diff --git a/rules/S7081/javascript/metadata.json b/rules/S7081/javascript/metadata.json new file mode 100644 index 00000000000..0eaf51243b3 --- /dev/null +++ b/rules/S7081/javascript/metadata.json @@ -0,0 +1,24 @@ +{ + "title": "Context isolation should be enabled", + "type": "VULNERABILITY", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [], + "defaultSeverity": "Major", + "ruleSpecification": "RSPEC-7081", + "sqKey": "S7081", + "scope": "All", + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "CONVENTIONAL" + } +} \ No newline at end of file diff --git a/rules/S7081/javascript/rule.adoc b/rules/S7081/javascript/rule.adoc new file mode 100644 index 00000000000..5c7e2766ece --- /dev/null +++ b/rules/S7081/javascript/rule.adoc @@ -0,0 +1,93 @@ +In Electron, context isolation is a key security feature that separates preload scripts and Electron's internal logic from the renderer process. As the renderer often displays untrusted content, this feature prevents attackers from directly accessing sensitive APIs or system resources. + +== Why is this an issue? + +In Electron, there is a clear separation between the main process and the renderer process. The main process is responsible for managing system-level resources and interacting with the operating system, while the renderer process is responsible for rendering the user interface and executing JavaScript code in the context of a web page. Electron provides a mechanism called context isolation to enforce this separation and prevent the renderer process from directly accessing sensitive APIs in the main process. + +This can lead to a variety of security issues, including remote code execution, privilege escalation, and data exfiltration. When `nodeIntegration` is enabled, it is even possible to access Node.js APIs from the renderer process, which can further increase the attack surface and expose additional system-level capabilities to untrusted content. Therefore, extreme caution should be taken when using Node.js APIs from the main process to the renderer process in Electron applications. + +=== What is the potential impact? + +==== Full application compromise + +If attackers succeed in gaining access to the main process and its APIs, they can potentially execute arbitrary code with the privileges of the main process. This can lead to a full application compromise, unauthorized access to sensitive data, or other security breaches. For example, an attacker could use this access to exfiltrate sensitive information, modify application behavior, or perform other malicious actions. + +==== Privilege escalation + +Attackers can also use this vulnerability to escalate their privileges within the application. As they can access the preload script, it may become possible to pivot from here to bypass security checks, granting them elevated privileges that they should not have. This can result in unauthorized access to sensitive data, unauthorized actions, or even administrative control over the application. + +== How to fix it in Electron + +=== Code examples + +==== Noncompliant code example + +[source,javascript,diff-id=1,diff-type=noncompliant] +---- +const { app, BrowserWindow } = require('electron'); + +app.whenReady().then(() => { + const win = new BrowserWindow({ + width: 800, + height: 600, + webPreferences: { + contextIsolation: false, // Noncompliant + }, + }); +}); +---- + +==== Compliant solution + +[source,javascript,diff-id=1,diff-type=compliant] +---- +const { app, BrowserWindow } = require('electron'); + +app.whenReady().then(() => { + const win = new BrowserWindow({ + width: 800, + height: 600, + }); +}); +---- + +=== How does this work? + +The compliant solution omits the `contextIsolation` option. Context isolation is enabled by default since Electron 12, so it is not necessary to set this option explicitly in this case. + +=== Pitfalls + +By enabling context isolation, it is harder for attackers to access sensitive APIs. However, if the IPC between the renderer and the main process is not properly secured, attackers may still be able to exploit vulnerabilities in the communication channel. Rule S7072 contains more information about this subject. + +== Resources +=== Documentation + +* Electron - https://www.electronjs.org/docs/tutorial/context-isolation[Context Isolation] +* Electron - https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions[BrowserWindow] + +=== Articles & blog posts + +* Sonar - https://www.sonarsource.com/blog/reply-to-calc-the-attack-chain-to-compromise-mailspring/[Reply to Calc: The Attack Chain to Compromise Mailspring] +* Masato Kinugawa - https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=14[How I hacked Microsoft Teams and got $150,000 in Pwn2Own] + +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +=== Message +* Change this code to enable context isolation. + +=== Highlighting + +* JavaScript: + * Highlight the `contextIsolation` property. +* HTML: + * Highlight the `webPreferences` attribute. + +''' +== Comments And Links +(visible only on this page) + +endif::env-github,rspecator-view[] diff --git a/rules/S7081/metadata.json b/rules/S7081/metadata.json new file mode 100644 index 00000000000..9e26dfeeb6e --- /dev/null +++ b/rules/S7081/metadata.json @@ -0,0 +1 @@ +{} \ No newline at end of file