Android WebView JavaScript settings
Android WebView JavaScript settings
Pathfinder supports querying for Android WebView JavaScript settings in the source code. Enabling this setting can result in cross-site scripting attacks.
Query Syntax CWE-079
setJavaScriptEnabled Webview API
/** * @name Android WebView JavaScript settings * @description Enabling JavaScript execution in a WebView can result in cross-site scripting attacks. * @kind problem * @id java/Android/webview-javascript-enabled * @problem.severity warning * @security-severity 6.1 * @precision medium * @tags security * external/cwe/cwe-079 */FROM method_invocation AS miWHERE mi.getName() == "setJavaScriptEnabled" && "true" in mi.getArgumentName()SELECT mi, "Enabling JavaScript execution in a WebView can result in cross-site scripting attacks."setAllowUniversalAccessFromFileURLs Webview API
/** * @name Android WebView JavaScript settings * @description Enabling SetAllowUniversalAccessFromFileURLs leak s&&box access to file:/// URLs from any origin. * @kind problem * @id java/Android/webview-javascript-enabled * @problem.severity warning * @security-severity 6.1 * @precision medium * @tags security * external/cwe/cwe-079 */FROM method_invocation AS miWHERE mi.getName() == "setAllowUniversalAccessFromFileURLs" && "true" in mi.getArgumentName()SELECT mi, "Enabling SetAllowUniversalAccessFromFileURLs leak s&&box access to file:/// URLs from any origin."setAllowFileAccessFromFileURLs Webview API
/** * @name Android WebView JavaScript settings * @description Enabling setAllowFileAccessFromFileURLs leak s&&box access to file:/// URLs. * @kind problem * @id java/Android/webview-javascript-enabled * @problem.severity warning * @security-severity 6.1 * @precision medium * @tags security * external/cwe/cwe-079 */FROM method_invocation AS miWHERE mi.getName() == "setAllowFileAccessFromFileURLs" && "true" in mi.getArgumentName()SELECT mi, "Enabling setAllowFileAccessFromFileURLs leak s&&box access to file:/// URLs."setAllowContentAccess Webview API
/** * @name Android WebView JavaScript settings * @description Enabling setAllowContentAccess enables content:// access from webpages. * @kind problem * @id java/Android/webview-javascript-enabled * @problem.severity warning * @security-severity 6.1 * @precision medium * @tags security * external/cwe/cwe-079 */FROM method_invocation AS miWHERE mi.getName() == "setAllowContentAccess" && "true" in mi.getArgumentName()SELECT mi, "Enabling setAllowContentAccess enables content:// access from webpages."setAllowFileAccess Webview API
/** * @name Android WebView JavaScript settings * @description Enabling setAllowFileAccess enables webview access to file:/// URLs. * @kind problem * @id java/Android/webview-javascript-enabled * @problem.severity warning * @security-severity 6.1 * @precision medium * @tags security * external/cwe/cwe-079 */FROM method_invocation AS miWHERE mi.getName() == "setAllowFileAccess" && "true" in mi.getArgumentName()SELECT mi, "Enabling setAllowFileAccess enables webview access to file:/// URLs."addJavascriptInterface Webview API
/** * @name Android WebView JavaScript settings * @description Enabling addJavascriptInterface exposes java methods to JavaScript. * @kind problem * @id java/Android/webview-javascript-enabled * @problem.severity warning * @security-severity 8.1 * @precision medium * @tags security * external/cwe/cwe-079 */FROM method_invocation AS miWHERE mi.getName() == "addJavascriptInterface"SELECT mi, "Enabling addJavascriptInterface exposes java methods to JavaScript."