Semgrep generic rules¶
rules_lgpl_oc_other_rule-ios-self-signed-ssl¶
Summary:
Use of potentially dangerous function
Severity: Critical
CWE: CWE-676
Description:
The app accepts self-signed or otherwise invalid TLS certificates through patterns
such as continueWithoutCredentialForAuthenticationChallenge in an NSURLConnection
authentication-challenge delegate, the CFStream socket settings kCFStreamSSLAllowsAnyRoot
and kCFStreamSSLAllowsExpiredCertificates, or validatesSecureCertificate = NO. With
certificate validation disabled, anyone on the network path can present their own
certificate, impersonate the server (MITM) and read or alter the traffic, including
credentials and session tokens.
Remediation:
Implement proper certificate validation in the iOS app. Use NSURLSession with its
default security settings and do not disable certificate validation: remove every use
of continueWithoutCredentialForAuthenticationChallenge, kCFStreamSSLAllowsAnyRoot and
similar patterns that bypass the certificate checks, and let server-trust challenges
fall through to default handling (NSURLSessionAuthChallengePerformDefaultHandling).
To enforce modern TLS versions, set configuration.TLSMinimumSupportedProtocol =
kTLSProtocol12; note that this property and its SSLProtocol constants are deprecated
since iOS 13, where the equivalent is configuration.TLSMinimumSupportedProtocolVersion
= tls_protocol_version_TLSv12.
OWASP:
- A9:2017-Using Components with Known Vulnerabilities
- A06:2021-Vulnerable and Outdated Components
rules_lgpl_oc_other_rule-ios-webview-ignore-ssl¶
Summary:
Improper certificate validation
Severity: Critical
CWE: CWE-295
Description:
The app's UIWebView ignores TLS errors and accepts any server certificate through
patterns such as allowsAnyHTTPSCertificateForHost (a private NSURLRequest class method,
usually overridden in a category to return YES), loadingUnvalidatedHTTPSPage = YES, or
allowsAnyHTTPSCertificate = YES. Content shown in the web view can then come from anyone
on the network path (MITM), who can impersonate the server, intercept sensitive data
and alter what the web view displays.
Remediation:
Implement proper certificate validation for web view components. Use WKWebView with
its default security settings instead of UIWebView, which has been deprecated since
iOS 12, and remove every use of allowsAnyHTTPSCertificateForHost,
loadingUnvalidatedHTTPSPage and allowsAnyHTTPSCertificate; besides disabling
validation, calling that private API risks App Store rejection. In a
WKNavigationDelegate, leave server-trust challenges to the system
(NSURLSessionAuthChallengePerformDefaultHandling) rather than accepting the presented
trust. For network calls made by the app itself, use NSURLSession with
TLSMinimumSupportedProtocol = kTLSProtocol12 (TLSMinimumSupportedProtocolVersion =
tls_protocol_version_TLSv12 on iOS 13 and later).
OWASP:
- A6:2017-Security Misconfiguration
- A05:2021-Security Misconfiguration
html_django_rule_reflected_xss¶
Summary:
Improper neutralization of user input rendered in HTML ('XSS')
Severity: High
CWE: CWE-79
Description:
The HTML template disables Django's automatic HTML escaping with {% autoescape off %}
or {% autoescape None %}, or bypasses it for individual variables with the | safe or
| escapejs filters. When user-controlled data is rendered in these unescaped contexts
the result is Cross-Site Scripting (XSS). The | safe filter marks a string as trusted
HTML that will not be escaped. The | escapejs filter escapes a value for use inside a
JavaScript string literal and marks its output safe, so auto-escaping no longer applies;
as Django's own documentation states, it does not make the string safe for use in HTML
or in JavaScript template literals. The rule also detects unquoted template variables in
HTML attributes, such as <div class={{ variable }}>: a value containing a space breaks
out of the attribute and starts a new one even with auto-escaping on, because escaping
only rewrites & < > " and ', not spaces. Django's default auto-escaping is the main
defence against XSS, and every one of these patterns bypasses it.
Remediation:
Keep Django's default auto-escaping enabled: remove {% autoescape off %} blocks or
state {% autoescape on %} explicitly. Never apply | safe to user-supplied data; reserve
it for trusted HTML produced by your own application code. The | escapejs filter is
for JavaScript string literals only and is not a substitute for HTML escaping. Always
quote template variables in HTML attributes with single or double quotes, e.g.
<div class="{{ css_class }}">, so that a value cannot break out of the attribute.
For rich user-generated content that must contain HTML, clean it with an allowlist-based
sanitizer such as nh3 (or bleach, which is now deprecated in favour of nh3) before
marking it safe. Add a Content Security Policy header, for example through the
django-csp middleware, as defence in depth so that injected script still does not run
if escaping is accidentally bypassed somewhere.
OWASP:
- A7:2017-Cross-Site Scripting (XSS)
- A03:2021-Injection
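As an added example (not code from the rule set or from Django), the following Python renders the template shapes the rule flags against two constructed attacker inputs and parses the results the way a browser would, so the attribute breakout and the | safe bypass are visible as concrete tags and attributes. It uses the standard library only: html.escape(value, quote=True) stands in for Django's {{ value }} auto-escaping, since both rewrite exactly & < > " and ' to &amp; &lt; &gt; &quot; &#x27; and nothing else; the html.parser probe shows how the rendered markup is read.

```python
"""Django auto-escaping versus the bypasses the rule flags.

Added example; not code from the rule set or from Django. html.escape stands
in for {{ value }} auto-escaping (same five characters, same replacements).
"""
import html
from html.parser import HTMLParser

# Constructed attacker-controlled inputs (not from the page).
ATTR_PAYLOAD = "x onmouseover=alert(document.cookie)"  # none of & < > " ' in it
TAG_PAYLOAD = '<img src=x onerror="alert(1)">'


def autoescape(value: str) -> str:
    """Same output as Django's {{ value }} with auto-escaping on."""
    return html.escape(value, quote=True)


# Each function renders one template shape by hand.
def render_unquoted_attr(value: str) -> str:
    """<div class={{ value }}>  (flagged: escaping cannot stop the breakout)"""
    return f"<div class={autoescape(value)}>"


def render_quoted_attr(value: str) -> str:
    """<div class="{{ value }}">  (fixed: quotes are escaped, value stays inside)"""
    return f'<div class="{autoescape(value)}">'


def render_safe(value: str) -> str:
    """<div>{{ value|safe }}</div>  (flagged: raw HTML reaches the page)"""
    return f"<div>{value}</div>"


def render_escaped(value: str) -> str:
    """<div>{{ value }}</div>  (default auto-escaping)"""
    return f"<div>{autoescape(value)}</div>"


class _Probe(HTMLParser):
    """Collects start tags and attributes as an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(attrs)


def browser_view(markup: str):
    """Return (tags, attributes) parsed from the rendered markup."""
    probe = _Probe()
    probe.feed(markup)
    probe.close()
    return probe.tags, probe.attrs


if __name__ == "__main__":
    for label, markup in [
        ("unquoted attr", render_unquoted_attr(ATTR_PAYLOAD)),
        ("quoted attr", render_quoted_attr(ATTR_PAYLOAD)),
        ("|safe", render_safe(TAG_PAYLOAD)),
        ("escaped", render_escaped(TAG_PAYLOAD)),
    ]:
        print(f"{label:14}: {markup!r} -> {browser_view(markup)}")
```

With the unquoted attribute the escaped payload is unchanged (it contains no escapable character) and the parser yields a second attribute, onmouseover, so the handler runs; with the attribute quoted the whole payload stays the value of class. With | safe the img tag and its onerror handler reach the page, while the escaped rendering contains a div and nothing else.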