diff --git a/rules/swift/security/swift-webview-config-allows-js-open-windows-swift.yml b/rules/swift/security/swift-webview-config-allows-js-open-windows-swift.yml new file mode 100644 index 00000000..80b4ff8d --- /dev/null +++ b/rules/swift/security/swift-webview-config-allows-js-open-windows-swift.yml @@ -0,0 +1,62 @@ +id: swift-webview-config-allows-js-open-windows-swift +language: swift +severity: warning +message: >- + Webviews were observed that explictly allow JavaScript in an WKWebview + to open windows automatically. Consider disabling this functionality if + not required, following the principle of least privelege. +note: >- + [CWE-272]: Least Privilege Violation + [REFERENCES] + https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/ + https://developer.apple.com/documentation/webkit/wkpreferences/1536573-javascriptcanopenwindowsautomati +utils: + match_JavaScriptCanOpenWindowsAutomatically: + kind: assignment + all: + - has: + stopBy: end + kind: navigation_expression + has: + stopBy: end + kind: simple_identifier + pattern: $R + - has: + stopBy: end + kind: navigation_suffix + has: + stopBy: end + kind: simple_identifier + regex: "^JavaScriptCanOpenWindowsAutomatically$" + - has: + kind: boolean_literal + regex: "^true$" + - follows: + stopBy: end + kind: property_declaration + has: + stopBy: end + kind: pattern + has: + kind: simple_identifier + pattern: $R + - not: + precedes: + stopBy: neighbor + kind: assignment + has: + stopBy: end + kind: boolean_literal + regex: "^true$|false" + - not: + follows: + stopBy: neighbor + kind: assignment + has: + stopBy: end + kind: boolean_literal + regex: "^true" + +rule: + any: + - matches: match_JavaScriptCanOpenWindowsAutomatically diff --git a/rules/swift/security/swift-webview-config-fraudulent-site-warning-swift.yml b/rules/swift/security/swift-webview-config-fraudulent-site-warning-swift.yml new file mode 100644 index 00000000..4704a735 --- /dev/null +++ b/rules/swift/security/swift-webview-config-fraudulent-site-warning-swift.yml @@ -0,0 +1,58 @@ +id: swift-webview-config-fraudulent-site-warning-swift +language: swift +severity: warning +message: >- + Webviews were observed that explicitly opt ouf of the WKWebView + fraudulent site warnings. Consider enabling such functionality, to better + protect your users from fraud/malware. +note: >- + [CWE-272]: Least Privilege Violation + [REFERENCES] + https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/ +utils: + match_isFraudulentWebsiteWarningEnabled: + kind: assignment + all: + - has: + stopBy: end + kind: navigation_expression + has: + stopBy: end + kind: simple_identifier + pattern: $R + - has: + stopBy: end + kind: navigation_suffix + has: + stopBy: end + kind: simple_identifier + regex: "^isFraudulentWebsiteWarningEnabled$" + - has: + kind: boolean_literal + regex: "^false$" + - follows: + stopBy: end + kind: property_declaration + has: + stopBy: end + kind: pattern + has: + kind: simple_identifier + pattern: $R + - not: + precedes: + kind: assignment + has: + kind: boolean_literal + regex: "false$|true" + - not: + follows: + stopBy: end + kind: assignment + has: + stopBy: end + kind: boolean_literal + regex: "^false" +rule: + any: + - matches: match_isFraudulentWebsiteWarningEnabled diff --git a/tests/__snapshots__/swift-webview-config-allows-js-open-windows-swift-snapshot.yml b/tests/__snapshots__/swift-webview-config-allows-js-open-windows-swift-snapshot.yml new file mode 100644 index 00000000..156978e1 --- /dev/null +++ b/tests/__snapshots__/swift-webview-config-allows-js-open-windows-swift-snapshot.yml @@ -0,0 +1,42 @@ +id: swift-webview-config-allows-js-open-windows-swift +snapshots: + ? | + let prefs = WKPreferences() + prefs.JavaScriptCanOpenWindowsAutomatically = true + : labels: + - source: prefs.JavaScriptCanOpenWindowsAutomatically = true + style: primary + start: 28 + end: 79 + - source: prefs + style: secondary + start: 28 + end: 33 + - source: prefs.JavaScriptCanOpenWindowsAutomatically + style: secondary + start: 28 + end: 71 + - source: JavaScriptCanOpenWindowsAutomatically + style: secondary + start: 34 + end: 71 + - source: .JavaScriptCanOpenWindowsAutomatically + style: secondary + start: 33 + end: 71 + - source: 'true' + style: secondary + start: 75 + end: 79 + - source: prefs + style: secondary + start: 4 + end: 9 + - source: prefs + style: secondary + start: 4 + end: 9 + - source: let prefs = WKPreferences() + style: secondary + start: 0 + end: 27 diff --git a/tests/__snapshots__/swift-webview-config-fraudulent-site-warning-swift-snapshot.yml b/tests/__snapshots__/swift-webview-config-fraudulent-site-warning-swift-snapshot.yml new file mode 100644 index 00000000..e0ebe7e8 --- /dev/null +++ b/tests/__snapshots__/swift-webview-config-fraudulent-site-warning-swift-snapshot.yml @@ -0,0 +1,83 @@ +id: swift-webview-config-fraudulent-site-warning-swift +snapshots: + ? | + let prefs2 = WKPreferences() + prefs2.isFraudulentWebsiteWarningEnabled = false + : labels: + - source: prefs2.isFraudulentWebsiteWarningEnabled = false + style: primary + start: 29 + end: 78 + - source: prefs2 + style: secondary + start: 29 + end: 35 + - source: prefs2.isFraudulentWebsiteWarningEnabled + style: secondary + start: 29 + end: 69 + - source: isFraudulentWebsiteWarningEnabled + style: secondary + start: 36 + end: 69 + - source: .isFraudulentWebsiteWarningEnabled + style: secondary + start: 35 + end: 69 + - source: 'false' + style: secondary + start: 73 + end: 78 + - source: prefs2 + style: secondary + start: 4 + end: 10 + - source: prefs2 + style: secondary + start: 4 + end: 10 + - source: let prefs2 = WKPreferences() + style: secondary + start: 0 + end: 28 + ? | + let prefs2 = WKPreferences() + prefs2.isFraudulentWebsiteWarningEnabled = true + prefs2.isFraudulentWebsiteWarningEnabled = false + : labels: + - source: prefs2.isFraudulentWebsiteWarningEnabled = false + style: primary + start: 78 + end: 127 + - source: prefs2 + style: secondary + start: 78 + end: 84 + - source: prefs2.isFraudulentWebsiteWarningEnabled + style: secondary + start: 78 + end: 118 + - source: isFraudulentWebsiteWarningEnabled + style: secondary + start: 85 + end: 118 + - source: .isFraudulentWebsiteWarningEnabled + style: secondary + start: 84 + end: 118 + - source: 'false' + style: secondary + start: 122 + end: 127 + - source: prefs2 + style: secondary + start: 4 + end: 10 + - source: prefs2 + style: secondary + start: 4 + end: 10 + - source: let prefs2 = WKPreferences() + style: secondary + start: 0 + end: 28 diff --git a/tests/swift/swift-webview-config-allows-js-open-windows-swift-test.yml b/tests/swift/swift-webview-config-allows-js-open-windows-swift-test.yml new file mode 100644 index 00000000..3772db95 --- /dev/null +++ b/tests/swift/swift-webview-config-allows-js-open-windows-swift-test.yml @@ -0,0 +1,10 @@ +id: swift-webview-config-allows-js-open-windows-swift +valid: + - | + let prefs2 = WKPreferences() + prefs2.JavaScriptCanOpenWindowsAutomatically = true + prefs2.JavaScriptCanOpenWindowsAutomatically = false +invalid: + - | + let prefs = WKPreferences() + prefs.JavaScriptCanOpenWindowsAutomatically = true diff --git a/tests/swift/swift-webview-config-fraudulent-site-warning-swift-test.yml b/tests/swift/swift-webview-config-fraudulent-site-warning-swift-test.yml new file mode 100644 index 00000000..229867e2 --- /dev/null +++ b/tests/swift/swift-webview-config-fraudulent-site-warning-swift-test.yml @@ -0,0 +1,13 @@ +id: swift-webview-config-fraudulent-site-warning-swift +valid: + - | + let prefs = WKPreferences() + prefs.isFraudulentWebsiteWarningEnabled = true +invalid: + - | + let prefs2 = WKPreferences() + prefs2.isFraudulentWebsiteWarningEnabled = true + prefs2.isFraudulentWebsiteWarningEnabled = false + - | + let prefs2 = WKPreferences() + prefs2.isFraudulentWebsiteWarningEnabled = false