Add YAML Configurations for Swift Webview Security Rules and Tests #91
Closed
wants to merge 3 commits into from
@@ -0,0 +1,57 @@
id: swift-webview-config-allows-file-access-swift
language: swift
severity: warning
message: >-
Webviews were observed that do not disable access to application files.
If the WebView does not require loading content from the local filesystem
of the application, this setting should be disabled.
note: >-
[CWE-272]: Least Privilege Violation
[REFERENCES]
https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/
utils:
match_call_expression:
kind: call_expression
has:
stopBy: end
kind: call_suffix
has:
stopBy: end
kind: value_arguments
all:
- has:
stopBy: end
kind: value_argument
has:
stopBy: end
kind: boolean_literal
field: value
regex: '^true$'
- has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
regex: '^forKey$'
- has:
stopBy: end
kind: line_string_literal
has:
stopBy: end
kind: line_str_text
regex: '^allowFileAccessFromFileURLs$'


rule:
any:
- matches: match_call_expression








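Review bot: the `message` at the top of this hunk ("do not disable access to application files") does not describe what `match_call_expression` actually matches, which is the explicit opt-in `setValue(true, forKey: "allowFileAccessFromFileURLs")`; an app that never touches the key is not reported at all, so reword the message to say the preference is being explicitly enabled. Two smaller points: the `true` literal is searched with `stopBy: end` inside its `value_argument`, so a `true` nested anywhere in a more complex first argument would also satisfy that clause (a `stopBy: neighbor` on the literal would pin it to the bare argument), and `rule: any:` with a single `matches:` entry can be collapsed to `rule: matches: match_call_expression`. The `note` format also differs from the https-upgrade rule in this PR (`[CWE-272]:` with a bare URL here, `[CWE-272]` with a bulleted reference list there); pick one layout for all three rules.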
@@ -0,0 +1,100 @@
id: swift-webview-config-fraudulent-site-warning-swift
language: swift
severity: warning
message: >-
Webviews were observed that explicitly opt ouf of the WKWebView
fraudulent site warnings. Consider enabling such functionality, to better
protect your users from fraud/malware.
note: >-
[CWE-272]: Least Privilege Violation
[REFERENCES]
https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/
utils:
match_isFraudulentWebsiteWarningEnabled:
kind: assignment
all:
- has:
stopBy: end
kind: navigation_expression
has:
stopBy: end
kind: simple_identifier
pattern: $R
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: end
kind: simple_identifier
regex: "^isFraudulentWebsiteWarningEnabled$"
- has:
kind: boolean_literal
regex: "^false$"
- follows:
stopBy: end
kind: property_declaration
has:
stopBy: end
kind: pattern
has:
kind: simple_identifier
pattern: $R
- not:
precedes:
kind: assignment
has:
kind: boolean_literal
regex: "false$|true"
- not:
follows:
kind: assignment
has:
stopBy: end
kind: boolean_literal
regex: "^false"
match_simple_identifier:
kind: assignment
all:
- has:
stopBy: end
kind: navigation_expression
has:
stopBy: end
kind: simple_identifier
pattern: $R
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: end
kind: simple_identifier
regex: "^isFraudulentWebsiteWarningEnabled$"
- has:
kind: simple_identifier
- follows:
stopBy: end
kind: property_declaration
has:
stopBy: end
kind: pattern
has:
kind: simple_identifier
pattern: $R
- not:
precedes:
kind: assignment
has:
kind: boolean_literal
regex: "false$|true"
- not:
follows:
kind: assignment
has:
stopBy: end
kind: boolean_literal
regex: "^false"

rule:
any:
- matches: match_isFraudulentWebsiteWarningEnabled
- matches: match_simple_identifier
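Review bot: `match_simple_identifier` (the second util in this hunk) matches `$R.isFraudulentWebsiteWarningEnabled = <identifier>` regardless of what the identifier holds, so `config.isFraudulentWebsiteWarningEnabled = userPreference` is reported as an explicit opt-out even when that variable is `true`; either drop this util or give it its own lower-severity message saying the assigned value could not be resolved. The `not: precedes` / `not: follows` guards in both utils only check that some neighbouring `assignment` carries a boolean literal, with no constraint on the `$R` receiver or the property name, so an unrelated `other.flag = true` next to the match suppresses the finding, and their regexes are anchored inconsistently (`"false$|true"` beside `"^false"` and `"^false$"`); constrain the guards to the same receiver and property, as the https-upgrade rule does with `directly_assignable_expression`, and anchor the literals as `^true$` / `^false$`. Also `opt ouf` in the message should read `opt out`.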
115 changes: 115 additions & 0 deletions rules/swift/security/swift-webview-config-https-upgrade-swift.yml
@@ -0,0 +1,115 @@
id: swift-webview-config-https-upgrade-swift
severity: warning
language: swift
message: >-
Webviews were observed that do not enable the
`upgradeKnownHostsToHTTPS` feature. This feature will ensure accidental
HTTP connections are automatically upgraded to HTTPS, avoiding potential
data leakage over the network.
note: >-
[CWE-272] Least Privilege Violation.
[REFERENCES]
- https://developer.apple.com/documentation/webkit/wkwebviewconfiguration/3752243-upgradeknownhoststohttps
- https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/
utils:
match_pattern_upgradeKnownHostsToHTTPS:
kind: assignment
all:
- has:
stopBy: neighbor
kind: directly_assignable_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $F
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: '^upgradeKnownHostsToHTTPS$'
- has:
stopBy: neighbor
regex: '^=$'
- has:
stopBy: neighbor
kind: boolean_literal
regex: '^false$'
- follows:
stopBy: end
kind: property_declaration
all:
- has:
stopBy: end
kind: pattern
has:
stopBy: neighbor
kind: simple_identifier
pattern: $F
- has:
stopBy: neighbor
kind: call_expression
pattern: WKWebViewConfiguration()
- not:
follows:
stopBy: end
kind: assignment
all:
- has:
stopBy: neighbor
kind: directly_assignable_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $F
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: '^upgradeKnownHostsToHTTPS$'
- has:
stopBy: neighbor
regex: '^=$'
- has:
stopBy: neighbor
kind: boolean_literal
regex: '^false$'

- not:
precedes:
stopBy: neighbor
kind: assignment
all:
- all:
- has:
stopBy: end
kind: directly_assignable_expression
all:
- has:
stopBy: end
kind: simple_identifier
pattern: $F
- has:
stopBy: end
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: '^upgradeKnownHostsToHTTPS$'
- has:
stopBy: neighbor
regex: '^=$'
- has:
stopBy: neighbor
kind: boolean_literal

rule:
kind: assignment
matches: match_pattern_upgradeKnownHostsToHTTPS


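Review bot: the two guards at the end of `match_pattern_upgradeKnownHostsToHTTPS` cancel each other for repeated assignments: `not: follows` (stopBy end, `^false$`) suppresses any match that has an earlier `$F.upgradeKnownHostsToHTTPS = false`, while `not: precedes` (stopBy neighbor, `boolean_literal` with no regex) suppresses a match whose immediate next sibling assigns the same property to any boolean, so for two consecutive `= false` statements the first is dropped by the second guard and the second by the first, leaving no finding. Restrict the `precedes` literal to `regex: '^true$'` (a later re-enable is the only case that should suppress) and either drop the `follows` guard or accept duplicate findings. Two further points: the util only fires when `$F` was declared with `pattern: WKWebViewConfiguration()`, so `webView.configuration.upgradeKnownHostsToHTTPS = false` or a configuration received as a parameter is missed, which makes the message ("do not enable") an overstatement, since only an explicit `= false` is reported; and the `- all:` sitting directly under `all:` at the start of the `precedes` block is redundant nesting that can be flattened.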
@@ -0,0 +1,117 @@
id: swift-webview-config-allows-file-access-swift
snapshots:
? "func enableFileAccessFromFileURLs() {\nwebView.configuration.preferences.setValue(true, forKey: \"allowFileAccessFromFileURLs\")\nprint(\"allowFileAccessFromFileURLs has been set to true.\")\n} \n"
: labels:
- source: 'webView.configuration.preferences.setValue(true, forKey: "allowFileAccessFromFileURLs")'
style: primary
start: 38
end: 125
- source: 'true'
style: secondary
start: 81
end: 85
- source: 'true'
style: secondary
start: 81
end: 85
- source: forKey
style: secondary
start: 87
end: 93
- source: allowFileAccessFromFileURLs
style: secondary
start: 96
end: 123
- source: '"allowFileAccessFromFileURLs"'
style: secondary
start: 95
end: 124
- source: 'forKey: "allowFileAccessFromFileURLs"'
style: secondary
start: 87
end: 124
- source: '(true, forKey: "allowFileAccessFromFileURLs")'
style: secondary
start: 80
end: 125
- source: '(true, forKey: "allowFileAccessFromFileURLs")'
style: secondary
start: 80
end: 125
? |
preferences.setValue(true, forKey: "allowFileAccessFromFileURLs")
: labels:
- source: 'preferences.setValue(true, forKey: "allowFileAccessFromFileURLs")'
style: primary
start: 0
end: 65
- source: 'true'
style: secondary
start: 21
end: 25
- source: 'true'
style: secondary
start: 21
end: 25
- source: forKey
style: secondary
start: 27
end: 33
- source: allowFileAccessFromFileURLs
style: secondary
start: 36
end: 63
- source: '"allowFileAccessFromFileURLs"'
style: secondary
start: 35
end: 64
- source: 'forKey: "allowFileAccessFromFileURLs"'
style: secondary
start: 27
end: 64
- source: '(true, forKey: "allowFileAccessFromFileURLs")'
style: secondary
start: 20
end: 65
- source: '(true, forKey: "allowFileAccessFromFileURLs")'
style: secondary
start: 20
end: 65
? "webViewConfig.webView.configuration.preferences.setValue(true, forKey: \"allowFileAccessFromFileURLs\") \n"
: labels:
- source: 'webViewConfig.webView.configuration.preferences.setValue(true, forKey: "allowFileAccessFromFileURLs")'
style: primary
start: 0
end: 101
- source: 'true'
style: secondary
start: 57
end: 61
- source: 'true'
style: secondary
start: 57
end: 61
- source: forKey
style: secondary
start: 63
end: 69
- source: allowFileAccessFromFileURLs
style: secondary
start: 72
end: 99
- source: '"allowFileAccessFromFileURLs"'
style: secondary
start: 71
end: 100
- source: 'forKey: "allowFileAccessFromFileURLs"'
style: secondary
start: 63
end: 100
- source: '(true, forKey: "allowFileAccessFromFileURLs")'
style: secondary
start: 56
end: 101
- source: '(true, forKey: "allowFileAccessFromFileURLs")'
style: secondary
start: 56
end: 101
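Review bot: several secondary labels in each snapshot repeat with identical offsets (`true` at 81-85 and `(true, forKey: "allowFileAccessFromFileURLs")` at 80-125 both appear twice in the first case, and likewise 21-25/20-65 and 57-61/56-101 in the other two); these are distinct nodes that share a span (the `value_argument` wrapping the bare `true` literal and the literal itself, `call_suffix` and its `value_arguments`), so they faithfully reflect the rule's nested `has` clauses rather than a defect in the test, but they should be regenerated with `ast-grep test --update-all` once the rule's literal clause is tightened so the snapshot keeps tracking the rule. All three cases here are positive matches; make sure the companion test YAML also carries `valid` entries such as `setValue(false, forKey: "allowFileAccessFromFileURLs")` and a `setValue(true, ...)` under a different key, so the `^true$` and `^allowFileAccessFromFileURLs$` anchors are actually exercised.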