Dart Xss Public Storage Webview Injection
Description
This detector identifies Cross-Site Scripting (XSS) vulnerabilities in Dart applications where WebView components load content from files read from public storage directories. When untrusted data from publicly accessible files is directly loaded into WebViews without proper sanitization, attackers can inject malicious scripts that execute in the application's context, potentially compromising user data and application security.
Detection Strategy
• The code must import both the path_provider package (for accessing file system paths) and the webview_flutter package (for WebView functionality)
• A WebView sink method is called (methods that load content into WebView components)
• The first argument to the WebView sink method contains data that originates from reading files located in public/external storage directories
• The data flow from the untrusted file read to the WebView sink is not properly sanitized
• The file being read is accessible to other applications or users on the device, making it a potential attack vector
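The strategy above as an added illustrative sketch, not Fluid Attacks' detector: a line-level taint check that marks values derived from getExternalStorageDirectory as tainted, propagates taint through assignments, clears it when an assumed sanitizer (jsonEncode, htmlEscape) is applied, and reports webview_flutter sink calls (runJavaScript, runJavaScriptReturningResult, loadHtmlString) whose argument is still tainted. The sink and sanitizer lists and the Dart samples are constructed for the demonstration.

```python
import re

# Constructed sketch of the detection strategy above (not Fluid Attacks' engine): taint starts
# at a public-storage path, flows through assignments, and is reported at an unsanitized sink.
REQUIRED_IMPORTS = ("package:path_provider/path_provider.dart",
                    "package:webview_flutter/webview_flutter.dart")
TAINT_SOURCES = ("getExternalStorageDirectory", "getExternalStorageDirectories")
SANITIZERS = ("jsonEncode", "htmlEscape")  # assumed sanitizer names
SINKS = ("runJavaScript", "runJavaScriptReturningResult", "loadHtmlString")
ASSIGN = re.compile(r"^\s*(?:final|var|const)?\s*(?:[\w<>?]+\s+)?(\w+)\s*=\s*(.+);")
SINK_CALL = re.compile(r"\b(?:" + "|".join(SINKS) + r")\s*\((.*)\)")


def uses(names, expr):
    return any(re.search(rf"\b{n}\b", expr) for n in names)


def find_public_storage_webview_xss(dart_source):
    """1-based line numbers of WebView sinks fed by an unsanitized public-storage read."""
    if not all(imp in dart_source for imp in REQUIRED_IMPORTS):
        return []  # precondition: both packages must be imported
    tainted, findings = set(), []
    for lineno, line in enumerate(dart_source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.groups()
            if any(src in rhs for src in TAINT_SOURCES) or (
                    uses(tainted, rhs) and not any(s in rhs for s in SANITIZERS)):
                tainted.add(name)      # path, File(path), readAsString(), interpolation
            else:
                tainted.discard(name)  # fresh or sanitized value overwrites taint
            continue
        call = SINK_CALL.search(line)
        if call and uses(tainted, call.group(1)):
            findings.append(lineno)
    return findings


# Constructed Dart samples: the vulnerable flow and its sanitized counterpart.
VULNERABLE_SAMPLE = """\
import 'package:path_provider/path_provider.dart';
import 'package:webview_flutter/webview_flutter.dart';
final directory = await getExternalStorageDirectory();
final file = File('${directory!.path}/script.js');
final script = await file.readAsString();
await controller.runJavaScript(script);
"""
SAFE_SAMPLE = VULNERABLE_SAMPLE.replace(
    "final script = await file.readAsString();",
    "final script = jsonEncode(await file.readAsString());").replace(
    "runJavaScript(script)", "runJavaScript('render($script)')")
```

The sketch is intraprocedural and string-based; a real detector resolves the data flow across calls and methods, which is why the strategy lists the import precondition separately from the flow check.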
Vulnerable code example
import 'dart:io';
import 'package:path_provider/path_provider.dart';
import 'package:webview_flutter/webview_flutter.dart';

// VULNERABLE: External storage content executed as JavaScript
Future<void> loadScript(WebViewController controller) async {
  final directory = await getExternalStorageDirectory();
  final file = File('${directory!.path}/script.js');
  // Completion of the truncated example (assumed): any app with storage access can rewrite
  // this file, so its contents are attacker-controlled
  final script = await file.readAsString();
  // Sink: the untrusted file contents run as JavaScript in the WebView
  await controller.runJavaScript(script);
}
✅ Secure code example
import 'dart:convert';
import 'dart:io';
import 'package:path_provider/path_provider.dart';
import 'package:webview_flutter/webview_flutter.dart';

// SAFE: External storage content sanitized before JavaScript execution
Future<void> loadScript(WebViewController controller) async {
  final directory = await getExternalStorageDirectory();
  // Completion of the truncated example (assumed): the file is treated as data and JSON-encoded
  // into a JavaScript string literal, so it is passed to a page-side function (render, assumed
  // to exist) instead of being executed as code
  final content = await File('${directory!.path}/script.js').readAsString();
  await controller.runJavaScript('render(${jsonEncode(content)})');
}