html.security.audit.missing-integrity.missing-integrity

Author
unknown
This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you're telling the browser to fetch in the 'integrity' attribute for all externally hosted files.

Definition

rules:
  - id: missing-integrity
    metadata:
      category: security
      technology:
        - html
      cwe:
        - "CWE-353: Missing Support for Integrity Check"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      confidence: LOW
      references:
        - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    patterns:
      - pattern-either:
          - pattern: <script $...A >...</script>
          - pattern: <link $...A >
      - metavariable-pattern:
          metavariable: $...A
          patterns:
            - pattern-either:
                - pattern: src='... :// ...'
                - pattern: src="... :// ..."
                - pattern: href='... :// ...'
                - pattern: href="... :// ..."
                - pattern: src='//...'
                - pattern: src="//..."
                - pattern: href='//...'
                - pattern: href="//..."
            - pattern-not-regex: (?is).*integrity=
            - pattern-not-regex: (google-analytics\.com|fonts\.googleapis\.com|fonts\.gstatic\.com|googletagmanager\.com)
            - pattern-not-regex: .*rel\s*=\s*['"]?preconnect.*
    paths:
      include:
        - "*.html"
    message: This tag is missing an 'integrity' subresource integrity attribute. The
      'integrity' attribute allows for the browser to verify that externally
      hosted files (for example from a CDN) are delivered without unexpected
      manipulation. Without this attribute, if an attacker can modify the
      externally hosted resource, this could lead to XSS and other types of
      attacks. To prevent this, include the base64-encoded cryptographic hash of
      the resource (file) you’re telling the browser to fetch in the 'integrity'
      attribute for all externally hosted files.
    severity: WARNING
    languages:
      - generic
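As an added illustration (not part of the Semgrep rule or the semgrep-rules project), the following Python mirrors the rule's matching logic with html.parser and also computes the value an 'integrity' attribute should carry for a fetched resource body. EXCLUDED_HOSTS, SriAuditor, audit and sri_hash are names chosen here, and SAMPLE is a constructed document modelled on the rule's test file.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Hosts the rule above skips via its pattern-not-regex allow-list.
EXCLUDED_HOSTS = ("google-analytics.com", "fonts.googleapis.com",
                  "fonts.gstatic.com", "googletagmanager.com")

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build the 'integrity' value for a resource body: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def is_external(url: str) -> bool:
    # Same shapes the rule matches: a URL with a scheme, or a protocol-relative '//' URL.
    return "://" in url or url.startswith("//")

class SriAuditor(HTMLParser):
    """Collect <script src> and <link href> tags that load external files without 'integrity'."""
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[int, str, str]] = []  # (line, tag, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases names; valueless attributes map to None
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if not url or not is_external(url) or "integrity" in a:
            return
        if tag == "link" and (a.get("rel") or "").lower() == "preconnect":
            return  # preconnect fetches no body, so there is nothing to hash
        if any(host in url for host in EXCLUDED_HOSTS):
            return  # allow-listed hosts, mirroring the rule's exclusions
        self.findings.append((self.getpos()[0], tag, url))

def audit(html: str) -> list[tuple[int, str, str]]:
    parser = SriAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample (not the page's own test file).
SAMPLE = """<head>
<script src='https://somewhere-external.com/something-external.js'></script>
<script src='//somewhere-external.com/something-external.js'></script>
<script src="https://somewhere-external.com/something-external.js" integrity="sha512-blahblah"></script>
<script src="./something-internal.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Tangerine">
<link rel="stylesheet" href="https://otherfontsxgoogleapis.com/css?family=Tangerine">
<link rel=preconnect href="https://fonts.gstatic.com/" />
</head>"""
```

Run audit(SAMPLE) to list the two scripts and the non-allow-listed stylesheet that lack the attribute; the value to add for a given file is sri_hash(file_bytes), computed from the exact bytes the CDN serves.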

Examples

missing-integrity.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
    <!-- ruleid: missing-integrity -->
    <script src='https://somewhere-external.com/something-external.js'></script>
    <!-- ruleid: missing-integrity -->
    <script src='//somewhere-external.com/something-external.js'></script>
    <!-- ok: missing-integrity -->
    <script src="https://somewhere-external.com/something-external.js" integrity="sha512-blahblah"></script>
    <!-- ok: missing-integrity -->
    <script src="./something-internal.js"></script>
    <!-- ok: missing-integrity -->
    <script>console.log('something')</script>
    <!-- ruleid: missing-integrity -->
    <link href="https://somewhere-external.com/something-external.css" rel="stylesheet">
    <!-- ruleid: missing-integrity -->
    <link rel="stylesheet" href="https://somewhere-external.com/something-external.css">
    <!-- ok: missing-integrity -->
    <link href="https://somewhere-external.com/something-external.css" rel="stylesheet"
        integrity="sha512-blahblah">
    <!-- ok: missing-integrity -->
    <link rel="stylesheet" type="text/css" href="./something-internal.css" />
    <!-- ok: missing-integrity -->
    <script src="https://www.googletagmanager.com/gtag/js?id=GA_TRACKING_ID"></script>
    <!-- ok: missing-integrity -->
    <script src="https://www.google-analytics.com/analytics.js"></script>
    <!-- ok: missing-integrity -->
    <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Tangerine">
    <!-- ruleid: missing-integrity -->
    <link rel="stylesheet" href="https://otherfontsxgoogleapis.com/css?family=Tangerine">
    <!-- ok: missing-integrity -->
    <link rel="stylesheet" href="https://someurl/style.css" integrity="sha256-somehashdigest">
    <!-- ok: missing-integrity -->
    <link rel="stylesheet" href="./css/mystyle.css">
    <!-- ok: missing-integrity -->
    <link rel="preconnect" href="https://fonts.gstatic.com/" />
    <!-- ok: missing-integrity -->
    <link rel=preconnect href="https://fonts.gstatic.com/" />
</head>
<body>

</body>
</html>