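rules:
  - id: insecure-url-host-hassuffix-check
    message: >-
      Potentially insecure URL host suffix check. `hasSuffix("domain.com")` without a
      leading dot also matches attacker-controlled hosts such as "fakedomain.com" or
      "evil-domain.com". Compare the host exactly for the apex domain and require a
      leading dot for subdomains, e.g.
      `host == "domain.com" || host.hasSuffix(".domain.com")`.
    languages: [swift]
    severity: WARNING
    metadata:
      category: security
      cwe: CWE-697
      technology: [swift, ios]
      subcategory: [audit]
      confidence: HIGH
      likelihood: HIGH
      impact: MEDIUM
      references:
        - https://developer.apple.com/documentation/foundation/url/host(percentencoded:)
        - https://developer.apple.com/documentation/foundation/nsstring/hassuffix(_:)
        - https://pentesterlab.com/blog/rust-cors-vulnerabilities
    # Every pattern below requires $SUFFIX to be a string literal made of at
    # least two dot-separated labels that does not start with a dot
    # (e.g. "domain.com", "api.domain.com"). A suffix held in a variable or
    # constant is not examined, so `let allowed = "domain.com"` followed by
    # `host.hasSuffix(allowed)` is not reported by this rule.
    pattern-either:
      # Pattern 1: any receiver whose source text contains `.host`
      # (e.g. `url.host`, `request.url.host?.lowercased()`). The $X regex has no
      # ^/$ anchors, so `.host` only has to appear somewhere in the receiver.
      - patterns:
          - pattern: $X.hasSuffix($SUFFIX)
          - metavariable-regex:
              metavariable: $SUFFIX
              regex: '^"(?!\.)[a-zA-Z0-9\-]+(\.[a-zA-Z0-9\-]+)+"$'
          - metavariable-regex:
              metavariable: $X
              regex: '.*\.host'
      # Pattern 2: bare `host` / `self.host` inside `extension URL`, where the
      # receiver is the URL's own host property and carries no `.host` text.
      - patterns:
          - pattern-either:
              - pattern: host?.hasSuffix($SUFFIX)
              - pattern: host.hasSuffix($SUFFIX)
              - pattern: self.host?.hasSuffix($SUFFIX)
              - pattern: self.host.hasSuffix($SUFFIX)
              - pattern: host?.hasSuffix($SUFFIX) ?? $D
          - metavariable-regex:
              metavariable: $SUFFIX
              regex: '^"(?!\.)[a-zA-Z0-9\-]+(\.[a-zA-Z0-9\-]+)+"$'
          - pattern-inside: |
              extension URL { ... }
      # Pattern 3: a local bound from `<something>.host` via if-let, guard-let,
      # let or var and then checked with hasSuffix. The optional-binding forms
      # also accept extra conditions in the same clause, so
      # `if let h = url.host, h.hasSuffix("domain.com") { ... }` is reported
      # just like the multi-condition guard.
      - patterns:
          - pattern: $VAR.hasSuffix($SUFFIX)
          - metavariable-regex:
              metavariable: $SUFFIX
              regex: '^"(?!\.)[a-zA-Z0-9\-]+(\.[a-zA-Z0-9\-]+)+"$'
          - pattern-either:
              - pattern-inside: |
                  if let $VAR = $_.host { ... }
              - pattern-inside: |
                  if ..., let $VAR = $_.host, ... { ... }
              - pattern-inside: |
                  guard let $VAR = $_.host else { ... }
                  ...
              - pattern-inside: |
                  guard ..., let $VAR = $_.host, ... else { ... }
                  ...
              - pattern-inside: |
                  let $VAR = $_.host
                  ...
              - pattern-inside: |
                  var $VAR = $_.host
                  ...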