swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Webviews were observed that explictly allow JavaScript in an WKWebview to open windows automatically. Consider disabling this functionality if not required, following the principle of least privelege.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: swift-webview-config-allows-js-open-windows
    message: Webviews were observed that explictly allow JavaScript in an WKWebview
      to open windows automatically. Consider disabling this functionality if
      not required, following the principle of least privelege.
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: LOW
      confidence: HIGH
      category: security
      cwe:
        - "CWE-272: Least Privilege Violation"
      masvs:
        - "MASVS-PLATFORM-2: The app uses WebViews securely"
      references:
        - https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/
        - https://developer.apple.com/documentation/webkit/wkpreferences/1536573-javascriptcanopenwindowsautomati
      subcategory:
        - audit
      technology:
        - ios
        - macos
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    languages:
      - swift
    patterns:
      - pattern: |
          $P = WKPreferences()
          ...
      - pattern-either:
          - patterns:
              - pattern-inside: |
                  $P.JavaScriptCanOpenWindowsAutomatically  = $FALSE
                  ...
                  $P.JavaScriptCanOpenWindowsAutomatically  = $TRUE
              - pattern-not-inside: |
                  ...
                  $P.JavaScriptCanOpenWindowsAutomatically  = $TRUE
                  ...
                  $P.JavaScriptCanOpenWindowsAutomatically = $FALSE
              - pattern: |
                  $P.JavaScriptCanOpenWindowsAutomatically  = true
              - metavariable-regex:
                  metavariable: $TRUE
                  regex: ^(true)$
              - metavariable-regex:
                  metavariable: $TRUE
                  regex: (.*(?!true))
          - patterns:
              - pattern: |
                  $P.JavaScriptCanOpenWindowsAutomatically  = true
              - pattern-not-inside: |
                  ...
                  $P.JavaScriptCanOpenWindowsAutomatically  = ...
                  ...
                  $P.JavaScriptCanOpenWindowsAutomatically  = ...

Examples

webview-js-window.swift

let prefs = WKPreferences()
// ruleid: swift-webview-config-allows-js-open-windows
prefs.JavaScriptCanOpenWindowsAutomatically  = true
let config = WKWebViewConfiguration()
config.defaultWebpagePreferences = prefs

WKWebView(frame: .zero, configuration: config)

let prefs2 = WKPreferences()
prefs2.JavaScriptCanOpenWindowsAutomatically  = true
// okid: swift-webview-config-allows-js-open-windows
prefs2.JavaScriptCanOpenWindowsAutomatically  = false
let config = WKWebViewConfiguration()
config.defaultWebpagePreferences = prefs2

WKWebView(frame: .zero, configuration: config)