Create rule S7074: webSecurity should be enabled (#4265)

* Create rule S7074

* Rule description and fix the folder name

* Update rules/S7074/javascript/rule.adoc

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Simplify Impacts following review.

* Add missing message and highlight information.

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
github-actions[bot] 2024-09-18 13:19:05 +02:00 committed by GitHub
parent 492dae1d8b
commit d70c3c40c7
GPG Key ID: B5690EEEBB952194
3 changed files with 137 additions and 0 deletions

@ -0,0 +1,23 @@
{
"title": "webSecurity should be enabled",
"type": "VULNERABILITY",
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
],
"defaultSeverity": "Major",
"ruleSpecification": "RSPEC-7074",
"sqKey": "S7074",
"scope": "All",
"defaultQualityProfiles": ["Sonar way"],
"quickfix": "unknown",
"code": {
"impacts": {
"SECURITY": "MEDIUM"
},
"attribute": "CONVENTIONAL"
}
}
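Review bot: the `tags` array in this metadata is empty, which leaves the rule unfindable by technology; the rule only applies to Electron's `BrowserWindow` options, so a tag such as `electron` would be appropriate here. `"quickfix": "unknown"` also reads like a leftover placeholder: the remediation is described as constant 5 min and the fix in the description is a one-token change (set `webSecurity` to `true` or remove the property), so the field should state whether a quick fix is actually planned rather than `unknown`.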

@ -0,0 +1,112 @@
The `webSecurity` flag in Electron applications controls the security settings for web content.
== Why is this an issue?
When this flag is disabled, it allows the application to load and execute content from any source, including potentially unsafe ones.
This vulnerability can be exploited when a user interacts with untrusted web content, such as clicking on a malicious link or opening a compromised webpage.
The attacker can then inject harmful scripts or code into the application, bypassing the usual security restrictions.
=== What is the potential impact?
When the `webSecurity` flag is disabled, it opens the door to various types of attacks that can compromise the integrity and security of the application and its users.
==== Code Execution
When the `webSecurity` flag is off, attackers can inject malicious scripts into the application and execute arbitrary code.
These scripts can steal sensitive information such as user credentials or sessions, personal data, and financial information.
This can lead to identity theft and financial loss for users.
==== Phishing Attacks
With the `webSecurity` flag disabled, attackers can create convincing phishing pages within the application.
These pages can trick users into providing sensitive information, believing they are interacting with a legitimate part of the application.
== How to fix it
=== Code examples
To fix the `webSecurity` flag vulnerability in Electron applications, you need to ensure that the `webSecurity` property of `webPreferences` is not false.
This will enforce security restrictions on web content loaded by your application.
If the `webSecurity` flag is not explicitly set in your application, it is enabled by default.
==== Noncompliant code example
[source,javascript,diff-id=1,diff-type=noncompliant]
----
const { BrowserWindow } = require('electron');
let mainWindow = new BrowserWindow({
webPreferences: {
webSecurity: false // Noncompliant
}
});
----
==== Compliant solution
[source,javascript,diff-id=1,diff-type=compliant]
----
const { BrowserWindow } = require('electron');
let mainWindow = new BrowserWindow({
webPreferences: {
webSecurity: true
}
});
----
=== How does this work?
In the compliant example, `webSecurity` is explicitly enabled.
It is also sufficient not to set this property, as it is enabled by default.
//=== Pitfalls
=== Going the extra mile
A Content Security Policy helps prevent the injection of malicious content.
Define a CSP that restricts the sources of content that can be loaded by your application.
[source,javascript]
----
mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
callback({
responseHeaders: {
...details.responseHeaders,
'Content-Security-Policy': ["default-src 'self'; script-src 'self' https://example.com"]
}
});
});
----
== Resources
=== Documentation
* Electron Documentation - https://www.electronjs.org/docs/latest/tutorial/security#6-do-not-disable-websecurity[Security - Do not disable webSecurity]
* Electron Documentation - https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions[BrowserWindow - Options]
* MDN web docs - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[Content Security Policy (CSP)]
//=== Articles & blog posts
//=== Conference presentations
//=== Standards
//=== External coding guidelines
//=== Benchmarks
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Change this code to enable web security.
=== Highlighting
Highlight the `webSecurity` flag (Javascript) or the `disablewebsecurity` attribute (HTML).
'''
== Comments And Links
(visible only on this page)
endif::env-github,rspecator-view[]
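Review bot: the Highlighting section of the implementation specification says to highlight the `disablewebsecurity` attribute (HTML), but nothing above it mentions that attribute: the description, the noncompliant/compliant pair and the "How to fix it" text only cover `webPreferences.webSecurity` in JavaScript. Either add a second noncompliant/compliant pair for the HTML form (a `<webview>` tag carrying `disablewebsecurity`) with its own `diff-id`, or drop the HTML mention from Highlighting so the spec and the description agree. Two smaller points: the "How to fix it" paragraph says the property must be "not false", which would be clearer as "must not be set to `false`" (an explicit `true` and omitting the property are both compliant, as "How does this work?" already states); and in the CSP example the `https://example.com` host in `script-src` should be called out as a placeholder for the application's own trusted script origin, otherwise readers may copy the allowlisted host verbatim.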

@ -0,0 +1,2 @@
{
}