Add new security rules for Swift applications regarding webviews and XML parsing #85

Closed
wants to merge 3 commits into from
110 changes: 110 additions & 0 deletions rules/swift/security/swift-webview-config-allows-js-swift.yml
@@ -0,0 +1,110 @@
id: swift-webview-config-allows-js-swift
severity: warning
language: swift
message: >-
Webviews were observed that do not have JavaScript disabled. Consider
disabling JavaScript wherever the functionality is not required, following
the principle of least privelege.
note: >-
[CWE-272] Least Privilege Violation.
[REFERENCES]
- https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/
utils:
match_pattern_upgradeKnownHostsToHTTPS:
kind: assignment
all:
- has:
stopBy: neighbor
kind: directly_assignable_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $F
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: '^javaScriptEnabled|allowsContentJavaScript$'
- has:
stopBy: neighbor
regex: '^=$'
- has:
stopBy: neighbor
kind: boolean_literal
regex: '^true$'
- follows:
stopBy: end
kind: property_declaration
all:
- has:
stopBy: end
kind: pattern
has:
stopBy: neighbor
kind: simple_identifier
pattern: $F
- has:
stopBy: neighbor
kind: call_expression
any:
- pattern: WKWebpagePreferences()
- pattern: WKPreferences()
- not:
follows:
stopBy: neighbor
kind: assignment
all:
- has:
stopBy: neighbor
kind: directly_assignable_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $F
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: '^(javaScriptEnabled|allowsContentJavaScript)$'
- has:
stopBy: neighbor
regex: '^=$'
- has:
stopBy: neighbor
kind: boolean_literal
regex: '^true$'
- not:
precedes:
stopBy: end
kind: assignment
all:
- has:
stopBy: neighbor
kind: directly_assignable_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $F
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: '^(javaScriptEnabled|allowsContentJavaScript)$'
- has:
stopBy: neighbor
regex: '^=$'
- has:
stopBy: neighbor
pattern: $$$
rule:
kind: assignment
matches: match_pattern_upgradeKnownHostsToHTTPS
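Review bot: the util key `match_pattern_upgradeKnownHostsToHTTPS` (and the `matches:` reference under `rule:`) looks copied from an unrelated rule and says nothing about webview JavaScript; rename both to something like `match_pattern_webview_js_enabled`. The first `navigation_suffix` regex, `'^javaScriptEnabled|allowsContentJavaScript$'`, is also inconsistent with the grouped form `'^(javaScriptEnabled|allowsContentJavaScript)$'` used in the two later blocks: without the parentheses `^` binds only to the first alternative and `$` only to the second, so any identifier that merely starts with `javaScriptEnabled` or ends with `allowsContentJavaScript` matches. Two smaller points: `message` spells "privelege" (should be "privilege"), and because the rule only fires on an explicit `$F.javaScriptEnabled = true` or `$F.allowsContentJavaScript = true` after a `WKPreferences()` / `WKWebpagePreferences()` declaration, the sentence "Webviews were observed that do not have JavaScript disabled" overstates what is detected (both properties default to true, so a webview that never touches them is not flagged); say that JavaScript is explicitly enabled, or document the limitation.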
73 changes: 73 additions & 0 deletions rules/swift/security/swift-webview-config-base-url-swift.yml
@@ -0,0 +1,73 @@
id: swift-webview-config-base-url-swift
severity: warning
language: swift
message: >-
UIWebView instances were observed where the baseURL is misconfigured as
nil, which allows for origin abuse within the webview. In order to remove
the effective origin, the application should explicitly set the baseURL to
`about:blank` or similar.
note: >-
[CWE-272] Least Privilege Violation.
[REFERENCES]
- https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/
utils:
matches_patttern_loadHTMLString_&_load:
kind: call_expression
all:
- has:
stopBy: end
kind: navigation_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $W
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: end
kind: simple_identifier
regex: '^loadHTMLString|load$'
- has:
stopBy: end
kind: call_suffix
has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
regex: '^baseURL$'
- has:
stopBy: end
regex: '^nil$'
- inside:
stopBy: end
kind: source_file
has:
stopBy: end
kind: property_declaration
all:
- has:
stopBy: end
kind: pattern
has:
stopBy: neighbor
kind: simple_identifier
pattern: $W
- has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: neighbor
kind: simple_identifier
regex: '^UIWebView$'
- has:
stopBy: neighbor
kind: call_suffix
rule:
kind: call_expression
matches: matches_patttern_loadHTMLString_&_load
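Review bot: the `navigation_suffix` regex `'^loadHTMLString|load$'` has the same unbalanced anchoring as in the JavaScript rule (`^` applies only to `loadHTMLString`, `$` only to `load`), so any method name ending in `load` passes this part of the check; use `'^(loadHTMLString|load)$'`. The util key `matches_patttern_loadHTMLString_&_load` has a typo (`patttern`) and a `&` inside a YAML key, which is legal mid-scalar but easy to confuse with an anchor; rename it and the `matches:` reference to something like `match_pattern_load_html_nil_base_url`. On scope: `inside: source_file` with `has: property_declaration` and `stopBy: end` accepts a `UIWebView()` declaration anywhere in the file, so, assuming ast-grep unifies `$W` across the relational rules, two unrelated variables in different functions that share a name would satisfy it; a comment stating the intended scope would help. The rule also matches only `regex: '^UIWebView$'` declarations while `UIWebView` is deprecated, so please document whether `WKWebView.loadHTMLString(_:baseURL:)` with `nil` is intentionally out of scope.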
114 changes: 114 additions & 0 deletions rules/swift/security/swift-xxe-prevention-swift.yml
@@ -0,0 +1,114 @@
id: swift-xxe-prevention-swift
severity: warning
language: swift
message: >-
Usage of Apple's native XML Parser was observed where the parser is
explicitly instructed to resolve external entities. This can lead to XXE
attacks if untrusted input is parsed. Consider disabling this
functionality where feasible.
note: >-
[CWE-611] Improper Restriction of XML External Entity Reference.
[REFERENCES]
- https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html
- https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
utils:
match_pattern_upgradeKnownHostsToHTTPS:
kind: assignment
all:
- has:
stopBy: neighbor
kind: directly_assignable_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $F
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: '^shouldResolveExternalEntities$'
- has:
stopBy: neighbor
regex: '^=$'
- has:
stopBy: neighbor
kind: boolean_literal
regex: '^true$'
- follows:
stopBy: end
kind: property_declaration
all:
- has:
stopBy: end
kind: pattern
has:
stopBy: neighbor
kind: simple_identifier
pattern: $F
- has:
stopBy: neighbor
kind: call_expression
pattern: XMLParser($$$)
- not:
follows:
stopBy: end
kind: assignment
all:
- has:
stopBy: neighbor
kind: directly_assignable_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $F
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: '^shouldResolveExternalEntities$'
- has:
stopBy: neighbor
regex: '^=$'
- has:
stopBy: neighbor
kind: boolean_literal
regex: '^true$'
- not:
precedes:
stopBy: end
kind: assignment
all:
- has:
stopBy: neighbor
kind: directly_assignable_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $F
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: '^shouldResolveExternalEntities$'
- has:
stopBy: neighbor
regex: '^=$'
- has:
stopBy: neighbor
any:
- has:
stopBy: neighbor
pattern: $$$
rule:
kind: assignment
matches: match_pattern_upgradeKnownHostsToHTTPS
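Review bot: the util key `match_pattern_upgradeKnownHostsToHTTPS` is copied verbatim from the webview rule and does not describe XXE; rename it and the `matches:` reference to e.g. `match_pattern_xmlparser_resolve_external_entities`. More importantly, the final `not: precedes:` block ends in `- has: stopBy: neighbor any: - has: stopBy: neighbor pattern: $$$`, one level deeper than the equivalent block in the JavaScript rule (`- has: stopBy: neighbor pattern: $$$`): the extra `any: - has:` requires the later assignment's right-hand side to contain a child node of its own, which a bare `false` literal may not, so a subsequent `$F.shouldResolveExternalEntities = false` might fail to suppress the finding. If the intent is the same as in the sibling rule (any later reassignment of the property cancels the match), use the same shape and add a test with `= true` followed by `= false`. Separately, the `not: follows:` guard here uses `stopBy: end` (the JavaScript rule uses `stopBy: neighbor`): with two `= true` assignments to the same parser, the first is excluded by `not: precedes:` and the second by `not: follows:`, so the file produces no finding at all; since `not: precedes:` already selects the last assignment, consider dropping the `not: follows:` guard, and add that case to the tests.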