Detection note
This issue was identified through automated LLM-based static analysis of WebView addJavascriptInterface bridges, as part of academic security research at the University of Southern Denmark (SDU) in the context of a master's-level course named Engineering in Research.
The finding was manually reviewed before submission.
To aid the purposes of our research, we would kindly request acknowledgement of the reported issue as well as a final verdict from the open source community working on this repository, even if the issue is not acted on.
We are reporting in good faith and are happy to answer questions.
Please remember both us and LLMs can make mistakes, any response is greatly appreciated :)
Summary
WebAppAircraftInterface.importFromFile() is exposed as a @JavascriptInterface method on the AndroidList bridge registered in AircraftActivity. It accepts a caller-supplied filename and constructs a file path by directly concatenating the app's user data folder with that input, without sanitizing path-traversal sequences. A malicious or compromised page loaded in the WebView can escape the intended directory and read arbitrary files accessible to the app process.
Severity: High
Affected version(s):
Affected file(s)
app/src/main/java/com/ds/avare/webinfc/WebAppAircraftInterface.java -- importFromFile(String txt) (entry point line 442, sink line 488)
app/src/main/java/com/ds/avare/AircraftActivity.java -- bridge registration (line 96)
app/src/main/java/com/ds/avare/storage/Preferences.java -- getUserDataFolder()
Vulnerable code
// app/src/main/java/com/ds/avare/webinfc/WebAppAircraftInterface.java
// Line 442 -- exposed to JavaScript
@JavascriptInterface
public void importFromFile(String txt) {
// ...
// Line 488 -- no canonicalization or boundary check before opening
instream = new FileInputStream(mPref.getUserDataFolder() + File.separator + txt);
// ...
}
// app/src/main/java/com/ds/avare/AircraftActivity.java, line 96
mWebView.addJavascriptInterface(mInfc, "AndroidList");
Proof of concept
// Executed from JavaScript inside the app's WebView.
// Attempts to trigger importFromFile with a traversal sequence
// that escapes the user data folder and reaches the app's SQLite database.
AndroidList.importFromFile("../../databases/avare.db");
Any JavaScript context that can reach the AndroidList bridge (including a compromised or attacker-controlled page if the WebView loads remote content) can invoke this call. The app process will attempt to open the resolved path with no boundary enforcement. Two caveats when reproducing: the payload above assumes the user data folder sits two directory levels below the app's private data directory, so the number of ../ segments needed depends on where getUserDataFolder() resolves on the device; and what an attacker actually learns from the opened file depends on what the remainder of importFromFile() does with its contents, which is not shown above.
Impact
An attacker who can execute JavaScript in the WebView -- whether through a compromised page, a cross-site scripting vulnerability in loaded content, or any other script-injection vector -- can supply arbitrary path-traversal sequences (e.g., ../, ../../) to the importFromFile method. Because the path is concatenated directly without canonicalization or prefix validation, the FileInputStream will open any file readable by the app's process, including:
- SQLite databases (e.g., avare.db) containing flight plans, waypoints, and user data
- Shared preferences XML files, which may contain credentials or tokens
- Any other file within the app's private data sandbox (/data/data/com.ds.avare/)
No user interaction beyond the initial WebView page load is required once an injection vector is present.
Suggested mitigation
Resolve the canonical path of the target file and verify it remains within the intended base directory before opening the stream:
// Requires java.io.File, java.io.FileInputStream and java.io.IOException,
// which the file already imports for the existing FileInputStream call.
@JavascriptInterface
public void importFromFile(String txt) {
try {
// Canonicalize both sides so symlinks and ../ segments are resolved before comparing
File base = new File(mPref.getUserDataFolder()).getCanonicalFile();
File target = new File(base, txt).getCanonicalFile();
// Compare path components, not strings: Path.startsWith will not treat
// a sibling directory such as ".../userdata_evil" as being inside ".../userdata"
if (!target.toPath().startsWith(base.toPath())) {
return; // path traversal attempt -- abort silently or log
}
// Also reject the base directory itself, subdirectories and anything that is not a regular file
if (!target.isFile()) {
return;
}
instream = new FileInputStream(target);
// ... rest of existing logic
} catch (IOException e) {
// handle error (getCanonicalFile and FileInputStream both throw IOException)
}
}
Additionally, consider allowlisting permitted file extensions (e.g., .csv, .gpx) so that even a valid in-directory path cannot be used to read sensitive file types such as .db or .xml preference files.
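To show why the mitigation above canonicalizes first and then compares path components (rather than strings), the following is an added, stand-alone Python example, not code from the Avare project. It builds a constructed directory tree (a user data folder, a prefix-colliding sibling folder, a "databases" folder outside, and a symlink inside the folder pointing outside), then runs the same containment check plus the extension allowlist against traversal, symlink and sibling-name payloads. The allowlist (.csv, .gpx) and the folder names are assumptions for illustration; a naive string-prefix check is included for contrast.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical allowlist; the real app's import formats are not shown in the report.
ALLOWED_EXTENSIONS = {".csv", ".gpx"}


class PathRejected(ValueError):
    """Raised when a caller-supplied name must not be opened."""


def resolve_inside(base_dir: str, user_supplied: str, allowed_exts=ALLOWED_EXTENSIONS) -> Path:
    """Return the canonical path for user_supplied only if it stays inside base_dir.

    Same shape as the Java mitigation: canonicalize both sides (this also
    follows symlinks), then test containment component-wise, then allowlist.
    """
    base = Path(base_dir).resolve(strict=True)
    target = (base / user_supplied).resolve(strict=False)
    # Component-wise ancestry check: rejects ../ escapes, symlinks that point
    # outside, and a sibling such as <root>/userdata_evil next to <root>/userdata.
    if base not in target.parents:
        raise PathRejected(f"escapes {base}: {user_supplied!r}")
    if target.suffix.lower() not in allowed_exts:
        raise PathRejected(f"extension not allowed: {target.suffix!r}")
    if not target.is_file():
        raise PathRejected(f"not a regular file: {user_supplied!r}")
    return target


def naive_string_check(base_dir: str, user_supplied: str) -> bool:
    """The broken variant, shown for contrast: a plain string-prefix test.
    It canonicalizes, but '<root>/userdata_evil/...' still starts with '<root>/userdata'."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_dir, user_supplied))
    return target.startswith(base)


def build_fixture():
    """Constructed directory tree (not taken from the app) mimicking the layout
    the report describes: a user data folder, a database folder next to it,
    a prefix-colliding sibling folder, and a symlink escape inside the folder."""
    root = Path(tempfile.mkdtemp())
    base = root / "userdata"
    base.mkdir()
    (base / "plan.csv").write_text("KJFK,KBOS\n")
    (base / "avare.db").write_bytes(b"SQLite format 3\x00")  # in-directory but sensitive type
    databases = root / "databases"
    databases.mkdir()
    (databases / "avare.db").write_bytes(b"SQLite format 3\x00")
    sibling = root / "userdata_evil"
    sibling.mkdir()
    (sibling / "secret.csv").write_text("leak\n")
    (base / "link.csv").symlink_to(databases / "avare.db")  # allowed extension, escapes via symlink
    return root, base


def classify(base: Path, candidate: str) -> str:
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        resolve_inside(str(base), candidate)
        return "accepted"
    except PathRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    _, base = build_fixture()
    for name in ("plan.csv", "../databases/avare.db", "../../databases/avare.db",
                 "avare.db", "link.csv", "../userdata_evil/secret.csv"):
        print(f"{name:32} -> {classify(base, name)}")
    print("naive prefix check on sibling dir ->",
          naive_string_check(str(base), "../userdata_evil/secret.csv"))
```

The sibling-directory case is the one a string-prefix check gets wrong even after canonicalization, which is why the Java fix uses Path.startsWith (component-wise) and why this example checks `base in target.parents`; the symlink case is the reason canonicalization has to happen before the comparison rather than after.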