← 返回首页
Unsafe WebView fetch — CodeQL query help documentation CodeQL docs
CodeQL documentation
CodeQL resources

Unsafe WebView fetch

ID: swift/unsafe-webview-fetch Kind: path-problem Security severity: 7.8 Severity: warning Precision: high Tags: - security - external/cwe/cwe-079 - external/cwe/cwe-095 - external/cwe/cwe-749 Query suites: - swift-code-scanning.qls - swift-security-extended.qls - swift-security-and-quality.qls

Click to see the query in the CodeQL repository

Fetching data in a web view without restricting the base URL may allow an attacker to access sensitive local data, for example using file://. Data can then be extracted from the software using the URL of a machine under the attacker’s control. More generally, an attacker may use a URL under their control as part of a cross-site scripting attack.

Recommendation

When loading HTML into a web view, always set the baseURL to an appropriate URL that you control, or to about:blank. Do not use nil, as this does not restrict URLs that can be resolved. Also do not use a baseURL that could itself be controlled by an attacker.

Example

In the following example, a call to UIWebView.loadHTMLString has the baseURL set to nil, which does not restrict URLs that can be resolved from within the web page.

let webview = UIWebView() ... webview.loadHTMLString(htmlData, baseURL: nil) // BAD

To fix the problem, we set the baseURL to about:blank. This ensures that an attacker cannot resolve URLs that point to the local file system, or to web servers under their control.

let webview = UIWebView() ... webview.loadHTMLString(htmlData, baseURL: URL(string: "about:blank")) // GOOD

References