Skip to content

Commit

Permalink
New rule: missing-noopener-window-open-native.yaml
Browse files Browse the repository at this point in the history
Should unblock #407
  • Loading branch information
thypon committed Nov 7, 2023
1 parent b30d655 commit 88298fe
Show file tree
Hide file tree
Showing 2 changed files with 46 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
rules:
- id: missing-noopener-window-open-native
message: window.open should enforce `noopener` to avoid tab-nabbing vulnerabilities.
metadata:
author: Andrea Brancaleoni @ Brave
confidence: LOW
cwe:
- "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
owasp:
- A01:2021 - Broken Access Control
references:
- https://web.dev/external-anchors-use-rel-noopener/
- https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
category: security
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: LOW
license: MIT
source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/missing-noopener-window-open-native.yaml
languages:
- typescript
- javascript
paths:
exclude:
- '*test*'
severity: INFO
patterns:
- pattern-either:
- patterns:
- pattern-either:
- pattern: window.open($...URL)
- pattern: document.open($...URL)
- pattern: open($...URL)
- metavariable-comparison:
metavariable: $...URL
comparison: not re.match('.*(chrome|brave)(-untrusted)?://.*', str($...URL)) and re.match('^([^,]*|[^,]*,[^,]*)$', str($...URL))
- patterns:
- pattern-either:
- pattern: window.open($URL, $TARGET, $FEATURES, ...)
- pattern: document.open($URL, $TARGET, $FEATURES, ...)
- pattern: open($URL, $TARGET, $FEATURES, ...)
- metavariable-comparison:
metavariable: $...FEATURES
comparison: not re.match(".*no(opener|referrer).*", str($FEATURES))

0 comments on commit 88298fe

Please sign in to comment.