Add security rules for JavaScript settings and base URL in Swift web views #48

Open
wants to merge 3 commits into
base: main
110 changes: 110 additions & 0 deletions rules/swift/security/swift-webview-config-allows-js-swift.yml
@@ -0,0 +1,110 @@
id: swift-webview-config-allows-js-swift
severity: warning
language: swift
message: >-
Webviews were observed that do not have JavaScript disabled. Consider
disabling JavaScript wherever the functionality is not required, following
the principle of least privelege.
note: >-
[CWE-272] Least Privilege Violation.
[REFERENCES]
- https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/
utils:
match_pattern_upgradeKnownHostsToHTTPS:
kind: assignment
all:
- has:
stopBy: neighbor
kind: directly_assignable_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $F
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: "^javaScriptEnabled|allowsContentJavaScript$"
- has:
stopBy: neighbor
regex: "^=$"
- has:
stopBy: neighbor
kind: boolean_literal
regex: "^true$"
- follows:
stopBy: end
kind: property_declaration
all:
- has:
stopBy: end
kind: pattern
has:
stopBy: neighbor
kind: simple_identifier
pattern: $F
- has:
stopBy: neighbor
kind: call_expression
any:
- pattern: WKWebpagePreferences()
- pattern: WKPreferences()
- not:
follows:
stopBy: end
kind: assignment
all:
- has:
stopBy: neighbor
kind: directly_assignable_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $F
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: "^(javaScriptEnabled|allowsContentJavaScript)$"
- has:
stopBy: neighbor
regex: "^=$"
- has:
stopBy: neighbor
kind: boolean_literal
regex: "^true$"
- not:
precedes:
stopBy: end
kind: assignment
all:
- has:
stopBy: neighbor
kind: directly_assignable_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $F
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: "^(javaScriptEnabled|allowsContentJavaScript)$"
- has:
stopBy: neighbor
regex: "^=$"
- has:
stopBy: neighbor
pattern: $$$
rule:
kind: assignment
matches: match_pattern_upgradeKnownHostsToHTTPS
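Review bot: The first property-name check in the util, `regex: "^javaScriptEnabled|allowsContentJavaScript$"`, is missing the grouping parentheses that the two later copies use (`^(javaScriptEnabled|allowsContentJavaScript)$`). Without the group, `^` applies only to the first alternative and `$` only to the second, so the primary match accepts any identifier that starts with `javaScriptEnabled` or ends with `allowsContentJavaScript`, while the `not: follows` and `not: precedes` guards compare against the exact names. Use the grouped form in all three places so the match and its guards agree. Smaller points in the same file: the util is named `match_pattern_upgradeKnownHostsToHTTPS`, which does not describe what this rule checks and should be renamed after the JavaScript setting; `privelege` in `message` should read `privilege`; and `message` says webviews "do not have JavaScript disabled" although the rule fires only on an explicit `= true` assignment, so the wording should say that JavaScript is explicitly enabled.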
65 changes: 65 additions & 0 deletions rules/swift/security/swift-webview-config-base-url-swift.yml
@@ -0,0 +1,65 @@
id: swift-webview-config-base-url-swift
severity: warning
language: swift
message: >-
UIWebView instances were observed where the baseURL is misconfigured as
nil, which allows for origin abuse within the webview. In order to remove
the effective origin, the application should explicitly set the baseURL to
`about:blank` or similar.
note: >-
[CWE-272] Least Privilege Violation.
[REFERENCES]
- https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/
utils:
matches_patttern_loadHTMLString_&_load:
kind: call_expression
all:
- has:
stopBy: end
kind: navigation_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $W
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: end
kind: simple_identifier
regex: "^loadHTMLString|load$"
- has:
stopBy: end
kind: call_suffix
has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^baseURL$"
- has:
stopBy: end
regex: "^nil$"
- follows:
stopBy: end
kind: property_declaration
all:
- all:
- has:
stopBy: end
kind: pattern
has:
stopBy: end
kind: simple_identifier
pattern: $W
- has:
stopBy: end
kind: call_expression
pattern: UIWebView(...)

rule:
kind: call_expression
matches: matches_patttern_loadHTMLString_&_load
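Review bot: `regex: "^loadHTMLString|load$"` in the `navigation_suffix` clause is unanchored on one side of each alternative: it parses as `^loadHTMLString` or `load$`, so it matches any method name that begins with `loadHTMLString` or merely ends in `load`. Group the alternation, `^(loadHTMLString|load)$`, so only the two intended methods are considered. The util key `matches_patttern_loadHTMLString_&_load` also carries a typo (`patttern`) and an `&` in the identifier; a plain snake_case key used consistently in `utils` and in `rule.matches` would be easier to reference and less fragile for YAML tooling. The stray blank line before `rule:` can go as well.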
101 changes: 101 additions & 0 deletions tests/__snapshots__/swift-webview-config-allows-js-swift-snapshot.yml
@@ -0,0 +1,101 @@
id: swift-webview-config-allows-js-swift
snapshots:
? |
let preferences = WKPreferences()
preferences.javaScriptEnabled = true
preferences.javaScriptCanOpenWindowsAutomatically = false
: labels:
- source: preferences.javaScriptEnabled = true
style: primary
start: 34
end: 70
- source: preferences
style: secondary
start: 34
end: 45
- source: javaScriptEnabled
style: secondary
start: 46
end: 63
- source: .javaScriptEnabled
style: secondary
start: 45
end: 63
- source: preferences.javaScriptEnabled
style: secondary
start: 34
end: 63
- source: =
style: secondary
start: 64
end: 65
- source: 'true'
style: secondary
start: 66
end: 70
- source: preferences
style: secondary
start: 4
end: 15
- source: preferences
style: secondary
start: 4
end: 15
- source: WKPreferences()
style: secondary
start: 18
end: 33
- source: let preferences = WKPreferences()
style: secondary
start: 0
end: 33
? |
let prefs = WKWebpagePreferences()
prefs.allowsContentJavaScript = true
let config = WKWebViewConfiguration()
config.defaultWebpagePreferences = prefs
: labels:
- source: prefs.allowsContentJavaScript = true
style: primary
start: 35
end: 71
- source: prefs
style: secondary
start: 35
end: 40
- source: allowsContentJavaScript
style: secondary
start: 41
end: 64
- source: .allowsContentJavaScript
style: secondary
start: 40
end: 64
- source: prefs.allowsContentJavaScript
style: secondary
start: 35
end: 64
- source: =
style: secondary
start: 65
end: 66
- source: 'true'
style: secondary
start: 67
end: 71
- source: prefs
style: secondary
start: 4
end: 9
- source: prefs
style: secondary
start: 4
end: 9
- source: WKWebpagePreferences()
style: secondary
start: 12
end: 34
- source: let prefs = WKWebpagePreferences()
style: secondary
start: 0
end: 34
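Review bot: Both snapshot inputs are the simplest firing case (a declaration followed directly by `= true`), so nothing visible in this PR exercises the `not: follows` and `not: precedes` branches of the rule. Add cases to the rule's test file that cover them, for example `preferences.javaScriptEnabled = true` followed later by `preferences.javaScriptEnabled = false`, and a plain `= false` assignment, listed as valid inputs so a regression in those guards is caught. The label for the declared identifier (`preferences` at 4-15, `prefs` at 4-9) appears twice in each snapshot, which suggests the `follows` clause reaches the same node through two paths; worth checking whether one of the nested `has` clauses is redundant.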
114 changes: 114 additions & 0 deletions tests/__snapshots__/swift-webview-config-base-url-swift-snapshot.yml
@@ -0,0 +1,114 @@
id: swift-webview-config-base-url-swift
snapshots:
? |
let webview = UIWebView(...)
webview.loadHTMLString(someHtmlString, baseURL: nil)
: labels:
- source: 'webview.loadHTMLString(someHtmlString, baseURL: nil)'
style: primary
start: 29
end: 81
- source: webview
style: secondary
start: 29
end: 36
- source: loadHTMLString
style: secondary
start: 37
end: 51
- source: .loadHTMLString
style: secondary
start: 36
end: 51
- source: webview.loadHTMLString
style: secondary
start: 29
end: 51
- source: baseURL
style: secondary
start: 68
end: 75
- source: nil
style: secondary
start: 77
end: 80
- source: 'baseURL: nil'
style: secondary
start: 68
end: 80
- source: '(someHtmlString, baseURL: nil)'
style: secondary
start: 51
end: 81
- source: webview
style: secondary
start: 4
end: 11
- source: webview
style: secondary
start: 4
end: 11
- source: UIWebView(...)
style: secondary
start: 14
end: 28
- source: let webview = UIWebView(...)
style: secondary
start: 0
end: 28
? |
let webview3 = UIWebView(...)
webview3.load(data, mimetype: "application/json", textEncodingName: "UTF8", baseURL: nil)
: labels:
- source: 'webview3.load(data, mimetype: "application/json", textEncodingName: "UTF8", baseURL: nil)'
style: primary
start: 30
end: 119
- source: webview3
style: secondary
start: 30
end: 38
- source: load
style: secondary
start: 39
end: 43
- source: .load
style: secondary
start: 38
end: 43
- source: webview3.load
style: secondary
start: 30
end: 43
- source: baseURL
style: secondary
start: 106
end: 113
- source: nil
style: secondary
start: 115
end: 118
- source: 'baseURL: nil'
style: secondary
start: 106
end: 118
- source: '(data, mimetype: "application/json", textEncodingName: "UTF8", baseURL: nil)'
style: secondary
start: 43
end: 119
- source: webview3
style: secondary
start: 4
end: 12
- source: webview3
style: secondary
start: 4
end: 12
- source: UIWebView(...)
style: secondary
start: 15
end: 29
- source: let webview3 = UIWebView(...)
style: secondary
start: 0
end: 29
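Review bot: In the second input, `webview3.load(data, mimetype: "application/json", textEncodingName: "UTF8", baseURL: nil)` uses the argument label `mimetype:`, while the UIWebView method is `load(_:mimeType:textEncodingName:baseURL:)`. The rule does not inspect that label so the match is unaffected, but the sample should mirror code that would actually compile; change it to `mimeType:` and regenerate the snapshot. As with the JavaScript rule, only firing cases are visible here: add valid inputs to the test file with a non-nil `baseURL` (such as the `about:blank` URL the rule's message recommends) and a `baseURL: nil` call on a receiver that was not declared as `UIWebView(...)`, so the `follows` constraint is tested. The name `webview3` with no `webview2` suggests a case was dropped; renumber or restore it.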