Access Java object methods through JavaScript exposure¶

ID: java/android/webview-addjavascriptinterface
Kind: problem
Security severity: 7.8
Severity: warning
Precision: medium
Tags:
   - security
   - external/cwe/cwe-079
Query suites:
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

Calling the addJavascriptInterface method of the android.webkit.WebView class allows the web pages of a WebView to access a Java object’s methods via JavaScript.

Objects exposed to JavaScript are available in all frames of the WebView.

Recommendation¶

If you need to expose Java objects to JavaScript, guarantee that no untrusted third-party content is loaded into the WebView.

Example¶

In the following (bad) example, a Java object is exposed to JavaScript.

import android.webkit.JavascriptInterface;
import android.database.sqlite.SQLiteOpenHelper;

class ExposedObject extends SQLiteOpenHelper {
    @JavascriptInterface
    public String studentEmail(String studentName) {
        // SQL injection
        String query = "SELECT email FROM students WHERE studentname = '" + studentName + "'";

        Cursor cursor = db.rawQuery(query, null);
        cursor.moveToFirst();
        String email = cursor.getString(0);

        return email;
    }
}

webview.getSettings().setJavaScriptEnabled(true);
webview.addJavaScriptInterface(new ExposedObject(), "exposedObject");
webview.loadData("", "text/html", null);

String name = "Robert'; DROP TABLE students; --";
// BAD: Untrusted input loaded into WebView
webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))");

References¶

Android Documentation: addJavascriptInterface
Common Weakness Enumeration: CWE-79.

© GitHub, Inc.
Terms
Privacy