JavaScript Injection

ID: swift/unsafe-js-eval
Kind: path-problem
Security severity: 9.3
Severity: warning
Precision: medium
Tags:
  - security
  - external/cwe/cwe-094
  - external/cwe/cwe-095
  - external/cwe/cwe-749
Query suites:
  - swift-security-extended.qls
  - swift-security-and-quality.qls
Evaluating JavaScript that contains a substring from a remote origin may lead to remote code execution. Code written by an attacker can execute unauthorized actions, including exfiltration of local data through a third party web service.
Recommendation

When loading JavaScript into a web view, evaluate only known, locally-defined source code. If part of the input comes from a remote source (for example, the body of a network response), do not concatenate it into the JavaScript source to be evaluated, even inside quotes or a function call. Instead, send it to the web view as data, using an API such as WKWebView.callAsyncJavaScript with the arguments dictionary to pass remote data values.
Example

In the following (bad) example, a call to WKWebView.evaluateJavaScript evaluates JavaScript source code that is tainted with remote data, potentially introducing a code injection vulnerability. The remote string becomes part of the program text, so a response containing a closing parenthesis followed by further statements is executed as code.

```swift
import WebKit

let webview: WKWebView
// Remote, attacker-controlled content fetched over plain HTTP
let remoteData = try String(contentsOf: URL(string: "http://example.com/evil.json")!)
...
// The remote string is spliced into the JavaScript source text
_ = try await webview.evaluateJavaScript("console.log(" + remoteData + ")") // BAD
```
In the following (good) example, the remote data is not sanitized but kept separate from the code: it is passed as a value through the arguments dictionary of WKWebView.callAsyncJavaScript. The web view treats the string argument as the body of a JavaScript function whose parameters are the dictionary keys, so the remote content arrives in the variable data at run time and is never parsed as JavaScript source code.

```swift
import WebKit

let webview: WKWebView
// Remote, attacker-controlled content fetched over plain HTTP
let remoteData = try String(contentsOf: URL(string: "http://example.com/evil.json")!)
...
// The function body is fixed; the remote string is bound to the parameter `data`
_ = try await webview.callAsyncJavaScript("console.log(data)",
                                          arguments: ["data": remoteData], // GOOD
                                          contentWorld: .page)
```
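To make the difference between the two patterns concrete, the following Node.js script is an added example, not code from the CodeQL query help or from WebKit. It models the two WKWebView APIs with two small helpers: evaluateJavaScript is modelled as parsing the whole string as a program, and callAsyncJavaScript as a function whose parameters are the keys of the arguments dictionary. Both helpers and the two remote responses (a hostile one and a benign JSON document) are constructed assumptions for illustration; the real callAsyncJavaScript additionally runs the body as an async function inside the web view's content world and requires argument values that can be serialized into it.

```javascript
// Added example: a Node.js model of the two evaluation strategies.
// The two helpers approximate WKWebView semantics; they are not WebKit code.

// Model of WKWebView.evaluateJavaScript: the whole string is parsed as a
// program, so anything concatenated into it can change its meaning.
function evaluateJavaScriptModel(source) {
  return new Function(source)();
}

// Model of WKWebView.callAsyncJavaScript: `functionBody` is the program and
// every key of `args` becomes a parameter bound to the matching value. The
// values are delivered at run time and are never parsed as source code.
function callAsyncJavaScriptModel(functionBody, args) {
  const names = Object.keys(args);
  const values = names.map((name) => args[name]);
  return new Function(...names, functionBody)(...values);
}

// Constructed stand-in for the body of http://example.com/evil.json. The
// payload closes the `console.log(` the app opened, runs its own statement,
// and reopens a call so the concatenated program still parses.
const HOSTILE_REMOTE_DATA =
  "1); globalThis.exfiltrated = 'session=abc123'; console.log(";

// Constructed benign response, to show the safe path still handles real data.
const BENIGN_REMOTE_DATA = '{"user":"alice"}';

// The BAD pattern from the page: remote data spliced into source text.
// Returns whatever the injected statement managed to write, or undefined.
function runBadPattern(remoteData) {
  globalThis.exfiltrated = undefined;
  evaluateJavaScriptModel("console.log(" + remoteData + ")"); // BAD
  return globalThis.exfiltrated;
}

// The GOOD pattern from the page: remote data bound to the parameter `data`.
// Returns the value the function body saw plus any side effect on the global.
function runGoodPattern(remoteData) {
  globalThis.exfiltrated = undefined;
  const seen = callAsyncJavaScriptModel(
    "console.log(data); return data;", // GOOD: `data` is a value, not source
    { data: remoteData }
  );
  return { seen, exfiltrated: globalThis.exfiltrated };
}

// A realistic use of the safe path: the page parses the JSON itself, so a
// remote document is consumed as data rather than evaluated as a literal.
function userFromRemoteJson(remoteData) {
  return callAsyncJavaScriptModel(
    "return JSON.parse(data).user;",
    { data: remoteData }
  );
}

// Usage: the same hostile string is executed by the first pattern and merely
// printed by the second.
runBadPattern(HOSTILE_REMOTE_DATA);
runGoodPattern(HOSTILE_REMOTE_DATA);
userFromRemoteJson(BENIGN_REMOTE_DATA);
```

Running the script shows that runBadPattern executes the injected statement (the global is set), while runGoodPattern only prints the hostile string and leaves the global untouched. Note that the safe pattern does not depend on the content of the remote string at all: no escaping or quoting rule has to be right, because the value never reaches the parser.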
References

Apple Developer Documentation: WKWebView.callAsyncJavaScript(_:arguments:in:contentWorld:)
Common Weakness Enumeration: CWE-94.
Common Weakness Enumeration: CWE-95.
Common Weakness Enumeration: CWE-749.