• CodeQL query help documentation »
• CodeQL query help for Java and Kotlin »

Access Java object methods through JavaScript exposure

ID: java/android/webview-addjavascriptinterface Kind: problem Security severity: 6.1 Severity: warning Precision: medium Tags: - security - external/cwe/cwe-079 Query suites: - java-security-extended.qls - java-security-and-quality.qls 

Click to see the query in the CodeQL repository

Calling the addJavascriptInterface method of the android.webkit.WebView class allows the web pages of a WebView to access a Java object’s methods via JavaScript.

Objects exposed to JavaScript are available in all frames of the WebView.

Recommendation

If you need to expose Java objects to JavaScript, guarantee that no untrusted third-party content is loaded into the WebView.

Example

In the following (bad) example, a Java object is exposed to JavaScript.

import android.webkit.JavascriptInterface; import android.database.sqlite.SQLiteOpenHelper; class ExposedObject extends SQLiteOpenHelper {  @JavascriptInterface  public String studentEmail(String studentName) {  // SQL injection  String query = "SELECT email FROM students WHERE studentname = '" + studentName + "'";  Cursor cursor = db.rawQuery(query, null);  cursor.moveToFirst();  String email = cursor.getString(0);  return email;  } } webview.getSettings().setJavaScriptEnabled(true); webview.addJavaScriptInterface(new ExposedObject(), "exposedObject"); webview.loadData("", "text/html", null); String name = "Robert'; DROP TABLE students; --"; // BAD: Untrusted input loaded into WebView webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))"); 

References

• Android Documentation: addJavascriptInterface

• Common Weakness Enumeration: CWE-79.

• © GitHub, Inc.
• Terms
• Privacy