ .build()
+
+ webView.webViewClient = object : WebViewClient() {
+ @RequiresApi(Build.VERSION_CODES.LOLLIPOP)
+ override fun shouldInterceptRequest(view: WebView?, request: WebResourceRequest): WebResourceResponse? {
+ return assetLoader.shouldInterceptRequest(request.url)
+ }
+
+ @Suppress("deprecation")
+ override fun shouldInterceptRequest(view: WebView?, url: String?): WebResourceResponse? {
+ return assetLoader.shouldInterceptRequest(Uri.parse(url))
+ }
+ }
+
+ webView.settings.apply {
+ allowFileAccess = false
+ allowFileAccessFromFileURLs = false
+ allowUniversalAccessFromFileURLs = false
+ allowContentAccess = false
+ }
+
+ webView.loadUrl("https://appassets.androidplatform.net/assets/example.html")
+ webView
+ }
+)
+----
+
+The compliant solution uses `WebViewAssetLoader` to load local files instead of directly accessing them via `file://`
+URLs. This approach serves assets over a secure `https://appassets.androidplatform.net` URL, effectively isolating the
+WebView from the local file system.
+
+The file access settings are disabled by default in modern Android versions. To prevent possible security issues in
+`Build.VERSION_CODES.Q` and earlier, it is still recommended to explicitly set those values to false.
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+endif::env-github,rspecator-view[]
diff --git a/rules/S7201/message.adoc b/rules/S7201/message.adoc
new file mode 100644
index 0000000000..c76bc9c73f
--- /dev/null
+++ b/rules/S7201/message.adoc
@@ -0,0 +1,3 @@
+=== Message
+
+Make sure exposing the Android file system is safe here.
diff --git a/rules/S7201/metadata.json b/rules/S7201/metadata.json
new file mode 100644
index 0000000000..2c63c08510
--- /dev/null
+++ b/rules/S7201/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7201/recommended.adoc b/rules/S7201/recommended.adoc
new file mode 100644
index 0000000000..3173b73454
--- /dev/null
+++ b/rules/S7201/recommended.adoc
@@ -0,0 +1,7 @@
+== Recommended Secure Coding Practices
+
+Avoid opening `file://` URLs from external sources in WebView components. If your application accepts arbitrary URLs
+from external sources, do not enable this functionality. Instead, utilize `androidx.webkit.WebViewAssetLoader` to access
+files, including assets and resources, via `http(s)://` schemes.
+
+For enhanced security, ensure that the options to load `file://` URLs are explicitly set to false.
diff --git a/rules/S7201/see.adoc b/rules/S7201/see.adoc
new file mode 100644
index 0000000000..0758623966
--- /dev/null
+++ b/rules/S7201/see.adoc
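Review bot: The closing paragraph of rule.adoc ("The file access settings are disabled by default in modern Android versions ... `Build.VERSION_CODES.Q` and earlier") is inaccurate in a way that matters for the rule's advice: per the `WebSettings` documentation `allowContentAccess` defaults to true on every API level, `allowFileAccess` defaults to true or false by the app's *targetSdkVersion* (true when targeting Q or lower, false from R) rather than by the device OS version, and only the two `*FromFileURLs` flags have defaulted to false since API 16; I would replace the paragraph with `Only \`allowFileAccessFromFileURLs\` and \`allowUniversalAccessFromFileURLs\` are off by default. \`allowFileAccess\` stays true for apps targeting \`Build.VERSION_CODES.Q\` or lower, and \`allowContentAccess\` is true on every API level, so set all four explicitly.` The compliant solution's claim of "effectively isolating the WebView from the local file system" also deserves the caveat that `allowFileAccess = false` does not block `file:///android_asset/` and `file:///android_res/` URLs, so the example still relies on never loading attacker-controlled `file://` URLs. Separately, the deprecated `shouldInterceptRequest(view, url: String?)` override passes a nullable `url` straight into `Uri.parse(url)`, which throws a `NullPointerException` on null; `return url?.let { assetLoader.shouldInterceptRequest(Uri.parse(it)) }` keeps the example robust without changing its behavior for real URLs.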
@@ -0,0 +1,7 @@
+== See
+
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements]
+* Android Documentation - https://developer.android.com/privacy-and-security/risks/webview-unsafe-file-inclusion[WebViews – Unsafe File Inclusion]