Checker JavascriptExecution

belongs to group Basic
Identify unsafe Javascript execution

Frameworks supported by this checker

  • android up to API level 28

Warnings generated by this checker

  • AllowedFileAccessFromFileURLsByDefaultWarning: enabling by default access from other file scheme URLs [ CWE749 ]
  • AllowedFileAccessFromFileURLsWarning: enabling access from other file scheme URLs [ CWE749 ]
  • AllowedUniversalAccessFromFileURLsByDefaultWarning: enabling by default access from any origin [ CWE749 ]
  • AllowedUniversalAccessFromFileURLsWarning: enabling access from any origin [ CWE749 ]
  • ExplicitJavascriptExecutionNotFoundWarning: if not required disable the Javascript execution [ CWE749 ]
  • JavascriptEnabledWarning: is the Javascript execution safe? If not required, disable the Javascript execution [ CWE749 ]
  • MissingJavascriptInterfaceAnnotationWarning: missing @JavascriptInterface annotation [ CWE749 ]
  • RiskyJavascriptInterfaceWarning: unsafe instruction detected, it could lead to the execution of untrusted Java code [ CWE749 ]

Options accepted by this checker

  • none

Annotations understood by this checker

  • none


Description

The JavascriptExecution checker is dedicated to the analysis of Android applications. It produces a warning when a Javascript execution in a WebView is unsafe or is not correctly initialized (Javascript enabled without being used, a Javascript-to-Java bridge exposed without the protections the framework offers, or file scheme access settings left permissive).


Examples

Consider the following program:

package example.javascriptExecutionChecker;

import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;

public class JavascriptExecutionExample extends Activity {

    WebView myWebView;

    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        myWebView = new WebView(this);
        myWebView.getSettings().setJavaScriptEnabled(true);
        myWebView.addJavascriptInterface(new MyJavaScriptInterface(), "saymyname");
        myWebView.loadUrl("file:///html_pages/index.html");
        setContentView(myWebView);
    }

    final class MyJavaScriptInterface {
        MyJavaScriptInterface() { }

        public String myMessage() {
            return "Hello World!";
        }
    }
}

If executed with a framework Android API level 17 or earlier, this checker issues the following warnings:

JavascriptExecutionExample.java:14: [JavascriptExecution: JavascriptEnabledWarning] Are you sure that the Javascript execution is safe ? if not required or if the application does not directly use JavaScript within the web view, disable the Javascript execution or remove the method "setJavaScriptEnabled"
JavascriptExecutionExample.java:15: [JavascriptExecution: RiskyJavascriptInterfaceWarning] unsafe instruction detected. It allows Javascript to invoke operations that are normally reserved for Android applications. This could lead in the execution of untrusted Java code with the application permissions

Android 4.2 and earlier present a security risk related to Javascript execution and the use of addJavascriptInterface. As described in the Android API documentation, it allows Javascript to invoke operations that are normally reserved for Android applications, which could lead to the execution of untrusted Java code with the application's permissions. Moreover, all public methods of the bridge object (including the inherited ones) can be accessed. In these cases the analysis triggers a RiskyJavascriptInterfaceWarning, as in the example at line 15. An example of such an exploit is shown here. The Android security tips recommend checking the content and behavior of the Javascript code to be executed. The JavascriptEnabledWarning at line 14 is triggered to remind the user that Javascript execution is enabled and that the Javascript code must be checked manually in order to avoid web security issues.

If executed with a framework Android API level 18 or higher, this checker issues the following warnings:

JavascriptExecutionExample.java:14: [JavascriptExecution: MissingJavascriptInterfaceAnnotationWarning] Are you sure that the Javascript execution is safe ? if not required or if the application does not directly use JavaScript within the web view, disable the Javascript execution or remove the method "setJavaScriptEnabled"
JavascriptExecutionExample.java:15: [JavascriptExecution: MissingJavascriptInterfaceAnnotationWarning] the class of object into 0 of method "addJavascriptInterface" does not contain any public methods annotated as @JavascriptInterface

Android 4.3 and higher implement the @JavascriptInterface annotation, in order to guarantee that only trusted public methods annotated with @JavascriptInterface can be accessed from Javascript. However, if an object does not have any public methods annotated with @JavascriptInterface, it is useless in a Javascript execution because it has no entry point. In these cases the analysis triggers a MissingJavascriptInterfaceAnnotationWarning, as in the example at line 15. In the example, a MyJavaScriptInterface object is passed as a parameter to addJavascriptInterface, but the MyJavaScriptInterface class does not contain any public methods annotated with @JavascriptInterface, so the object is useless for Javascript execution.
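A hardened version of the first program, added here as an illustration and not taken from the checker's documentation: the bridge exposes a single @JavascriptInterface method, the file scheme access settings this checker warns about are disabled explicitly, and the interface is only registered on releases where the annotation is honoured (the API 18 threshold used on this page). The class name HardenedJavascriptExecutionExample and the internalDetail method are assumptions.

```java
package example.javascriptExecutionChecker;

import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

public class HardenedJavascriptExecutionExample extends Activity {

    WebView myWebView;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        myWebView = new WebView(this);
        WebSettings settings = myWebView.getSettings();

        // Javascript is needed here because the loaded page actually calls the bridge.
        settings.setJavaScriptEnabled(true);
        // Most restrictive file scheme policy: a local page can neither read other
        // local files nor reach arbitrary origins (both settings are checker warnings).
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Register the bridge only where @JavascriptInterface is honoured (API 18 is
        // the threshold this page uses); older releases expose every public method.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR2) {
            myWebView.addJavascriptInterface(new MyJavaScriptInterface(), "saymyname");
        }
        myWebView.loadUrl("file:///html_pages/index.html");
        setContentView(myWebView);
    }

    // Static nested class: the bridge object holds no implicit reference to the Activity.
    static final class MyJavaScriptInterface {
        // The only method reachable from Javascript.
        @JavascriptInterface
        public String myMessage() {
            return "Hello World!";
        }

        // Public but unannotated (hypothetical helper): not callable from Javascript.
        public String internalDetail() {
            return "not exposed";
        }
    }
}
```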

Consider the following program:

package example.javascriptExecutionChecker;

import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;

public class JavascriptExecutionExample extends Activity {

    WebView myWebView;

    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        myWebView = new WebView(this);
        myWebView.getSettings().setJavaScriptEnabled(true);
        setContentView(myWebView);
    }
}

This checker issues the following warning:

JavascriptExecutionExample.java:14: [JavascriptExecution: ExplicitJavascriptExecutionNotFoundWarning] Are you sure to enable Javascript? It did not find any explicit Javascript execution inside "example.javascriptExecutionChecker.JavascriptExecutionExample.onCreate"

As recommended in the Android security tips, Javascript should only be enabled if strictly necessary for a Javascript execution. At line 14, ExplicitJavascriptExecutionNotFoundWarning is triggered because Javascript is enabled in a WebView but no method invokes a Javascript execution.

Consider the following program:

package example.javascriptExecutionChecker;

import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;

public class JavascriptExecutionExample {

  public class Test1 extends Activity {
      WebView mWebView;

      public void onCreate(Bundle paramBundle)
      {
          super.onCreate(paramBundle);
          this.mWebView = new WebView(this);

          this.mWebView.getSettings().setAllowFileAccessFromFileURLs(true);

          setContentView(this.mWebView);
      }

  }

  public class Test2 extends Activity {
      WebView mWebView;

      public void onCreate(Bundle paramBundle)
      {
          super.onCreate(paramBundle);
          this.mWebView = new WebView(this);

          this.mWebView.getSettings().setAllowUniversalAccessFromFileURLs(true);

          setContentView(this.mWebView);
      }

  }
}

If executed with a framework Android API level 16 or later, this checker issues the following warnings:

JavascriptExecutionExample.java:15: [JavascriptExecution: AllowedUniversalAccessFromFileURLsByWarning] Are you sure to allow the content of a file scheme URL to access from other file scheme URLs? To enable the most restrictive, and therefore secure, policy the method "setAllowFileAccessFromFileURLs" should be disabled
JavascriptExecutionExample.java:32: [JavascriptExecution: AllowedFileAccessAccessFromFileURLsByDefaultWarning] Are you sure to allow the content of a file scheme URL to access from any origin? To enable the most restrictive, and therefore secure, policy the method "setAllowUniversalAccessFromFileURLs" should be disabled

Since Android 4.1 (API 16), the methods android.webkit.WebSettings.setAllowFileAccessFromFileURLs() and android.webkit.WebSettings.setAllowUniversalAccessFromFileURLs() control whether Javascript running in the context of a file scheme URL is allowed to access content from, respectively, other file scheme URLs and any origin (including other file scheme URLs). As recommended by the Android documentation, to enable the most restrictive, and therefore secure, policy these settings should be disabled.

Consider the following program:

package example.javascriptExecutionChecker;

import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;

public class JavascriptExecutionExample {

  public class Test1 extends Activity {
      WebView mWebView;

      public void onCreate(Bundle paramBundle)
      {
          super.onCreate(paramBundle);
          this.mWebView = new WebView(this);

          setContentView(this.mWebView);
      }

  }
}

If executed with a framework Android API level 15 or older, this checker issues the following warning:

JavascriptExecutionExample.java:15: [JavascriptExecution: AllowedUniversalAccessFromFileURLsByWarning] Are you sure to allow by default the content of a file scheme URL to access from any origin? To enable the most restrictive, and therefore secure, policy the method "init" should explicitly disable the option

Android 4.0.4 (API 15) and earlier allow the content of a file scheme URL to access content from any origin by default, through the android.webkit.WebSettings of android.webkit.WebView, so the warning is raised when the WebView is created without the option being explicitly disabled.