Create rule S7074: webSecurity should be enabled (#4302)
* Add html to rule S7074
* Add html for S7074

---------

Co-authored-by: daniel-teuchert-sonarsource <[email protected]>
Co-authored-by: Daniel Teuchert <[email protected]>
1 parent 9debaf8, commit 5a80173
Showing 12 changed files with 136 additions and 62 deletions.
@@ -0,0 +1,14 @@ | ||
A Content Security Policy helps prevent the injection of malicious content. | ||
Define a CSP that restricts the sources of content that can be loaded by your application. | ||
|
||
[source,javascript] | ||
---- | ||
mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => { | ||
callback({ | ||
responseHeaders: { | ||
...details.responseHeaders, | ||
'Content-Security-Policy': ["default-src 'self'; script-src 'self' https://example.com"] | ||
} | ||
}); | ||
}); | ||
---- |
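Review bot: the `onHeadersReceived` handler only attaches a policy to responses that carry HTTP headers, so the extra-mile text should say how to cover pages the app loads from disk; the Electron security tutorial linked from `docs.adoc` recommends a `<meta http-equiv="Content-Security-Policy">` tag in the page markup for the `file://` case, and one sentence pointing there would keep readers from assuming the snippet alone protects their bundled HTML. Also mark `https://example.com` in `script-src 'self' https://example.com` as a placeholder to be replaced with the application's real script origin, otherwise it is likely to be copied verbatim.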
@@ -0,0 +1,6 @@ | ||
=== Documentation | ||
|
||
* Electron Documentation - https://www.electronjs.org/docs/latest/tutorial/security#6-do-not-disable-websecurity[Security - Do not disable webSecurity] | ||
* Electron Documentation - https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions[BrowserWindow - Options] | ||
* Electron Documentation - https://www.electronjs.org/docs/latest/api/webview-tag#disablewebsecurity[disablewebsecurity] | ||
* MDN web docs - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[Content Security Policy (CSP)] |
@@ -0,0 +1,3 @@ | ||
=== Highlighting | ||
|
||
Highlight the `webSecurity` flag (Javascript) or the `disablewebsecurity` attribute (HTML). |
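Review bot: "Javascript" should be spelled "JavaScript". The instruction is also ambiguous for the JavaScript case: say whether the highlight covers the whole `webSecurity: false` property inside `webPreferences` (key and value) or only the `webSecurity` key, since an issue is raised only when the value is `false` and the highlight should point at the disabling value.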
@@ -0,0 +1,2 @@ | ||
{ | ||
} |
@@ -0,0 +1,63 @@ | ||
include::../summary.adoc[] | ||
|
||
== Why is this an issue? | ||
|
||
include::../rationale.adoc[] | ||
|
||
include::../impact.adoc[] | ||
|
||
== How to fix it | ||
|
||
=== Code examples | ||
|
||
To fix the `webSecurity` flag vulnerability in Electron applications, you should not use the `disablewebsecurity` attribute for `webview` tags. The security restrictions on web content loaded by your application are enabled per default. | ||
|
||
==== Noncompliant code example | ||
|
||
[source,html,diff-id=11,diff-type=noncompliant] | ||
---- | ||
<webview disablewebsecurity src="page.html"></webview><!-- noncompliant --> | ||
---- | ||
|
||
==== Compliant solution | ||
|
||
[source,html,diff-id=11,diff-type=compliant] | ||
---- | ||
<webview src="page.html"></webview> | ||
---- | ||
|
||
=== How does this work? | ||
|
||
The compliant example does not disable `websecurity`. The default setting is secure. | ||
|
||
//=== Pitfalls | ||
|
||
=== Going the extra mile | ||
|
||
include::../common/extra-mile/csp.adoc[] | ||
|
||
== Resources | ||
|
||
include::../common/resources/docs.adoc[] | ||
|
||
//=== Articles & blog posts | ||
//=== Conference presentations | ||
//=== Standards | ||
//=== External coding guidelines | ||
//=== Benchmarks | ||
|
||
ifdef::env-github,rspecator-view[] | ||
|
||
''' | ||
== Implementation Specification | ||
(visible only on this page) | ||
|
||
include::../message.adoc[] | ||
|
||
include::../highlighting.adoc[] | ||
|
||
''' | ||
== Comments And Links | ||
(visible only on this page) | ||
|
||
endif::env-github,rspecator-view[] |
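Review bot: the `=== How does this work?` section ("The compliant example does not disable `websecurity`. The default setting is secure.") does not explain what the default enforces; the BrowserWindow options page linked from `docs.adoc` states that turning the option off disables the same-origin policy and turns on running insecure content, and the section should say that so readers understand what they get back by removing the attribute. Two wording issues in the same hunk: "per default" should be "by default", and the spelling is inconsistent across the file (`webSecurity` flag in the intro, `disablewebsecurity` attribute in the examples, bare `websecurity` in "How does this work?"); use `disablewebsecurity` when referring to the HTML attribute and `webSecurity` only for the JavaScript option.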
@@ -0,0 +1,14 @@ | ||
=== What is the potential impact? | ||
|
||
When the `webSecurity` flag is disabled, it opens the door to various types of attacks that can compromise the integrity and security of the application and its users. | ||
|
||
==== Code Execution | ||
|
||
When the `webSecurity` flag is off, attackers can inject malicious scripts into the application and execute arbitrary code. | ||
These scripts can steal sensitive information such as user credentials or sessions, personal data, and financial information. | ||
This can lead to identity theft and financial loss for users. | ||
|
||
==== Phishing Attacks | ||
|
||
With the `webSecurity` flag disabled, attackers can create convincing phishing pages within the application. | ||
These pages can trick users into providing sensitive information, believing they are interacting with a legitimate part of the application. |
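Review bot: both impact subsections describe consequences of any script injection ("inject malicious scripts", "convincing phishing pages") without tying them to what `webSecurity` actually gates, so the section does not justify why this flag in particular matters. Since the option disables the same-origin policy (see the BrowserWindow documentation linked in `docs.adoc`), the concrete impact is that any script running in the renderer can read responses from other origins that the browser would otherwise block, which is what turns an injection into data theft; rewrite "Code Execution" around cross-origin reads and exfiltration. The "Phishing Attacks" subsection should either explain how a disabled flag makes phishing easier than it already is in a renderer that can load arbitrary pages, or be dropped, because as written it reads as boilerplate.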
@@ -1,23 +1,2 @@ | ||
{ | ||
"title": "webSecurity should be enabled", | ||
"type": "VULNERABILITY", | ||
"status": "ready", | ||
"remediation": { | ||
"func": "Constant\/Issue", | ||
"constantCost": "5min" | ||
}, | ||
"tags": [ | ||
], | ||
"defaultSeverity": "Major", | ||
"ruleSpecification": "RSPEC-7074", | ||
"sqKey": "S7074", | ||
"scope": "All", | ||
"defaultQualityProfiles": ["Sonar way"], | ||
"quickfix": "unknown", | ||
"code": { | ||
"impacts": { | ||
"SECURITY": "MEDIUM" | ||
}, | ||
"attribute": "CONVENTIONAL" | ||
} | ||
} |
@@ -0,0 +1,2 @@ | ||
=== Message | ||
* Change this code to enable web security. |
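Review bot: "Change this code to enable web security." does not tell the user what to change, even though `highlighting.adoc` already pins the issue to the `webSecurity` flag or the `disablewebsecurity` attribute; a message such as "Remove this attribute/flag to keep web security enabled." matches the highlighted construct and the fix shown in `rule.adoc`.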
@@ -1,2 +1,23 @@ | ||
{ | ||
"title": "webSecurity should be enabled", | ||
"type": "VULNERABILITY", | ||
"status": "ready", | ||
"remediation": { | ||
"func": "Constant\/Issue", | ||
"constantCost": "5min" | ||
}, | ||
"tags": [ | ||
], | ||
"defaultSeverity": "Major", | ||
"ruleSpecification": "RSPEC-7074", | ||
"sqKey": "S7074", | ||
"scope": "All", | ||
"defaultQualityProfiles": ["Sonar way"], | ||
"quickfix": "unknown", | ||
"code": { | ||
"impacts": { | ||
"SECURITY": "MEDIUM" | ||
}, | ||
"attribute": "CONVENTIONAL" | ||
} | ||
} |
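Review bot: `"tags": []` is empty and `"quickfix": "unknown"`, while `rule.adoc` leaves `//=== Standards` commented out, so the rule ships with no way to filter it by framework and no standards mapping. Add at least a framework tag (for example `electron`) and a Standards entry in `rule.adoc`, and decide whether a quick fix is feasible instead of leaving `unknown`: the compliant solutions in this commit consist of deleting an attribute or a `false` value, which is about as mechanical as a fix gets.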
@@ -0,0 +1,3 @@ | ||
When this flag is disabled, it allows the application to load and execute content from any source, including potentially unsafe ones. | ||
This vulnerability can be exploited when a user interacts with untrusted web content, such as clicking on a malicious link or opening a compromised webpage. | ||
The attacker can then inject harmful scripts or code into the application, bypassing the usual security restrictions. |
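Review bot: "allows the application to load and execute content from any source" is not what the flag controls; a renderer with `webSecurity` enabled already loads content from arbitrary origins. What the option disables is the same-origin policy (and, per the BrowserWindow documentation linked in `docs.adoc`, it also allows running insecure content), so the rationale should say that scripts in the renderer gain read access to other origins' responses. The next two sentences ("clicking on a malicious link", "inject harmful scripts") describe how an attacker gets code into the page, which the flag does not change; state instead that the flag removes the boundary that would otherwise contain an injected script, so the injection becomes cross-origin data theft.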
@@ -0,0 +1 @@ | ||
The `webSecurity` flag in Electron applications controls the security settings for web content. |
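Review bot: "controls the security settings for web content" gives the reader nothing concrete to look for. Name the setting: `webSecurity` is the `webPreferences` option (mirrored by the `disablewebsecurity` attribute on `<webview>`) that enables the same-origin policy for the renderer, and it is `true` by default, which is the fact the rest of the rule relies on ("The default setting is secure.").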