

Add YAML Configs for Swift Webview Security Rules and Test Cases
1 parent 00526ee commit c8b07de

6 files changed

+458
-0
lines changed
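--- a/[path-not-shown-on-page: rule file 1]
+++ b/[path-not-shown-on-page: rule file 1]
@@ -0,0 +1,198 @@
+id: swift-webview-config-allows-universal-file-access-swift
+severity: warning
+language: swift
+message: >-
+Webviews were observed that do not disable access to application files.
+If the WebView does not require loading content from the local filesystem
+of the application, this setting should be disabled.
+note: >-
+[CWE-272] Least Privilege Violation.
+[REFERENCES]
+- https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/
+utils:
+match_pattern_two:
+kind: call_expression
+all:
+- has:
+stopBy: neighbor
+kind: navigation_expression
+all:
+- has:
+stopBy: neighbor
+kind: simple_identifier
+pattern: $W
+- has:
+stopBy: neighbor
+kind: navigation_suffix
+has:
+stopBy: neighbor
+kind: simple_identifier
+regex: "^setValue$"
+- has:
+stopBy: neighbor
+kind: call_suffix
+all:
+- has:
+stopBy: end
+kind: value_argument
+has:
+stopBy: neighbor
+kind: boolean_literal
+regex: "^true$"
+- has:
+stopBy: end
+kind: value_argument
+all:
+- has:
+stopBy: end
+kind: simple_identifier
+regex: "^forKey$"
+- has:
+stopBy: neighbor
+kind: line_string_literal
+has:
+stopBy: neighbor
+kind: line_str_text
+regex: "^allowUniversalAccessFromFileURLs$"
+- follows:
+stopBy: end
+kind: property_declaration
+all:
+- has:
+stopBy: end
+kind: pattern
+has:
+stopBy: neighbor
+kind: simple_identifier
+pattern: $W
+- any:
+- has:
+stopBy: neighbor
+kind: navigation_expression
+- has:
+stopBy: neighbor
+kind: call_expression
+- not:
+precedes:
+stopBy: neighbor
+kind: call_expression
+all:
+- has:
+stopBy: neighbor
+kind: navigation_expression
+all:
+- has:
+stopBy: neighbor
+kind: simple_identifier
+pattern: $W
+- has:
+stopBy: neighbor
+kind: navigation_suffix
+has:
+stopBy: neighbor
+kind: simple_identifier
+regex: "^setValue$"
+- has:
+stopBy: neighbor
+kind: call_suffix
+all:
+- has:
+stopBy: end
+kind: value_argument
+has:
+stopBy: neighbor
+kind: boolean_literal
+regex: "^false$"
+- has:
+stopBy: end
+kind: value_argument
+all:
+- has:
+stopBy: end
+kind: simple_identifier
+regex: "^forKey$"
+- has:
+stopBy: neighbor
+kind: line_string_literal
+has:
+stopBy: neighbor
+kind: line_str_text
+regex: "^allowUniversalAccessFromFileURLs$"
+
+match_pattern_one:
+kind: call_expression
+all:
+- has:
+stopBy: neighbor
+kind: navigation_expression
+all:
+- has:
+stopBy: neighbor
+kind: navigation_expression
+all:
+- has:
+stopBy: end
+kind: simple_identifier
+pattern: $L
+- has:
+stopBy: neighbor
+kind: navigation_suffix
+has:
+stopBy: neighbor
+kind: simple_identifier
+regex: "^configuration$"
+- has:
+stopBy: neighbor
+kind: navigation_suffix
+has:
+stopBy: neighbor
+kind: simple_identifier
+regex: "^setValue$"
+- has:
+stopBy: neighbor
+kind: call_suffix
+has:
+stopBy: neighbor
+kind: value_arguments
+all:
+- has:
+stopBy: neighbor
+kind: value_argument
+has:
+stopBy: neighbor
+kind: boolean_literal
+regex: "^true$"
+- has:
+stopBy: neighbor
+kind: value_argument
+all:
+- has:
+stopBy: neighbor
+kind: simple_identifier
+regex: "^forKey$"
+- has:
+stopBy: neighbor
+kind: line_string_literal
+has:
+stopBy: neighbor
+kind: line_str_text
+regex: "^allowUniversalAccessFromFileURLs$"
+- follows:
+stopBy: neighbor
+kind: property_declaration
+all:
+- has:
+stopBy: end
+kind: pattern
+has:
+stopBy: neighbor
+kind: simple_identifier
+pattern: $L
+- has:
+stopBy: neighbor
+kind: call_expression
+rule:
+kind: call_expression
+any:
+- matches: match_pattern_two
+- matches: match_pattern_one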
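Review bot: The `follows:` clause of match_pattern_one (the `$L.configuration.setValue(true, …)` form) uses `stopBy: neighbor`, so the `let $L = …` property_declaration must be the immediately preceding sibling, whereas the same relation in match_pattern_two uses `stopBy: end`; any statement placed between the declaration and the `setValue` call would silently drop the finding in the first form only. Changing that one line to `stopBy: end` would make the two forms behave alike, assuming the looser match is what the second form intends. match_pattern_one also has no counterpart to the `not: precedes:` block that suppresses match_pattern_two when the key is later reset with `setValue(false, …)`, so the two forms disagree on that case too; a test with an intervening statement and one with a later `false` reset would pin both down. The message reads as if the rule detects a missing call, but both utils only fire on an explicit `setValue(true, forKey: "allowUniversalAccessFromFileURLs")`; stating that in the message (e.g. `Webviews were observed that explicitly enable allowUniversalAccessFromFileURLs.`) would match what is reported.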
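--- a/[path-not-shown-on-page: rule file 2]
+++ b/[path-not-shown-on-page: rule file 2]
@@ -0,0 +1,113 @@
+id: swift-webview-config-https-upgrade-swift
+severity: warning
+language: swift
+message: >-
+Webviews were observed that do not enable the
+`upgradeKnownHostsToHTTPS` feature. This feature will ensure accidental
+HTTP connections are automatically upgraded to HTTPS, avoiding potential
+data leakage over the network.
+note: >-
+[CWE-272] Least Privilege Violation.
+[REFERENCES]
+- https://developer.apple.com/documentation/webkit/wkwebviewconfiguration/3752243-upgradeknownhoststohttps
+- https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/
+utils:
+match_pattern_upgradeKnownHostsToHTTPS:
+kind: assignment
+all:
+- has:
+stopBy: neighbor
+kind: directly_assignable_expression
+all:
+- has:
+stopBy: end
+kind: simple_identifier
+pattern: $F
+- has:
+stopBy: end
+kind: navigation_suffix
+has:
+stopBy: neighbor
+kind: simple_identifier
+regex: "^upgradeKnownHostsToHTTPS$"
+- has:
+stopBy: neighbor
+regex: "^=$"
+- has:
+stopBy: neighbor
+kind: boolean_literal
+regex: "^false$"
+- follows:
+stopBy: end
+kind: property_declaration
+all:
+- has:
+stopBy: end
+kind: pattern
+has:
+stopBy: neighbor
+kind: simple_identifier
+pattern: $F
+- has:
+stopBy: neighbor
+kind: call_expression
+pattern: WKWebViewConfiguration()
+- not:
+follows:
+stopBy: end
+kind: assignment
+all:
+- has:
+stopBy: neighbor
+kind: directly_assignable_expression
+all:
+- has:
+stopBy: end
+kind: simple_identifier
+pattern: $F
+- has:
+stopBy: end
+kind: navigation_suffix
+has:
+stopBy: neighbor
+kind: simple_identifier
+regex: "^upgradeKnownHostsToHTTPS$"
+- has:
+stopBy: neighbor
+regex: "^=$"
+- has:
+stopBy: neighbor
+kind: boolean_literal
+regex: "^false$"
+- not:
+precedes:
+stopBy: neighbor
+kind: assignment
+all:
+- all:
+- has:
+stopBy: neighbor
+kind: directly_assignable_expression
+all:
+- has:
+stopBy: end
+kind: simple_identifier
+pattern: $F
+- has:
+stopBy: end
+kind: navigation_suffix
+has:
+stopBy: neighbor
+kind: simple_identifier
+regex: "^upgradeKnownHostsToHTTPS$"
+- has:
+stopBy: neighbor
+regex: "^=$"
+- has:
+stopBy: neighbor
+kind: boolean_literal
+regex: "^false$"
+
+rule:
+kind: assignment
+matches: match_pattern_upgradeKnownHostsToHTTPS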
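Review bot: Both negation clauses in match_pattern_upgradeKnownHostsToHTTPS (`not: follows:` and `not: precedes:`) look for a sibling assignment whose boolean_literal matches `"^false$"`, the same value the primary clause matches on; read literally, a second `$F.upgradeKnownHostsToHTTPS = false` in the same block suppresses the finding instead of producing another one. If the intent is to stay quiet when a later assignment re-enables the feature, the `precedes` clause presumably wants `regex: "^true$"`, and the `follows` clause with `"^false$"` then has no evident purpose; a test case with two `= false` assignments and one with `= false` followed by `= true` would settle which is meant. The message says webviews "do not enable" the feature, but the rule only fires on an explicit `= false` after a `WKWebViewConfiguration()` declaration; a configuration that never touches the property is not matched, and the message should say so rather than imply the absence case is covered. The `[CWE-272] Least Privilege Violation` note appears carried over from the file-access rule; cleartext transport is closer to CWE-319 (Cleartext Transmission of Sensitive Information).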
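--- a/[path-not-shown-on-page: snapshot file 3]
+++ b/[path-not-shown-on-page: snapshot file 3]
@@ -0,0 +1,72 @@
+id: swift-webview-config-allows-universal-file-access-swift
+snapshots:
+? |
+let w = WKWebView(frame: .zero, configuration: config)
+w.setValue(true, forKey: "allowUniversalAccessFromFileURLs")
+let config = w.configuration
+config.setValue(true, forKey: "allowUniversalAccessFromFileURLs")
+: labels:
+- source: 'w.setValue(true, forKey: "allowUniversalAccessFromFileURLs")'
+style: primary
+start: 55
+end: 115
+- source: w
+style: secondary
+start: 55
+end: 56
+- source: setValue
+style: secondary
+start: 57
+end: 65
+- source: .setValue
+style: secondary
+start: 56
+end: 65
+- source: w.setValue
+style: secondary
+start: 55
+end: 65
+- source: 'true'
+style: secondary
+start: 66
+end: 70
+- source: 'true'
+style: secondary
+start: 66
+end: 70
+- source: forKey
+style: secondary
+start: 72
+end: 78
+- source: allowUniversalAccessFromFileURLs
+style: secondary
+start: 81
+end: 113
+- source: '"allowUniversalAccessFromFileURLs"'
+style: secondary
+start: 80
+end: 114
+- source: 'forKey: "allowUniversalAccessFromFileURLs"'
+style: secondary
+start: 72
+end: 114
+- source: '(true, forKey: "allowUniversalAccessFromFileURLs")'
+style: secondary
+start: 65
+end: 115
+- source: w
+style: secondary
+start: 4
+end: 5
+- source: w
+style: secondary
+start: 4
+end: 5
+- source: 'WKWebView(frame: .zero, configuration: config)'
+style: secondary
+start: 8
+end: 54
+- source: 'let w = WKWebView(frame: .zero, configuration: config)'
+style: secondary
+start: 0
+end: 54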
