mobsf.mobsfscan.webview.webview_external_storage.webview_external_storage

profile photo of MobSFMobSF
Author
unknown
Download Count*
GPLv3
License

WebView load files from external storage. Files in external storage can be modified by any application.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: webview_external_storage
    patterns:
      - pattern-either:
          - pattern: |
              $X = <... $E.getExternalStorageDirectory() ...>;
              ...
              $WV.loadUrl(<... $X ...>);
          - pattern: |
              $WV.loadUrl(<... $E.getExternalStorageDirectory().$F() ...>);
          - pattern: |
              $X = <... Environment.getExternalStorageDirectory().$F() ...>;
              ...
              $WV.loadUrl(<... $X ...>);
          - pattern: |
              $X = <... $E.getExternalFilesDir(...) ...>;
              ...
              $WV.loadUrl(<... $X ...>);
    message: WebView load files from external storage. Files in external storage can
      be modified by any application.
    languages:
      - java
    severity: ERROR
    metadata:
      cwe: cwe-749
      owasp-mobile: m1
      masvs: platform-6
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-webview-protocol-handlers-mstg-platform-6
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other