diff --git a/rules/S7074/common/extra-mile/csp.adoc b/rules/S7074/common/extra-mile/csp.adoc
new file mode 100644
index 00000000000..9971fdaea1b
--- /dev/null
+++ b/rules/S7074/common/extra-mile/csp.adoc
@@ -0,0 +1,14 @@
+A Content Security Policy helps prevent the injection of malicious content.
+Define a CSP that restricts the sources of content that can be loaded by your application.
+
+[source,javascript]
+----
+mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
+ callback({
+ responseHeaders: {
+ ...details.responseHeaders,
+ 'Content-Security-Policy': ["default-src 'self'; script-src 'self' https://example.com"]
+ }
+ });
+});
+----
\ No newline at end of file
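Review bot: the `onHeadersReceived` hook in this snippet only applies to responses that carry HTTP headers, so a renderer loaded from a local `file://` path (the usual Electron layout) gets no policy from it; say so in the text and, for those pages, point to the `<meta http-equiv="Content-Security-Policy">` tag, which the Electron security tutorial linked from docs.adoc covers in its CSP section. Two smaller points: spreading `...details.responseHeaders` leaves any pre-existing `content-security-policy` header in place under its own key casing, so a page can end up with two policies, and `script-src 'self' https://example.com` is a placeholder that readers will copy verbatim, so label it as one. The file also lacks a trailing newline.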
diff --git a/rules/S7074/common/resources/docs.adoc b/rules/S7074/common/resources/docs.adoc
new file mode 100644
index 00000000000..64a07a0b2e0
--- /dev/null
+++ b/rules/S7074/common/resources/docs.adoc
@@ -0,0 +1,6 @@
+=== Documentation
+
+* Electron Documentation - https://www.electronjs.org/docs/latest/tutorial/security#6-do-not-disable-websecurity[Security - Do not disable webSecurity]
+* Electron Documentation - https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions[BrowserWindow - Options]
+* Electron Documentation - https://www.electronjs.org/docs/latest/api/webview-tag#disablewebsecurity[disablewebsecurity]
+* MDN web docs - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[Content Security Policy (CSP)]
\ No newline at end of file
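Review bot: since this list is now shared and the "Going the extra mile" section that precedes it recommends a CSP, add Electron's own CSP guidance (section 7 of the same security tutorial that the first item links to) beside the MDN entry, so readers get the Electron-specific delivery options (header via `webRequest`, or `<meta>` tag for `file://` pages) rather than only the generic header reference. Add a trailing newline as well.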
diff --git a/rules/S7074/highlighting.adoc b/rules/S7074/highlighting.adoc
new file mode 100644
index 00000000000..3f8b321b0ff
--- /dev/null
+++ b/rules/S7074/highlighting.adoc
@@ -0,0 +1,3 @@
+=== Highlighting
+
+Highlight the `webSecurity` flag (Javascript) or the `disablewebsecurity` attribute (HTML).
\ No newline at end of file
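Review bot: "Javascript" should be "JavaScript"; the line is now included from both rule pages, so the casing appears twice. Add a trailing newline.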
diff --git a/rules/S7074/html/metadata.json b/rules/S7074/html/metadata.json
new file mode 100644
index 00000000000..7a73a41bfdf
--- /dev/null
+++ b/rules/S7074/html/metadata.json
@@ -0,0 +1,2 @@
+{
+}
\ No newline at end of file
diff --git a/rules/S7074/html/rule.adoc b/rules/S7074/html/rule.adoc
new file mode 100644
index 00000000000..547ab417906
--- /dev/null
+++ b/rules/S7074/html/rule.adoc
@@ -0,0 +1,63 @@
+include::../summary.adoc[]
+
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+== How to fix it
+
+=== Code examples
+
+To fix the `webSecurity` flag vulnerability in Electron applications, you should not use the `disablewebsecurity` attribute for `webview` tags. The security restrictions on web content loaded by your application are enabled per default.
+
+==== Noncompliant code example
+
+[source,html,diff-id=11,diff-type=noncompliant]
+----
+
+----
+
+==== Compliant solution
+
+[source,html,diff-id=11,diff-type=compliant]
+----
+
+----
+
+=== How does this work?
+
+The compliant example does not disable `websecurity`. The default setting is secure.
+
+//=== Pitfalls
+
+=== Going the extra mile
+
+include::../common/extra-mile/csp.adoc[]
+
+== Resources
+
+include::../common/resources/docs.adoc[]
+
+//=== Articles & blog posts
+//=== Conference presentations
+//=== Standards
+//=== External coding guidelines
+//=== Benchmarks
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+include::../highlighting.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+endif::env-github,rspecator-view[]
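Review bot: both code examples on this page are empty: the `[source,html,diff-id=11,diff-type=noncompliant]` and `diff-type=compliant` blocks contain nothing between their `----` fences, so the HTML rule ships without the snippet its prose refers to. Fill them with the `<webview>` forms the text describes, for example `<webview src="https://example.com" disablewebsecurity></webview>` as noncompliant and the same tag without the attribute as compliant. In the sentence under "=== Code examples", "enabled per default" should be "enabled by default", and under "How does this work?" the identifier is written `websecurity`, which is neither the HTML attribute (`disablewebsecurity`) nor the JavaScript flag (`webSecurity`); use the attribute name there since this is the HTML page.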
diff --git a/rules/S7074/impact.adoc b/rules/S7074/impact.adoc
new file mode 100644
index 00000000000..6f97b0fe0dc
--- /dev/null
+++ b/rules/S7074/impact.adoc
@@ -0,0 +1,14 @@
+=== What is the potential impact?
+
+When the `webSecurity` flag is disabled, it opens the door to various types of attacks that can compromise the integrity and security of the application and its users.
+
+==== Code Execution
+
+When the `webSecurity` flag is off, attackers can inject malicious scripts into the application and execute arbitrary code.
+These scripts can steal sensitive information such as user credentials or sessions, personal data, and financial information.
+This can lead to identity theft and financial loss for users.
+
+==== Phishing Attacks
+
+With the `webSecurity` flag disabled, attackers can create convincing phishing pages within the application.
+These pages can trick users into providing sensitive information, believing they are interacting with a legitimate part of the application.
\ No newline at end of file
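Review bot: this text is moved verbatim from javascript/rule.adoc, which is fine, but now that it is shared its opening "When the `webSecurity` flag is disabled" reads oddly on the HTML page, where the construct is the `disablewebsecurity` attribute; "When web security is disabled" covers both. The "Code Execution" paragraph also repeats the script-injection claim that rationale.adoc already makes; keep the mechanism in the rationale and the consequences here. Trailing newline is missing.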
diff --git a/rules/S7074/javascript/metadata.json b/rules/S7074/javascript/metadata.json
index 8d81a893d3b..2c63c085104 100644
--- a/rules/S7074/javascript/metadata.json
+++ b/rules/S7074/javascript/metadata.json
@@ -1,23 +1,2 @@
{
- "title": "webSecurity should be enabled",
- "type": "VULNERABILITY",
- "status": "ready",
- "remediation": {
- "func": "Constant\/Issue",
- "constantCost": "5min"
- },
- "tags": [
- ],
- "defaultSeverity": "Major",
- "ruleSpecification": "RSPEC-7074",
- "sqKey": "S7074",
- "scope": "All",
- "defaultQualityProfiles": ["Sonar way"],
- "quickfix": "unknown",
- "code": {
- "impacts": {
- "SECURITY": "MEDIUM"
- },
- "attribute": "CONVENTIONAL"
- }
}
diff --git a/rules/S7074/javascript/rule.adoc b/rules/S7074/javascript/rule.adoc
index 5c7e94a445a..78b05b8ec47 100644
--- a/rules/S7074/javascript/rule.adoc
+++ b/rules/S7074/javascript/rule.adoc
@@ -1,25 +1,10 @@
-The `webSecurity` flag in Electron applications controls the security settings for web content.
+include::../summary.adoc[]
== Why is this an issue?
-When this flag is disabled, it allows the application to load and execute content from any source, including potentially unsafe ones.
-This vulnerability can be exploited when a user interacts with untrusted web content, such as clicking on a malicious link or opening a compromised webpage.
-The attacker can then inject harmful scripts or code into the application, bypassing the usual security restrictions.
+include::../rationale.adoc[]
-=== What is the potential impact?
-
-When the `webSecurity` flag is disabled, it opens the door to various types of attacks that can compromise the integrity and security of the application and its users.
-
-==== Code Execution
-
-When the `webSecurity` flag is off, attackers can inject malicious scripts into the application and execute arbitrary code.
-These scripts can steal sensitive information such as user credentials or sessions, personal data, and financial information.
-This can lead to identity theft and financial loss for users.
-
-==== Phishing Attacks
-
-With the `webSecurity` flag disabled, attackers can create convincing phishing pages within the application.
-These pages can trick users into providing sensitive information, believing they are interacting with a legitimate part of the application.
+include::../impact.adoc[]
== How to fix it
@@ -64,27 +49,11 @@ It is also sufficient not to set this property, as it is enabled by default.
=== Going the extra mile
-A Content Security Policy helps prevent the injection of malicious content.
-Define a CSP that restricts the sources of content that can be loaded by your application.
-
-[source,javascript]
-----
-mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
- callback({
- responseHeaders: {
- ...details.responseHeaders,
- 'Content-Security-Policy': ["default-src 'self'; script-src 'self' https://example.com"]
- }
- });
-});
-----
+include::../common/extra-mile/csp.adoc[]
== Resources
-=== Documentation
-* Electron Documentation - https://www.electronjs.org/docs/latest/tutorial/security#6-do-not-disable-websecurity[Security - Do not disable webSecurity]
-* Electron Documentation - https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions[BrowserWindow - Options]
-* MDN web docs - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[Content Security Policy (CSP)]
+include::../common/resources/docs.adoc[]
//=== Articles & blog posts
//=== Conference presentations
@@ -98,12 +67,9 @@ ifdef::env-github,rspecator-view[]
== Implementation Specification
(visible only on this page)
-=== Message
-* Change this code to enable web security.
-
-=== Highlighting
+include::../message.adoc[]
-Highlight the `webSecurity` flag (Javascript) or the `disablewebsecurity` attribute (HTML).
+include::../highlighting.adoc[]
'''
== Comments And Links
diff --git a/rules/S7074/message.adoc b/rules/S7074/message.adoc
new file mode 100644
index 00000000000..e33371213ca
--- /dev/null
+++ b/rules/S7074/message.adoc
@@ -0,0 +1,2 @@
+=== Message
+* Change this code to enable web security.
\ No newline at end of file
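Review bot: the message works for both the JavaScript flag and the HTML attribute; add a trailing newline so the next edit to this file does not show `\ No newline` churn.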
diff --git a/rules/S7074/metadata.json b/rules/S7074/metadata.json
index 2c63c085104..8d81a893d3b 100644
--- a/rules/S7074/metadata.json
+++ b/rules/S7074/metadata.json
@@ -1,2 +1,23 @@
{
+ "title": "webSecurity should be enabled",
+ "type": "VULNERABILITY",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ ],
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-7074",
+ "sqKey": "S7074",
+ "scope": "All",
+ "defaultQualityProfiles": ["Sonar way"],
+ "quickfix": "unknown",
+ "code": {
+ "impacts": {
+ "SECURITY": "MEDIUM"
+ },
+ "attribute": "CONVENTIONAL"
+ }
}
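Review bot: moving the metadata to the parent means the HTML variant now inherits `"defaultQualityProfiles": ["Sonar way"]` and `"status": "ready"`, so the new HTML rule is enabled in the default profile from this change onward; confirm that is intended given the HTML page's code examples are still empty. `"tags": []` is also empty; consider tagging the rule (for example `electron`) so it groups with related rules.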
diff --git a/rules/S7074/rationale.adoc b/rules/S7074/rationale.adoc
new file mode 100644
index 00000000000..a82dc87787d
--- /dev/null
+++ b/rules/S7074/rationale.adoc
@@ -0,0 +1,3 @@
+When this flag is disabled, it allows the application to load and execute content from any source, including potentially unsafe ones.
+This vulnerability can be exploited when a user interacts with untrusted web content, such as clicking on a malicious link or opening a compromised webpage.
+The attacker can then inject harmful scripts or code into the application, bypassing the usual security restrictions.
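Review bot: "bypassing the usual security restrictions" is too vague for a rationale; per the BrowserWindow options doc linked from docs.adoc, setting `webSecurity` to false disables the same-origin policy and also sets `allowRunningInsecureContent` to true, so say that, since it is what lets page content read cross-origin responses and load insecure `http:` resources into an `https:` page. The opener "When this flag is disabled" also depends on summary.adoc being included immediately before it; on the HTML page the construct is an attribute, so name it here rather than relying on the summary.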
diff --git a/rules/S7074/summary.adoc b/rules/S7074/summary.adoc
new file mode 100644
index 00000000000..0e35ff1e870
--- /dev/null
+++ b/rules/S7074/summary.adoc
@@ -0,0 +1 @@
+The `webSecurity` flag in Electron applications controls the security settings for web content.
\ No newline at end of file
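Review bot: "controls the security settings for web content" is too vague for the line both rule pages open with; state what the option controls (enforcement of the same-origin policy, per the linked BrowserWindow options doc) and name the HTML counterpart, for example "The `webSecurity` BrowserWindow option and the `<webview>` `disablewebsecurity` attribute control whether Electron enforces the same-origin policy on loaded web content." Trailing newline is missing.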