Query to detect insecure WebResourceResponse implementation

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll

@@ -0,0 +1,82 @@
+/** Provides Android methods relating to web resource response. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+
+/**
+ * The Android class `android.webkit.WebResourceRequest` for handling web requests.
+ */
+class WebResourceRequest extends RefType {
+  WebResourceRequest() { this.hasQualifiedName("android.webkit", "WebResourceRequest") }
+}
+
+/**
+ * The Android class `android.webkit.WebResourceResponse` for rendering web responses.
+ */
+class WebResourceResponse extends RefType {
+  WebResourceResponse() { this.hasQualifiedName("android.webkit", "WebResourceResponse") }
+}
+
+/** The `shouldInterceptRequest` method of Android's `WebViewClient` class. */
+class ShouldInterceptRequestMethod extends Method {
+  ShouldInterceptRequestMethod() {
+    this.hasName("shouldInterceptRequest") and
+    this.getDeclaringType().getASupertype*() instanceof TypeWebViewClient and
+    this.getReturnType() instanceof WebResourceResponse
+  }
+}
+
+/** A method call to `setWebViewClient` of `WebView`. */
+class SetWebViewClientMethodAccess extends MethodAccess {
+  SetWebViewClientMethodAccess() {
+    this.getMethod().hasName("setWebViewClient") and
+    this.getMethod().getDeclaringType().getASupertype*() instanceof TypeWebView and
+    this.getMethod().getParameterType(0) instanceof TypeWebViewClient
+  }
+}
+
+/** A sink representing a constructor call of `WebResourceResponse` in Android `WebViewClient`. */
+class WebResourceResponseSink extends DataFlow::Node {
+  WebResourceResponseSink() {
+    exists(ConstructorCall cc |
+      cc.getConstructedType() instanceof WebResourceResponse and
+      (
+        this.asExpr() = cc.getArgument(2) and cc.getNumArgument() = 3 // WebResourceResponse(String mimeType, String encoding, InputStream data)
+        or
+        this.asExpr() = cc.getArgument(5) and cc.getNumArgument() = 6 // WebResourceResponse(String mimeType, String encoding, int statusCode, String reasonPhrase, Map<String, String> responseHeaders, InputStream data)
+      )
+    )
+  }
+}
+
+/**
+ * Value step from a fetching url call of `WebView` to `WebViewClient`.
+ */
+private class FetchUrlStep extends AdditionalValueStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(
+      // webview.loadUrl(url) -> webview.setWebViewClient(new WebViewClient() { shouldInterceptRequest(view, url) });
+      WebViewLoadUrlMethod lm, ShouldInterceptRequestMethod im, SetWebViewClientMethodAccess sma
+    |
+      sma.getArgument(0).getType() = im.getDeclaringType().getASupertype*() and
+      exists(MethodAccess lma |
+        lma.getMethod() = lm and
+        lma.getQualifier().getType() = sma.getQualifier().getType() and
+        pred.asExpr() = lma.getArgument(0) and
+        succ.asExpr() = im.getParameter(1).getAnAccess()
+      )
+    )
+  }
+}
+
+/** Value/taint steps relating to url loading and file reading in an Android application. */
+private class LoadUrlSource extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "java.io;FileInputStream;true;FileInputStream;;;Argument[0];Argument[-1];taint",
+        "android.net;Uri;false;getPath;;;Argument[0];ReturnValue;value",
+        "android.webkit;WebResourceRequest;false;getUrl;;;Argument[-1];ReturnValue;value"
+      ]
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.java

@@ -0,0 +1,17 @@
+// BAD: no URI validation
+Uri uri = Uri.parse(url);
+FileInputStream inputStream = new FileInputStream(uri.getPath());
+String mimeType = getMimeTypeFromPath(uri.getPath());
+return new WebResourceResponse(mimeType, "UTF-8", inputStream);
+
+
+// GOOD: check for a trusted prefix, ensuring path traversal is not used to erase that prefix:
+// (alternatively use `WebViewAssetsLoader`)
+if (uri.getPath().startsWith("/local_cache/") && !uri.getPath().contains("..")) {
+    File cacheFile = new File(getCacheDir(), uri.getLastPathSegment());
+    FileInputStream inputStream = new FileInputStream(cacheFile);
+    String mimeType = getMimeTypeFromPath(uri.getPath());
+    return new WebResourceResponse(mimeType, "UTF-8", inputStream);
+}
+
+return assetLoader.shouldInterceptRequest(request.getUrl());

java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.qhelp

@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Android provides a <code>WebResourceResponse</code> API, which is a <code>WebView</code> class that
+allows an Android application to behave as a web server by handling requests of popular protocols such
+as <code>http(s)</code>, <code>file</code>, as well as <code>javascript</code>; and returning a response
+(including status code, content type, content encoding, headers and the response body). Improper
+implementation with insufficient input validation can lead to leaking of sensitive configuration file
+or user data because requests could refer to paths intended to be application-private.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Unsanitized user provided url must not be used to serve a response directly. When handling a request,
+always validate that the file path is not the receiver's protected directory. Alternatively the Android
+API <code>WebViewAssetLoader</code> can be used, which safely processes data from resources, assets or
+a predefined directory.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following examples show a bad situation and two good situations respectively. In the bad situation, a
+response is served without path validation. In the good situation, a response is either served with path
+validation or through the safe <code>WebViewAssetLoader</code> implementation.
+</p>
+<sample src="InsecureWebResourceResponse.java" />
+</example>
+
+<references>
+<li>
+Google:
+<a href="https://blog.oversecured.com/Android-Exploring-vulnerabilities-in-WebResourceResponse/">Android: Exploring vulnerabilities in WebResourceResponse</a>.
+</li>
+<li>
+CVE:
+<a href="https://cordova.apache.org/announcements/2014/08/04/android-351.html">CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL loading</a>.
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql

@@ -0,0 +1,33 @@
+/**
+ * @name Insecure Android WebView Resource Response
+ * @description Insecure implementation of Android WebResourceResponse intercepts malicious app requests
+ *              and return arbitrary sensitive content.
+ * @kind path-problem
+ * @id java/insecure-webview-resource-response
+ * @problem.severity error
+ * @tags security
+ *       external/cwe/cwe-200
+ */
+
+import java
+import semmle.code.java.controlflow.Guards
+import experimental.semmle.code.java.PathSanitizer
+import AndroidWebResourceResponse
+import DataFlow::PathGraph
+
+class InsecureWebResourceResponseConfig extends TaintTracking::Configuration {
+  InsecureWebResourceResponseConfig() { this = "InsecureWebResourceResponseConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof WebResourceResponseSink }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof PathTraversalBarrierGuard
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureWebResourceResponseConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Leaking arbitrary content in Android from $@.", source.getNode(),
+  "this user input"

java/ql/src/experimental/semmle/code/java/PathSanitizer.qll

@@ -20,13 +20,25 @@ private class ExactStringPathMatchGuard extends PathTraversalBarrierGuard instan
   }
 }
 
+/**
+ * Returns the qualifier of a method call if it's a variable access, or the qualifier of the qualifier if
+ * the qualifier itself is a method call to `getPath`, which helps to reduce FPs by handling scenarios
+ * such as `!uri.getPath().contains("..")`.
+ */
+private Expr getRealQualifier(Expr e) {
+  e.(MethodAccess).getMethod().hasQualifiedName("android.net", "Uri", "getPath") and
+  result = e.(MethodAccess).getQualifier()
+  or
+  result = e.(VarAccess)
+}
+
 private class AllowListGuard extends Guard instanceof MethodAccess {
   AllowListGuard() {
     (isStringPartialMatch(this) or isPathPartialMatch(this)) and
     not isDisallowedWord(super.getAnArgument())
   }
 
-  Expr getCheckedExpr() { result = super.getQualifier() }
+  Expr getCheckedExpr() { result = getRealQualifier(super.getQualifier()) }
 }
 
 /**
@@ -73,7 +85,7 @@ private class BlockListGuard extends Guard instanceof MethodAccess {
     isDisallowedWord(super.getAnArgument())
   }
 
-  Expr getCheckedExpr() { result = super.getQualifier() }
+  Expr getCheckedExpr() { result = getRealQualifier(super.getQualifier()) }
 }
 
 /**
@@ -144,7 +156,7 @@ class PathTraversalGuard extends Guard instanceof MethodAccess {
     super.getAnArgument().(CompileTimeConstantExpr).getStringValue() = ".."
   }
 
-  Expr getCheckedExpr() { result = super.getQualifier() }
+  Expr getCheckedExpr() { result = getRealQualifier(super.getQualifier()) }
 }
 
 /** A complementary sanitizer that protects against path traversal using path normalization. */

java/ql/test/experimental/query-tests/security/CWE-200/AndroidManifest.xml

@@ -0,0 +1,30 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.app"
+    android:installLocation="auto"
+    android:versionCode="1"
+    android:versionName="0.1" >
+
+    <uses-permission android:name="android.permission.INTERNET" />
+
+    <application
+        android:icon="@drawable/ic_launcher"
+        android:label="@string/app_name"
+        android:theme="@style/AppTheme" >
+        <activity
+            android:name=".InsecureWebResourceResponse"
+            android:icon="@drawable/ic_launcher"
+			android:label="@string/app_name">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+
+        <activity android:name=".InsecureWebViewActivity">
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>