You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
86 lines
2.7 KiB
86 lines
2.7 KiB
8 years ago
|
/*
|
||
|
* Copyright (c) 2016 - present Facebook, Inc.
|
||
|
* All rights reserved.
|
||
|
*
|
||
|
* This source code is licensed under the BSD style license found in the
|
||
|
* LICENSE file in the root directory of this source tree. An additional grant
|
||
|
* of patent rights can be found in the PATENTS file in the same directory.
|
||
|
*/
|
||
|
|
||
|
package codetoanalyze.java.quandary;
|
||
|
|
||
|
import android.content.Context;
|
||
|
import android.webkit.JavascriptInterface;
|
||
|
import android.webkit.WebView;
|
||
|
import android.webkit.WebViewClient;
|
||
|
import android.webkit.WebChromeClient;
|
||
|
|
||
|
import com.facebook.infer.builtins.InferTaint;
|
||
|
|
||
|
public class WebViews {
|
||
|
|
||
|
void callWebviewSinks(WebView webview) {
|
||
|
String stringSource = (String) InferTaint.inferSecretSource();
|
||
|
|
||
|
webview.addJavascriptInterface(new Object(), stringSource);
|
||
|
webview.evaluateJavascript(stringSource, null);
|
||
|
webview.loadData(stringSource, "", "");
|
||
|
webview.loadDataWithBaseURL("", stringSource, "", "", "");
|
||
|
webview.loadUrl(stringSource); // should have 5 reports
|
||
|
}
|
||
|
|
||
|
void callWebviewClientSinks(WebView webview, WebViewClient client) {
|
||
|
String stringSource = (String) InferTaint.inferSecretSource();
|
||
|
|
||
|
client.onLoadResource(webview, stringSource);
|
||
|
client.shouldInterceptRequest(webview, stringSource);
|
||
|
client.shouldOverrideUrlLoading(webview, stringSource); // should have 3 reports
|
||
|
}
|
||
|
|
||
|
void callWebviewChromeClientSinks(WebView webview, WebChromeClient client) {
|
||
|
String stringSource = (String) InferTaint.inferSecretSource();
|
||
|
|
||
|
client.onJsAlert(webview, stringSource, "", null);
|
||
|
client.onJsBeforeUnload(webview, stringSource, "", null);
|
||
|
client.onJsConfirm(webview, stringSource, "", null);
|
||
|
client.onJsPrompt(webview, stringSource, "", "", null); // should have 4 reports
|
||
|
}
|
||
|
|
||
|
// make sure all of the rules apply to subclasses as well
|
||
|
class MyWebView extends WebView {
|
||
|
public MyWebView(Context c) {
|
||
|
super(c);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
class MyWebViewClient extends WebViewClient {
|
||
|
}
|
||
|
|
||
|
class MyWebChromeClient extends WebChromeClient {
|
||
|
}
|
||
|
|
||
|
void callWebviewSubclassSinks(
|
||
|
MyWebView webview, MyWebViewClient client, MyWebChromeClient chromeClient) {
|
||
|
|
||
|
String stringSource = (String) InferTaint.inferSecretSource();
|
||
|
webview.evaluateJavascript(stringSource, null);
|
||
|
client.onLoadResource(webview, stringSource);
|
||
|
chromeClient.onJsAlert(webview, stringSource, "", null); // should have 3 reports
|
||
|
}
|
||
|
|
||
|
class JsObject {
|
||
|
@JavascriptInterface
|
||
|
Object returnSource() {
|
||
|
return InferTaint.inferSecretSource();
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// in order to get this, we have to understand that addJavaScriptInterface can evaluate the
|
||
|
// JsObject.returnSource method
|
||
|
void FN_addJavascriptInterface(MyWebView webview) {
|
||
|
// should warn here
|
||
|
webview.addJavascriptInterface(new JsObject(), "injectedObject");
|
||
|
}
|
||
|
|
||
|
}
|