lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks/AddJavascriptInterfaceDetector.kt

/*
 * Copyright (C) 2014 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.android.tools.lint.checks

import com.android.tools.lint.client.api.TYPE_OBJECT
import com.android.tools.lint.client.api.TYPE_STRING
import com.android.tools.lint.detector.api.Category
import com.android.tools.lint.detector.api.Detector
import com.android.tools.lint.detector.api.Implementation
import com.android.tools.lint.detector.api.Issue
import com.android.tools.lint.detector.api.JavaContext
import com.android.tools.lint.detector.api.Scope
import com.android.tools.lint.detector.api.Severity
import com.android.tools.lint.detector.api.SourceCodeScanner
import com.intellij.psi.PsiMethod
import org.jetbrains.uast.UCallExpression

/**
 * Ensures that addJavascriptInterface is not called for API levels below 17.
 */
class AddJavascriptInterfaceDetector : Detector(), SourceCodeScanner {
    companion object {
        @JvmField
        val ISSUE = Issue.create(
            id = "AddJavascriptInterface",
            //noinspection LintImplTextFormat
            briefDescription = "`addJavascriptInterface` Called",
            explanation = """
            For applications built for API levels below 17, `WebView#addJavascriptInterface` presents a \
            security hazard as JavaScript on the target web page has the ability to use reflection to access \
            the injected object's public fields and thus manipulate the host application in unintended ways.
            """,
            moreInfo = "https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object,%20java.lang.String)",
            category = Category.SECURITY,
            priority = 9,
            severity = Severity.WARNING,
            androidSpecific = true,
            implementation = Implementation(
                AddJavascriptInterfaceDetector::class.java,
                Scope.JAVA_FILE_SCOPE
            )
        ).addMoreInfo("https://support.google.com/faqs/answer/9095419?hl=en")

        const val WEB_VIEW = "android.webkit.WebView"
        const val ADD_JAVASCRIPT_INTERFACE = "addJavascriptInterface"
    }

    // ---- implements SourceCodeScanner ----

    override fun getApplicableMethodNames(): List<String>? = listOf(ADD_JAVASCRIPT_INTERFACE)

    override fun visitMethodCall(
        context: JavaContext,
        node: UCallExpression,
        method: PsiMethod
    ) {
        // Ignore the issue if we never build for any API less than 17.
        if (context.mainProject.minSdk >= 17) {
            return
        }

        val evaluator = context.evaluator
        if (!evaluator.methodMatches(method, WEB_VIEW, true, TYPE_OBJECT, TYPE_STRING)) {
            return
        }

        val message = "`WebView.addJavascriptInterface` should not be called with " +
                "minSdkVersion < 17 for security reasons: JavaScript can use reflection " +
                "to manipulate application"
        context.report(ISSUE, node, context.getNameLocation(node), message)
    }
}