diff --git a/assets/semgrep_rules/client/brave-execute-script.cpp b/assets/semgrep_rules/client/brave-execute-script.cpp
new file mode 100644
index 00000000..a6cef063
--- /dev/null
+++ b/assets/semgrep_rules/client/brave-execute-script.cpp
@@ -0,0 +1,8 @@
+int main() {
+  // ruleid: brave-execute-script
+  web_frame->ExecuteScriptInIsolatedWorld(
+      isolated_world_id_,
+      blink::WebScriptSource(
+          blink::WebString::FromUTF16(foobar)),
+      blink::BackForwardCacheAware::kAllow);
+}
diff --git a/assets/semgrep_rules/client/brave-execute-script.yaml b/assets/semgrep_rules/client/brave-execute-script.yaml
new file mode 100644
index 00000000..b8f312ac
--- /dev/null
+++ b/assets/semgrep_rules/client/brave-execute-script.yaml
@@ -0,0 +1,25 @@
+rules:
+  - id: brave-execute-script
+    metadata:
+      author: Andrea Brancaleoni
+      references:
+        - https://github.com/brave/brave-browser/wiki/Security-reviews
+      confidence: MEDIUM
+      source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/brave-execute-script.yaml
+      assignees: |
+        thypon
+        diracdeltas
+        bridiver
+    message: |
+      $FUNC usages should be vet by the security-team.
+
+      References:
+      - https://github.com/brave/brave-browser/wiki/Security-reviews (point 13)
+    severity: INFO
+    languages:
+      - cpp
+    patterns:
+      - pattern: $OBJ.$FUNC(...)
+      - metavariable-regex:
+          metavariable: $FUNC
+          regex: ^(.*ExecuteScript.*|ExecuteMethodAndReturnValue|CallFunctionEvenIfScriptDisabled)$
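Review bot: The fixture exercises only the `.*ExecuteScript.*` branch of the rule's regex (via `web_frame->ExecuteScriptInIsolatedWorld`), so a regression in matching `ExecuteMethodAndReturnValue` or `CallFunctionEvenIfScriptDisabled` would pass `semgrep --test` unnoticed, and there is no `// ok:` line pinning a call that must not fire. The fixture also calls through `->` while the rule's pattern is written as `$OBJ.$FUNC(...)`; if the test passes this presumably relies on Semgrep treating the two accessors as equivalent for C++, which deserves a one-line comment in the fixture (`// '->' is intentional: the rule pattern uses '.', Semgrep matches both`) so nobody "fixes" one side later. I would add the two missing positive cases and one negative case; argument lists are placeholders since the file is parsed, never compiled.
```cpp
  // … unchanged: ExecuteScriptInIsolatedWorld call above …
  // ruleid: brave-execute-script
  web_frame->ExecuteMethodAndReturnValue(function, receiver, argc, argv);
  // ruleid: brave-execute-script
  web_frame->CallFunctionEvenIfScriptDisabled(function, receiver, argc, argv);
  // ok: brave-execute-script
  web_frame->GetDocument();
```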
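Review bot: The `message` gives the developer no rationale for why `$FUNC` needs review, and it has a typo (`should be vet by` should read `should be vetted by`); since this text is what appears on the PR, it should say what to check. Judging by the fixture (a script source built at runtime from `foobar` and run in an isolated world) and the checklist point the message cites, the concern is script execution in web content, so I would change the first message line to `$FUNC runs script in web content; confirm the script source is not attacker-influenced and the target world is the intended one, then request a security-team review.` Separately, as written the `$OBJ.$FUNC(...)` pattern requires an explicit receiver, so a call made from inside the owning class without `this->` (or through a free function) would not be flagged; that is probably acceptable at `severity: INFO`, but it is worth recording in `metadata` so the gap is known rather than assumed covered.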