Create rule S7085: Missing Navigation Filtering (#4305)

* Create rule S7085 * Added rule description for S7085 --------- Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com>
2024-09-20 13:58:21 +02:00 · 2024-09-20 13:58:21 +02:00 · a8fe186b1c
commit a8fe186b1c
parent 82c24b65b4
3 changed files with 140 additions and 0 deletions
--- a/rules/S7085/javascript/metadata.json
+++ b/rules/S7085/javascript/metadata.json
@ -0,0 +1,23 @@
 {
  "title": "Missing Navigation Filtering",
  "type": "VULNERABILITY",
  "status": "ready",
  "remediation": {
    "func": "Constant\/Issue",
    "constantCost": "5min"
  },
  "tags": [
  ],
  "defaultSeverity": "Major",
  "ruleSpecification": "RSPEC-7085",
  "sqKey": "S7085",
  "scope": "All",
  "defaultQualityProfiles": ["Sonar way"],
  "quickfix": "unknown",
  "code": {
    "impacts": {
      "SECURITY": "MEDIUM"
    },
    "attribute": "COMPLETE"
  }
 }
--- a/rules/S7085/javascript/rule.adoc
+++ b/rules/S7085/javascript/rule.adoc
@ -0,0 +1,115 @@
 Unrestricted navigation in Electron applications can lead to security issues.
 == Why is this an issue?
 By default, Electron allows renderers to navigate to any location. This navigation can be triggered by clicking on the link of a web content page, by dragging and dropping URLs on the application’s window, and in other ways. This might allow navigating to malicious pages and websites that might be able to take advantage of potential render privileges (IPC events, exposed API functions, etc).
 === What is the potential impact?
 Unrestricted navigation in Electron applications poses significant security risks. Electron apps combine web technologies with native capabilities, making them powerful but also potentially vulnerable to web-based attacks. If navigation is not properly restricted, malicious actors can exploit this to navigate to untrusted or harmful web content. This can lead to a variety of security issues, including:
 ==== Cross-Site Scripting (XSS) Attacks
 Unrestricted navigation can allow attackers to inject malicious scripts into the application, leading to data theft, session hijacking, or other malicious activities.
 ==== Phishing Attacks
 Users can be redirected to phishing sites that mimic legitimate services, tricking them into divulging sensitive information such as login credentials or financial details.
 ==== Remote Code Execution
 By navigating to a malicious site, an attacker might exploit vulnerabilities in the Electron app or its dependencies to execute arbitrary code on the user's machine.
 == How to fix it
 === Code examples
 ==== Noncompliant code example
 [source,javascript,diff-id=1,diff-type=noncompliant]
 ----
 const { app, BrowserWindow } = require('electron/main')
 const createWindow = () => {
  const win = new BrowserWindow({
    width: 600,
    height: 800,
  })
  win.loadUrl('https://safe.example.com')
 }
 app.whenReady().then(() => {
  createWindow()
 })
 ----
 ==== Compliant solution
 [source,javascript,diff-id=1,diff-type=compliant]
 ----
 const { app, BrowserWindow } = require('electron/main')
 const { URL } = require('url')
 const createWindow = () => {
  const win = new BrowserWindow({
    width: 600,
    height: 800,
  })
  win.loadUrl('https://safe.example.com')
 }
 app.on('web-contents-created', (event, contents) => {
    contents.on('will-navigate', (event, navigationUrl) => {
        const parsedUrl = new URL(navigationUrl)
        if (parsedUrl.origin !== 'https://safe.example.com') {
        event.preventDefault()
        }
    })
 })
 app.whenReady().then(() => {
  createWindow()
 })
 ----
 === How does this work?
 The compliant code adds an event listener that will check for every webcontent that will navigate,
 if the target URL points to a safe host.
 //=== Pitfalls
 //=== Going the extra mile
 == Resources
 === Documentation
 * Electron Documentation - https://www.electronjs.org/docs/latest/tutorial/security#13-disable-or-limit-navigation[Disable or limit navigation]
 * Electron Documentation - https://www.electronjs.org/docs/latest/api/web-contents#event-will-navigate[Event: 'will-navigate']
 //=== Articles & blog posts
 //=== Conference presentations
 //=== Standards
 //=== External coding guidelines
 //=== Benchmarks
 ifdef::env-github,rspecator-view[]
 '''
 == Implementation Specification
 (visible only on this page)
 === Message
 * Make sure to restrict navigation targets.
 === Highlighting
 Highlight the first new BrowserWindow() call that is found.
 '''
 == Comments And Links
 (visible only on this page)
 endif::env-github,rspecator-view[]
--- a/rules/S7085/metadata.json
+++ b/rules/S7085/metadata.json
@ -0,0 +1,2 @@
 {
 }