...
Any URI received via an intent from outside a trust boundary should be validated before it is rendered with WebView. For example, the following code checks a received URI and rejects the "file:" scheme. More generally, it allows only URIs that start with "http" (note that "https" also starts with "http") and loads "about:blank" instead of anything else. A prefix check is a coarse filter: it accepts any scheme whose name happens to begin with "http", so a stricter implementation should parse the URI and compare its scheme against an explicit allowlist of "http" and "https".
```java
import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;

public class MyBrowser extends Activity {
  @Override
  public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.main);

    WebView webView = (WebView) findViewById(R.id.webview);
    // The "url" extra was supplied by whoever sent the intent; treat it as untrusted.
    String url = getIntent().getStringExtra("url");
    // Reject everything that does not start with "http" (this also covers a
    // missing extra, for which getStringExtra() returns null).
    // Note: "https".startsWith("http") == true
    if (url == null || !url.startsWith("http")) {
      url = "about:blank";
    }
    webView.loadUrl(url);
  }
}
```
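The following is an added example, not code from the CERT page: it replaces the prefix check with a scheme allowlist built on java.net.URI, so that it can be compiled and run without the Android SDK. The class name UntrustedUrlFilter, the method filter(), and the sample inputs in main() are all assumptions made for the illustration; in an Activity the returned string would be the argument to webView.loadUrl(). It goes slightly beyond the page's "file:" case by treating every scheme other than "http" and "https" (including upper-case "FILE:", "content:", "javascript:", relative references and unparsable input) the same way.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/*
 * Added example (not from the CERT page): allowlist the scheme of a URL that
 * arrived in an untrusted intent extra. Plain Java so it compiles without
 * the Android SDK; the result is what an Activity would pass to loadUrl().
 */
public final class UntrustedUrlFilter {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    static final String FALLBACK = "about:blank";

    /** Returns url unchanged if its scheme is http or https, otherwise "about:blank". */
    public static String filter(String url) {
        // getStringExtra() returns null when the extra is missing; never dereference blindly.
        if (url == null) {
            return FALLBACK;
        }
        URI uri;
        try {
            uri = new URI(url.trim());
        } catch (URISyntaxException e) {
            return FALLBACK;          // unparsable input: refuse rather than guess
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return FALLBACK;          // relative reference: would resolve against whatever is loaded
        }
        // Scheme names are case-insensitive (RFC 3986), so "FILE:" must not slip
        // past a comparison that only knows the lowercase form.
        if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return FALLBACK;
        }
        return url;
    }

    public static void main(String[] args) {
        // Constructed inputs: the kind of values a hostile sender could place in the "url" extra.
        String[] samples = {
            "https://example.com/",
            "HTTP://example.com/",
            "file:///data/data/com.example.app/databases/secrets.db",
            "FILE:///etc/hosts",
            "content://com.example.app.provider/private",
            "javascript:alert(document.cookie)",
            "httpx://example.com/",   // passes a startsWith("http") check, fails the allowlist
            "/relative/path",
            "not a url ^",
            null
        };
        for (String s : samples) {
            System.out.printf("%-60s -> %s%n", s, filter(s));
        }
    }
}
```

Only the first two samples come back unchanged; every other line maps to "about:blank". Using the parsed scheme rather than a string prefix is what makes the "httpx://" and "FILE:" cases behave correctly.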
Risk Assessment
Allowing WebView to access sensitive local resources (for example, application files reachable through the "file:" scheme) may result in information leaks.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DRD02-J | medium | probable | high | P6 | L2 |
Automated Detection
Automatic detection is not feasible.
...