Create rule S7074: webSecurity should be enabled (#4265)

* Create rule S7074 * Rule description and fix the folder name * Update rules/S7074/javascript/rule.adoc Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> * Simplify Impacts following review. * Add missing message and highlight information. --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-09-18 13:19:05 +02:00 · 2024-09-18 13:19:05 +02:00 · d70c3c40c7
commit d70c3c40c7
parent 492dae1d8b
3 changed files with 137 additions and 0 deletions
--- a/rules/S7074/javascript/metadata.json
+++ b/rules/S7074/javascript/metadata.json
@ -0,0 +1,23 @@
+{
+  "title": "webSecurity should be enabled",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7074",
+  "sqKey": "S7074",
+  "scope": "All",
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "SECURITY": "MEDIUM"
+    },
+    "attribute": "CONVENTIONAL"
+  }
+}
--- a/rules/S7074/javascript/rule.adoc
+++ b/rules/S7074/javascript/rule.adoc
@ -0,0 +1,112 @@
+The `webSecurity` flag in Electron applications controls the security settings for web content.
+
+== Why is this an issue?
+
+When this flag is disabled, it allows the application to load and execute content from any source, including potentially unsafe ones. 
+This vulnerability can be exploited when a user interacts with untrusted web content, such as clicking on a malicious link or opening a compromised webpage. 
+The attacker can then inject harmful scripts or code into the application, bypassing the usual security restrictions. 
+
+=== What is the potential impact?
+
+When the `webSecurity` flag is disabled, it opens the door to various types of attacks that can compromise the integrity and security of the application and its users.
+
+==== Code Execution
+
+When the `webSecurity` flag is off, attackers can inject malicious scripts into the application and execute arbitrary code. 
+These scripts can steal sensitive information such as user credentials or sessions, personal data, and financial information.
+This can lead to identity theft and financial loss for users.
+
+==== Phishing Attacks
+
+With the `webSecurity` flag disabled, attackers can create convincing phishing pages within the application. 
+These pages can trick users into providing sensitive information, believing they are interacting with a legitimate part of the application.
+
+== How to fix it
+
+=== Code examples
+
+To fix the `webSecurity` flag vulnerability in Electron applications, you need to ensure that the `webSecurity` property of `webPreferences` is not false. 
+This will enforce security restrictions on web content loaded by your application. 
+If the `webSecurity` flag is not explicitly set in your application, it is enabled by default.
+
+==== Noncompliant code example
+
+[source,javascript,diff-id=1,diff-type=noncompliant]
+----
+const { BrowserWindow } = require('electron');
+
+let mainWindow = new BrowserWindow({
+  webPreferences: {
+    webSecurity: false // Noncompliant
+  }
+});
+----
+
+==== Compliant solution
+
+[source,javascript,diff-id=1,diff-type=compliant]
+----
+const { BrowserWindow } = require('electron');
+
+let mainWindow = new BrowserWindow({
+  webPreferences: {
+    webSecurity: true
+  }
+});
+----
+
+=== How does this work?
+
+In the compliant example, `webSecurity` is explicitly enabled. 
+It is also sufficient not to set this property, as it is enabled by default.
+
+//=== Pitfalls
+
+=== Going the extra mile
+
+A Content Security Policy helps prevent the injection of malicious content. 
+Define a CSP that restricts the sources of content that can be loaded by your application.
+
+[source,javascript]
+----
+mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
+  callback({
+    responseHeaders: {
+      ...details.responseHeaders,
+      'Content-Security-Policy': ["default-src 'self'; script-src 'self' https://example.com"]
+    }
+  });
+});
+----
+
+== Resources
+=== Documentation
+
+* Electron Documentation - https://www.electronjs.org/docs/latest/tutorial/security#6-do-not-disable-websecurity[Security - Do not disable webSecurity]
+* Electron Documentation - https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions[BrowserWindow - Options]
+* MDN web docs - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[Content Security Policy (CSP)]
+
+//=== Articles & blog posts
+//=== Conference presentations
+//=== Standards
+//=== External coding guidelines
+//=== Benchmarks
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+* Change this code to enable web security.
+
+=== Highlighting
+
+Highlight the `webSecurity` flag (Javascript) or the `disablewebsecurity` attribute (HTML).
+
+'''
+== Comments And Links
+(visible only on this page)
+
+endif::env-github,rspecator-view[]
--- a/rules/S7074/metadata.json
+++ b/rules/S7074/metadata.json
@ -0,0 +1,2 @@
+{
+}