QL code and tests for C#/C++/JavaScript.

2025-12-22 19:56:32 +01:00 · 2018-08-02 17:53:23 +01:00
commit b55526aa58
10684 changed files with 581163 additions and 0 deletions
--- a/javascript/ql/src/Electron/AllowRunningInsecureContent.qhelp
+++ b/javascript/ql/src/Electron/AllowRunningInsecureContent.qhelp
@@ -0,0 +1,42 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>
+      Electron is secure by default through a policy banning the execution of
+      content loaded over HTTP. Setting the
+      <code>allowRunningInsecureContent</code> property of a
+      <code>webPreferences</code> object to <code>true</code> will disable this
+      policy.
+    </p>
+    <p>
+      Enabling the execution of insecure content is strongly discouraged.
+    </p>
+  </overview>
+  
+  <recommendation>
+    <p>
+      Do not enable the <code>allowRunningInsecureContent</code> property.
+    </p>
+  </recommendation>
+  
+  <example>
+    <p>
+      The following example shows <code>allowRunningInsecureContent</code>
+      being enabled.
+    </p>
+    <sample src="examples/AllowRunningInsecureContent.js"/>
+    
+    <p>
+      This is problematic, since it allows the execution of code from an
+      untrusted origin.
+    </p>
+    
+  </example>
+  
+  <references>
+    <li>Electron Documentation: <a href="https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true">Security, Native Capabilities, and Your Responsibility</a></li>
+  </references>
+</qhelp>
--- a/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
+++ b/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Enabling Electron allowRunningInsecureContent
+ * @description Enabling allowRunningInsecureContent can allow remote code execution.
+ * @kind problem
+ * @problem.severity error
+ * @precision very-high
+ * @tags security
+ *       frameworks/electron
+ * @id js/enabling-electron-insecure-content
+ */
+
+
+import javascript
+
+from DataFlow::PropWrite allowRunningInsecureContent, Electron::WebPreferences preferences
+where allowRunningInsecureContent = preferences.getAPropertyWrite("allowRunningInsecureContent")
+  and allowRunningInsecureContent.getRhs().mayHaveBooleanValue(true)
+select allowRunningInsecureContent, "Enabling allowRunningInsecureContent is strongly discouraged."
--- a/javascript/ql/src/Electron/DisablingWebSecurity.qhelp
+++ b/javascript/ql/src/Electron/DisablingWebSecurity.qhelp
@@ -0,0 +1,41 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>
+      Electron is secure by default through a same-origin policy requiring all
+      JavaScript and CSS code to originate from the machine running the
+      Electron application. Setting the <code>webSecurity</code> property of a
+      <code>webPreferences</code> object to <code>false</code> will disable the
+      same-origin policy.
+    </p>
+    <p>
+      Disabling the same-origin policy is strongly discouraged.
+    </p>
+  </overview>
+  
+  <recommendation>
+    <p>
+      Do not disable <code>webSecurity</code>.
+    </p>
+  </recommendation>
+  
+  <example>
+    <p>
+      The following example shows <code>webSecurity</code> being disabled.
+    </p>
+    <sample src="examples/DisablingWebSecurity.js"/>
+    
+    <p>
+      This is problematic, since it allows the execution of insecure code from
+      other domains.
+    </p>
+    
+  </example>
+  
+  <references>
+    <li>Electron Documentation: <a href="https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity">Security, Native Capabilities, and Your Responsibility</a></li>
+  </references>
+</qhelp>
--- a/javascript/ql/src/Electron/DisablingWebSecurity.ql
+++ b/javascript/ql/src/Electron/DisablingWebSecurity.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Disabling Electron webSecurity
+ * @description Disabling webSecurity can cause critical security vulnerabilities.
+ * @kind problem
+ * @problem.severity error
+ * @precision very-high
+ * @tags security
+ *       frameworks/electron
+ * @id js/disabling-electron-websecurity
+ */
+
+import javascript
+
+from DataFlow::PropWrite webSecurity, Electron::WebPreferences preferences
+where webSecurity = preferences.getAPropertyWrite("webSecurity")
+  and webSecurity.getRhs().mayHaveBooleanValue(false)
+select webSecurity, "Disabling webSecurity is strongly discouraged."
--- a/javascript/ql/src/Electron/examples/AllowRunningInsecureContent.js
+++ b/javascript/ql/src/Electron/examples/AllowRunningInsecureContent.js
@@ -0,0 +1,5 @@
+const mainWindow = new BrowserWindow({
+  webPreferences: {
+    allowRunningInsecureContent: true
+  }
+})
--- a/javascript/ql/src/Electron/examples/DisablingWebSecurity.js
+++ b/javascript/ql/src/Electron/examples/DisablingWebSecurity.js
@@ -0,0 +1,5 @@
+const mainWindow = new BrowserWindow({
+  webPreferences: {
+    webSecurity: false
+  }
+})