Skip to content

Commit

Permalink
New rule: brave-execute-script.yaml
Browse files Browse the repository at this point in the history
  • Loading branch information
thypon committed Oct 27, 2023
1 parent cb72e90 commit 3e3d39e
Show file tree
Hide file tree
Showing 2 changed files with 33 additions and 0 deletions.
8 changes: 8 additions & 0 deletions assets/semgrep_rules/client/brave-execute-script.cpp
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
int main() {
// ruleid: brave-execute-script
web_frame->ExecuteScriptInIsolatedWorld(
isolated_world_id_,
blink::WebScriptSource(
blink::WebString::FromUTF16(foobar)),
blink::BackForwardCacheAware::kAllow);
}
25 changes: 25 additions & 0 deletions assets/semgrep_rules/client/brave-execute-script.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
rules:
- id: brave-execute-script
metadata:
author: Andrea Brancaleoni <abc@pompel.me>
references:
- https://github.com/brave/brave-browser/wiki/Security-reviews
confidence: MEDIUM
source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/brave-execute-script.yaml
assignees: |
thypon
diracdeltas
bridiver
message: |
$FUNC usages should be vet by the security-team.
References:
- https://github.com/brave/brave-browser/wiki/Security-reviews (point 13)
severity: INFO
languages:
- cpp
patterns:
- pattern: $OBJ.$FUNC(...)
- metavariable-regex:
metavariable: $FUNC
regex: ^(.*ExecuteScript.*|ExecuteMethodAndReturnValue|CallFunctionEvenIfScriptDisabled)$

0 comments on commit 3e3d39e

Please sign in to comment.