You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
149 lines
4.1 KiB
149 lines
4.1 KiB
/*
|
|
* Copyright (c) 2016 - present Facebook, Inc.
|
|
* All rights reserved.
|
|
*
|
|
* This source code is licensed under the BSD style license found in the
|
|
* LICENSE file in the root directory of this source tree. An additional grant
|
|
* of patent rights can be found in the PATENTS file in the same directory.
|
|
*/
|
|
|
|
package codetoanalyze.java.quandary;
|
|
|
|
import java.io.File;
|
|
import java.net.URISyntaxException;
|
|
|
|
import android.app.Activity;
|
|
import android.content.Context;
|
|
import android.content.Intent;
|
|
import android.net.Uri;
|
|
import android.webkit.JavascriptInterface;
|
|
import android.webkit.JsPromptResult;
|
|
import android.webkit.JsResult;
|
|
import android.webkit.ValueCallback;
|
|
import android.webkit.WebChromeClient;
|
|
import android.webkit.WebMessage;
|
|
import android.webkit.WebResourceRequest;
|
|
import android.webkit.WebResourceResponse;
|
|
import android.webkit.WebView;
|
|
import android.webkit.WebViewClient;
|
|
|
|
import com.facebook.infer.builtins.InferTaint;
|
|
|
|
public class WebViews {
|
|
|
|
void callWebviewSinks(WebView webview) {
|
|
String stringSource = (String) InferTaint.inferSecretSource();
|
|
|
|
webview.evaluateJavascript(stringSource, null);
|
|
webview.loadData(stringSource, "", "");
|
|
webview.loadDataWithBaseURL("", stringSource, "", "", "");
|
|
webview.loadUrl(stringSource); // should have 5 reports
|
|
webview.postUrl(stringSource, null);
|
|
webview.postWebMessage(null, (Uri) InferTaint.inferSecretSource());
|
|
}
|
|
|
|
// make sure all of the rules apply to subclasses as well
|
|
class MyWebView extends WebView {
|
|
public MyWebView(Context c) {
|
|
super(c);
|
|
}
|
|
}
|
|
|
|
Activity mActivity;
|
|
|
|
class MyWebViewClient extends WebViewClient {
|
|
|
|
@Override
|
|
public void onLoadResource(WebView w, String url) {
|
|
try {
|
|
Intent i = Intent.parseUri(url, 0);
|
|
mActivity.startActivity(i); // should report
|
|
} catch (URISyntaxException e) {
|
|
}
|
|
}
|
|
|
|
@Override
|
|
public WebResourceResponse shouldInterceptRequest(WebView w, WebResourceRequest request) {
|
|
mActivity.startActivity(new Intent("action", request.getUrl())); // should report
|
|
return null;
|
|
}
|
|
|
|
File webResourceToFileBad(WebResourceRequest request) {
|
|
return new File(request.getUrl().getPath());
|
|
}
|
|
|
|
@Override
|
|
public boolean shouldOverrideUrlLoading(WebView w, String url) {
|
|
try {
|
|
Intent i = Intent.parseUri(url, 0);
|
|
mActivity.startActivity(i); // should report
|
|
} catch (URISyntaxException e) {
|
|
}
|
|
return false;
|
|
}
|
|
}
|
|
|
|
class MyWebChromeClient extends WebChromeClient {
|
|
|
|
@Override
|
|
public boolean onJsAlert(WebView w, String url, String message, JsResult result) {
|
|
try {
|
|
Intent i = Intent.parseUri(url, 0);
|
|
mActivity.startActivity(i);
|
|
} catch (URISyntaxException e) {
|
|
}
|
|
return false;
|
|
}
|
|
|
|
@Override
|
|
public boolean onJsBeforeUnload(WebView w, String url, String m, JsResult result) {
|
|
try {
|
|
Intent i = Intent.parseUri(url, 0);
|
|
mActivity.startActivity(i);
|
|
} catch (URISyntaxException e) {
|
|
}
|
|
return false;
|
|
}
|
|
|
|
@Override
|
|
public boolean onJsConfirm(WebView w, String url, String m, JsResult result) {
|
|
try {
|
|
Intent i = Intent.parseUri(url, 0);
|
|
mActivity.startActivity(i);
|
|
} catch (URISyntaxException e) {
|
|
}
|
|
return false;
|
|
}
|
|
|
|
@Override
|
|
public boolean onJsPrompt(WebView w, String url, String m, String s, JsPromptResult result) {
|
|
try {
|
|
Intent i = Intent.parseUri(url, 0);
|
|
mActivity.startActivity(i);
|
|
} catch (URISyntaxException e) {
|
|
}
|
|
return false;
|
|
}
|
|
}
|
|
|
|
void callWebviewSubclassSink(MyWebView webview) {
|
|
String stringSource = (String) InferTaint.inferSecretSource();
|
|
webview.evaluateJavascript(stringSource, null);
|
|
}
|
|
|
|
class JsObject {
|
|
@JavascriptInterface
|
|
Object returnSource() {
|
|
return InferTaint.inferSecretSource();
|
|
}
|
|
}
|
|
|
|
// in order to get this, we have to understand that addJavaScriptInterface can evaluate the
|
|
// JsObject.returnSource method
|
|
void FN_addJavascriptInterface(MyWebView webview) {
|
|
// should warn here
|
|
webview.addJavascriptInterface(new JsObject(), "injectedObject");
|
|
}
|
|
|
|
}
|