From 88298fe663f3874a4f9dcf8a729d70804a61e995 Mon Sep 17 00:00:00 2001
From: Andrea Brancaleoni
Date: Tue, 7 Nov 2023 22:52:01 +0100
Subject: [PATCH] New rule: missing-noopener-window-open-native.yaml
Should unblock #407
---
 ...=> missing-noopener-window-open-native.js} | 0
 .../missing-noopener-window-open-native.yaml | 46 +++++++++++++++++++
 2 files changed, 46 insertions(+)
 rename assets/semgrep_rules/services/{missing-noopener-window-open.js => missing-noopener-window-open-native.js} (100%)
 create mode 100644 assets/semgrep_rules/services/missing-noopener-window-open-native.yaml
diff --git a/assets/semgrep_rules/services/missing-noopener-window-open.js b/assets/semgrep_rules/services/missing-noopener-window-open-native.js
similarity index 100%
rename from assets/semgrep_rules/services/missing-noopener-window-open.js
rename to assets/semgrep_rules/services/missing-noopener-window-open-native.js
diff --git a/assets/semgrep_rules/services/missing-noopener-window-open-native.yaml b/assets/semgrep_rules/services/missing-noopener-window-open-native.yaml
new file mode 100644
index 00000000..62db43e4
--- /dev/null
+++ b/assets/semgrep_rules/services/missing-noopener-window-open-native.yaml
@@ -0,0 +1,46 @@
+rules:
+ - id: missing-noopener-window-open-native
+ message: window.open should enforce `noopener` to avoid tab-nabbing vulnerabilities.
+ metadata:
+ author: Andrea Brancaleoni @ Brave
+ confidence: LOW
+ cwe:
+ - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+ owasp:
+ - A01:2021 - Broken Access Control
+ references:
+ - https://web.dev/external-anchors-use-rel-noopener/
+ - https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
+ category: security
+ cwe2021-top25: true
+ subcategory:
+ - audit
+ likelihood: LOW
+ impact: LOW
+ license: MIT
+ source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/missing-noopener-window-open-native.yaml
+ languages:
+ - typescript
+ - javascript
+ paths:
+ exclude:
+ - '*test*'
+ severity: INFO
+ patterns:
+ - pattern-either:
+ - patterns:
+ - pattern-either:
+ - pattern: window.open($...URL)
+ - pattern: document.open($...URL)
+ - pattern: open($...URL)
+ - metavariable-comparison:
+ metavariable: $...URL
+ comparison: not re.match('.*(chrome|brave)(-untrusted)?://.*', str($...URL)) and re.match('^([^,]*|[^,]*,[^,]*)$', str($...URL))
+ - patterns:
+ - pattern-either:
+ - pattern: window.open($URL, $TARGET, $FEATURES, ...)
+ - pattern: document.open($URL, $TARGET, $FEATURES, ...)
+ - pattern: open($URL, $TARGET, $FEATURES, ...)
+ - metavariable-comparison:
+ metavariable: $...FEATURES
+ comparison: not re.match(".*no(opener|referrer).*", str($FEATURES))
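Review bot: The second metavariable-comparison names `metavariable: $...FEATURES` while the three patterns above it bind `$FEATURES`, so the comparison references a metavariable that is never bound; Semgrep will most likely reject the rule or never evaluate the feature check, and three-argument `window.open` calls without `noopener` would then go unreported. The fix is `metavariable: $FEATURES`, which also matches the `str($FEATURES)` already used in the comparison expression. Browsers treat the features string case-insensitively while `.*no(opener|referrer).*` is case-sensitive, so a spelling such as `NoOpener` is reported as missing; `re.match("(?i).*no(opener|referrer).*", str($FEATURES))` avoids that false positive, and when `$FEATURES` is a variable rather than a string literal only its identifier is inspected, which the LOW confidence should be understood to cover. The CWE mapping could be more precise with CWE-1022 (Use of Web Link to Untrusted Target with window.opener Access), which describes the tab-nabbing weakness directly rather than the generic CWE-200.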