46 lines
1.7 KiB
Plaintext
46 lines
1.7 KiB
Plaintext
Validating SSL/TLS connections is security-sensitive. For example, it has led in the past to the following vulnerabilities:
|
|
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2014-5531[CVE-2014-5531]
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2014-5524[CVE-2014-5524]
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2014-5574[CVE-2014-5574]
|
|
|
|
SSL/TLS protocols encrypt network connections. The server usually provides a digital certificate to prove its identity. Accepting all SSL/TLS certificates makes your application vulnerable to Man-in-the-middle attacks (MITM).
|
|
|
|
|
|
This rule will raise an issue when a method named ``++onReceivedSslError++`` with first argument of type ``++android.webkit.WebView++`` is defined.
|
|
|
|
== Sensitive Code Example
|
|
|
|
Android (See also https://support.google.com/faqs/answer/7071387?hl=en["How to address WebView SSL Error Handler alerts in your apps."])
|
|
|
|
----
|
|
package com.example.myapplication.rspec_5326;
|
|
|
|
import android.net.http.SslError;
|
|
import android.os.Build;
|
|
import android.support.annotation.RequiresApi;
|
|
import android.webkit.SslErrorHandler;
|
|
import android.webkit.WebView;
|
|
import android.webkit.WebViewClient;
|
|
|
|
import java.util.function.Function;
|
|
|
|
public class SSLTLSValidation extends WebViewClient {
|
|
private final Function<SslError, Boolean> acceptSslError;
|
|
|
|
SSLTLSValidation(Function<SslError, Boolean> acceptSslError) {
|
|
this.acceptSslError = acceptSslError;
|
|
}
|
|
|
|
@RequiresApi(api = Build.VERSION_CODES.N)
|
|
@Override
|
|
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { // Sensitive
|
|
if (acceptSslError.apply(error)) {
|
|
handler.proceed();
|
|
} else {
|
|
handler.cancel();
|
|
}
|
|
}
|
|
}
|
|
----
|