contrib.nodejsscan.security_electronjs.electron_disable_websecurity

returntocorp

Author

Download Count*

GPLv3

License

Disabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: electron_disable_websecurity
    patterns:
      - pattern-either:
          - pattern: |
              new BrowserWindow({webPreferences: {webSecurity: false}});
          - pattern: |
              var $X = {webPreferences: {webSecurity: false}};
    message: Disabling webSecurity will disable the same-origin policy and allows
      the execution of insecure code from any domain.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp: A06:2017 - Security Misconfiguration
      cwe: "CWE-346: Origin Validation Error"
      category: security
      technology:
        - electron
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Short Link: https://sg.run/Bkb7