10: Add WebViewPlugin

2019-04-17 08:53:54 +02:00
parent 6ecdafac87
commit 716a6bc92c
3 changed files with 75 additions and 1 deletions
--- a/src/main/java/com/bartek/esa/core/di/PluginModule.java
+++ b/src/main/java/com/bartek/esa/core/di/PluginModule.java
@@ -137,4 +137,10 @@ public class PluginModule {
    public Plugin orderedAndStickyBroadcastPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
        return new OrderedBroadcastPlugin(globMatcher, xmlHelper);
    }
+
+    @Provides
+    @IntoSet
+    public Plugin webViewPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+        return new WebViewPlugin(globMatcher, xmlHelper);
+    }
 }
--- a/src/main/java/com/bartek/esa/core/plugin/WebViewPlugin.java
+++ b/src/main/java/com/bartek/esa/core/plugin/WebViewPlugin.java
@@ -0,0 +1,51 @@
+package com.bartek.esa.core.plugin;
+
+import com.bartek.esa.core.archetype.JavaPlugin;
+import com.bartek.esa.core.model.enumeration.Severity;
+import com.bartek.esa.core.xml.XmlHelper;
+import com.bartek.esa.file.matcher.GlobMatcher;
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.expr.Expression;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+
+import javax.inject.Inject;
+
+public class WebViewPlugin extends JavaPlugin {
+    private static final String SETTINGS_METHODS = "addJavascriptInterface|setJavaScriptEnabled|setWebContentsDebuggingEnabled|setAllowFileAccess|setDomStorageEnabled";
+
+    @Inject
+    public WebViewPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+        super(globMatcher, xmlHelper);
+    }
+
+    @Override
+    public void run(CompilationUnit compilationUnit) {
+        compilationUnit.findAll(MethodCallExpr.class).stream()
+                .filter(expr -> expr.getName().getIdentifier().matches(SETTINGS_METHODS))
+                .forEach(this::issueMethod);
+    }
+
+    private void issueMethod(MethodCallExpr methodCall) {
+        switch (methodCall.getName().getIdentifier()) {
+            case "addJavascriptInterface":
+                addIssue(Severity.VULNERABILITY, ".JS_INTERFACE", getLineNumberFromExpression(methodCall), methodCall.toString());
+                break;
+            case "setJavaScriptEnabled":
+                issueSettingsMethod(methodCall, ".JS_ENABLED");
+                break;
+            case "setWebContentsDebuggingEnabled":
+                issueSettingsMethod(methodCall, ".DEBUGGING_ENABLED");
+                break;
+            case "setAllowFileAccess":
+                issueSettingsMethod(methodCall, ".ALLOW_FILE_ACCESS");
+                break;
+        }
+    }
+
+    private void issueSettingsMethod(MethodCallExpr methodCall, String descriptionCode) {
+        Expression firstArg = methodCall.getArguments().get(0);
+        if (firstArg.isBooleanLiteralExpr() && firstArg.asBooleanLiteralExpr().getValue()) {
+            addIssue(Severity.INFO, descriptionCode, getLineNumberFromExpression(methodCall), methodCall.toString());
+        }
+    }
+}
--- a/src/main/resources/description.properties
+++ b/src/main/resources/description.properties
@@ -118,4 +118,21 @@ com.bartek.esa.core.plugin.WorldAccessPermissionsPlugin=World access permissions
  Consider using less permissive mode.

 com.bartek.esa.core.plugin.OrderedBroadcastPlugin=Sending ordered broadcast. Potential broadcast theft.\n\
-  Malicious applications can intercept ordered broadcasts, stop their propagation and resend with malicious data.
+  Malicious applications can intercept ordered broadcasts, stop their propagation and resend with malicious data.
+
+com.bartek.esa.core.plugin.WebViewPlugin.JS_INTERFACE=WebView with JavaScript interface. Potential malicious code injection.\n\
+  The WebView uses 'addJavascriptInterface' method which exposes public methods to JavaScript code. Loading JavaScript code \n\
+  from untrusted sources is a major security violation and should never be used.
+
+com.bartek.esa.core.plugin.WebViewPlugin.JS_ENABLED=JavaScript enabled in WebView.\n\
+  The WebView has enabled JavaScript code execution. This can effect in XSS attack.\n\
+  Consider disabling JavaScript in WebView.
+
+com.bartek.esa.core.plugin.WebViewPlugin.DEBUGGING_ENABLED=JavaScript debugging enabled in WebView.\n\
+  The WebView has enabled JavaScript code debugging. This can effect in data leakage from WebView component.\n\
+  Consider disabling JavaScript debugging in WebView.
+
+com.bartek.esa.core.plugin.WebViewPlugin.ALLOW_FILE_ACCESS=Access to file system from WebView.\n\
+  The WebView has granted access to private files. Loading content from untrusted source may effect with \n\
+  accessing private files by malicious site/application.\n\
+  Consider disabling this option.