contrib.nodejsscan.security_electronjs.electron_allow_http

returntocorp

Author

Download Count*

GPLv3

License

Application can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: electron_allow_http
    patterns:
      - pattern-either:
          - pattern: >
              new BrowserWindow({webPreferences: {allowRunningInsecureContent:
              true}});
          - pattern: |
              var $X = {webPreferences: {allowRunningInsecureContent: true}};
    message: Application can load content over HTTP and that makes the app
      vulnerable to Man in the middle attacks.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp: A06:2017 - Security Misconfiguration
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      category: security
      technology:
        - electron
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Short Link: https://sg.run/Donq