Create rule S7074: webSecurity should be enabled (#4302)

* Add html to rule S7074 * Add html for S7074 --------- Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com>
2024-09-19 16:03:28 +02:00 · 2024-09-19 16:03:28 +02:00 · 5a801735f7
commit 5a801735f7
parent 9debaf87d1
12 changed files with 136 additions and 62 deletions
--- a/rules/S7074/common/extra-mile/csp.adoc
+++ b/rules/S7074/common/extra-mile/csp.adoc
@ -0,0 +1,14 @@
+A Content Security Policy helps prevent the injection of malicious content. 
+Define a CSP that restricts the sources of content that can be loaded by your application.
+
+[source,javascript]
+----
+mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
+  callback({
+    responseHeaders: {
+      ...details.responseHeaders,
+      'Content-Security-Policy': ["default-src 'self'; script-src 'self' https://example.com"]
+    }
+  });
+});
+----
--- a/rules/S7074/common/resources/docs.adoc
+++ b/rules/S7074/common/resources/docs.adoc
@ -0,0 +1,6 @@
+=== Documentation
+
+* Electron Documentation - https://www.electronjs.org/docs/latest/tutorial/security#6-do-not-disable-websecurity[Security - Do not disable webSecurity]
+* Electron Documentation - https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions[BrowserWindow - Options]
+* Electron Documentation - https://www.electronjs.org/docs/latest/api/webview-tag#disablewebsecurity[disablewebsecurity]
+* MDN web docs - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[Content Security Policy (CSP)]
--- a/rules/S7074/highlighting.adoc
+++ b/rules/S7074/highlighting.adoc
@ -0,0 +1,3 @@
+=== Highlighting
+
+Highlight the `webSecurity` flag (Javascript) or the `disablewebsecurity` attribute (HTML).
--- a/rules/S7074/html/metadata.json
+++ b/rules/S7074/html/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S7074/html/rule.adoc
+++ b/rules/S7074/html/rule.adoc
@ -0,0 +1,63 @@
+include::../summary.adoc[]
+
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+== How to fix it
+
+=== Code examples
+
+To fix the `webSecurity` flag vulnerability in Electron applications, you should not use the `disablewebsecurity` attribute for `webview` tags. The security restrictions on web content loaded by your application are enabled per default.
+
+==== Noncompliant code example
+
+[source,html,diff-id=11,diff-type=noncompliant]
+----
+<webview disablewebsecurity src="page.html"></webview><!-- noncompliant -->
+----
+
+==== Compliant solution
+
+[source,html,diff-id=11,diff-type=compliant]
+----
+<webview src="page.html"></webview>
+----
+
+=== How does this work?
+
+The compliant example does not disable `websecurity`. The default setting is secure.
+
+//=== Pitfalls
+
+=== Going the extra mile
+
+include::../common/extra-mile/csp.adoc[]
+
+== Resources
+
+include::../common/resources/docs.adoc[]
+
+//=== Articles & blog posts
+//=== Conference presentations
+//=== Standards
+//=== External coding guidelines
+//=== Benchmarks
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+include::../highlighting.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+endif::env-github,rspecator-view[]
--- a/rules/S7074/impact.adoc
+++ b/rules/S7074/impact.adoc
@ -0,0 +1,14 @@
+=== What is the potential impact?
+
+When the `webSecurity` flag is disabled, it opens the door to various types of attacks that can compromise the integrity and security of the application and its users.
+
+==== Code Execution
+
+When the `webSecurity` flag is off, attackers can inject malicious scripts into the application and execute arbitrary code. 
+These scripts can steal sensitive information such as user credentials or sessions, personal data, and financial information.
+This can lead to identity theft and financial loss for users.
+
+==== Phishing Attacks
+
+With the `webSecurity` flag disabled, attackers can create convincing phishing pages within the application. 
+These pages can trick users into providing sensitive information, believing they are interacting with a legitimate part of the application.
--- a/rules/S7074/javascript/metadata.json
+++ b/rules/S7074/javascript/metadata.json
@ -1,23 +1,2 @@
 {
-  "title": "webSecurity should be enabled",
-  "type": "VULNERABILITY",
-  "status": "ready",
-  "remediation": {
-    "func": "Constant\/Issue",
-    "constantCost": "5min"
-  },
-  "tags": [
-  ],
-  "defaultSeverity": "Major",
-  "ruleSpecification": "RSPEC-7074",
-  "sqKey": "S7074",
-  "scope": "All",
-  "defaultQualityProfiles": ["Sonar way"],
-  "quickfix": "unknown",
-  "code": {
-    "impacts": {
-      "SECURITY": "MEDIUM"
-    },
-    "attribute": "CONVENTIONAL"
-  }
 }
--- a/rules/S7074/javascript/rule.adoc
+++ b/rules/S7074/javascript/rule.adoc
@ -1,25 +1,10 @@
-The `webSecurity` flag in Electron applications controls the security settings for web content.
+include::../summary.adoc[]

 == Why is this an issue?

-When this flag is disabled, it allows the application to load and execute content from any source, including potentially unsafe ones. 
-This vulnerability can be exploited when a user interacts with untrusted web content, such as clicking on a malicious link or opening a compromised webpage. 
-The attacker can then inject harmful scripts or code into the application, bypassing the usual security restrictions. 
+include::../rationale.adoc[]

-=== What is the potential impact?
-
-When the `webSecurity` flag is disabled, it opens the door to various types of attacks that can compromise the integrity and security of the application and its users.
-
-==== Code Execution
-
-When the `webSecurity` flag is off, attackers can inject malicious scripts into the application and execute arbitrary code. 
-These scripts can steal sensitive information such as user credentials or sessions, personal data, and financial information.
-This can lead to identity theft and financial loss for users.
-
-==== Phishing Attacks
-
-With the `webSecurity` flag disabled, attackers can create convincing phishing pages within the application. 
-These pages can trick users into providing sensitive information, believing they are interacting with a legitimate part of the application.
+include::../impact.adoc[]

 == How to fix it

@ -64,27 +49,11 @@ It is also sufficient not to set this property, as it is enabled by default.

 === Going the extra mile

-A Content Security Policy helps prevent the injection of malicious content. 
-Define a CSP that restricts the sources of content that can be loaded by your application.
-
-[source,javascript]
----
-mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
-  callback({
-    responseHeaders: {
-      ...details.responseHeaders,
-      'Content-Security-Policy': ["default-src 'self'; script-src 'self' https://example.com"]
-    }
-  });
-});
----
+include::../common/extra-mile/csp.adoc[]

 == Resources
-=== Documentation

-* Electron Documentation - https://www.electronjs.org/docs/latest/tutorial/security#6-do-not-disable-websecurity[Security - Do not disable webSecurity]
-* Electron Documentation - https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions[BrowserWindow - Options]
-* MDN web docs - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[Content Security Policy (CSP)]
+include::../common/resources/docs.adoc[]

 //=== Articles & blog posts
 //=== Conference presentations
@ -98,12 +67,9 @@ ifdef::env-github,rspecator-view[]
 == Implementation Specification
 (visible only on this page)

-=== Message
-* Change this code to enable web security.
+include::../message.adoc[]

-=== Highlighting
-
-Highlight the `webSecurity` flag (Javascript) or the `disablewebsecurity` attribute (HTML).
+include::../highlighting.adoc[]

 '''
 == Comments And Links
--- a/rules/S7074/message.adoc
+++ b/rules/S7074/message.adoc
@ -0,0 +1,2 @@
+=== Message
+* Change this code to enable web security.
--- a/rules/S7074/metadata.json
+++ b/rules/S7074/metadata.json
@ -1,2 +1,23 @@
 {
+  "title": "webSecurity should be enabled",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7074",
+  "sqKey": "S7074",
+  "scope": "All",
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "SECURITY": "MEDIUM"
+    },
+    "attribute": "CONVENTIONAL"
+  }
 }
--- a/rules/S7074/rationale.adoc
+++ b/rules/S7074/rationale.adoc
@ -0,0 +1,3 @@
+When this flag is disabled, it allows the application to load and execute content from any source, including potentially unsafe ones. 
+This vulnerability can be exploited when a user interacts with untrusted web content, such as clicking on a malicious link or opening a compromised webpage. 
+The attacker can then inject harmful scripts or code into the application, bypassing the usual security restrictions. 
--- a/rules/S7074/summary.adoc
+++ b/rules/S7074/summary.adoc
@ -0,0 +1 @@
+The `webSecurity` flag in Electron applications controls the security settings for web content.
				`@ -0,0 +1 @@`
				The `webSecurity` flag in Electron applications controls the security settings for web content.