Add YAML Configurations for Security Rules Against File Access Vulnerabilities

[ESS-ENN]

Summary by CodeRabbit

• New Features
  • Introduced security rules for Swift to prevent file access from web views and mitigate XML External Entity (XXE) attacks.
• Tests
  • Added test cases for validating web view configurations and XML parsing scenarios related to file access and XXE prevention.

[coderabbitai]

Walkthrough

This pull request introduces new YAML configuration files for Swift that define security rules aimed at preventing vulnerabilities related to file access in webviews and XML External Entity (XXE) attacks. The configurations specify conditions under which warnings are issued when insecure practices are detected, along with corresponding test cases to validate these rules. Additionally, snapshot files are created to capture the behavior of the relevant functions and parser instances, ensuring adherence to security best practices.

Changes

File Path	Change Summary
rules/swift/security/swift-webview-config-allows-file-access-swift.yml	New rule added: swift-webview-config-allows-file-access-swift to warn about file access in webviews.
rules/swift/security/swift-xxe-prevention-swift.yml	New rule added: swift-xxe-prevention-swift to warn against XML External Entity (XXE) vulnerabilities.
tests/snapshots/swift-webview-config-allows-file-access-swift-snapshot.yml	New snapshot added for enableFileAccessFromFileURLs function, capturing its configuration.
tests/snapshots/swift-xxe-prevention-swift-snapshot.yml	New snapshot added for XML parsing with various shouldResolveExternalEntities settings.
tests/swift/swift-webview-config-allows-file-access-swift-test.yml	New test case added for validating web view file access configurations, with invalid examples.
tests/swift/swift-xxe-prevention-swift-test.yml	New test case added for validating XML parsing configurations to prevent XXE vulnerabilities.

Possibly related PRs

• [Update ast-grep CLI & add Java cookie management rules #7] Update ast-grep CLI & add Java cookie management rules: Introduces a new YAML configuration for Java addressing security rules, possibly relevant to the Swift configurations.
• [New Rules #2 #9] New Rules Add security rules to ast-grep-essentials repository #2: Adds new security rules in JavaScript and TypeScript, enhancing security practices in code.
• [One java and one rust rule #13] One java and one rust rule: Includes security rules for Java focusing on vulnerabilities, similar to the Swift configurations.
• [Rules - One go and one java rule - 11Oct2024 #18] Rules - One go and one java rule - 11Oct2024: Introduces security rules in Go and Java, aligning with the security focus of this PR.
• [Rules - One php and one java rule #20] Rules - One php and one java rule: Adds security rules for PHP and Java, maintaining the theme of enhancing security practices.
• [Rules - file-access-before-action-c/cpp #23] Rules - file-access-before-action-c/cpp: Introduces rules for C and C++ addressing file access security, relevant to the concerns raised in this PR.
• [Two openai go rules #29] Two openai go rules: Introduces rules for Go focusing on hard-coded secrets, a security concern also addressed in this PR.
• [Two python rules 16Oct2024 #31] Two python rules 16Oct2024: Adds rules for Python detecting hard-coded secrets, aligning with the security focus of this PR.
• [Rules - One C rule and one Ruby rule #34] Rules - One C rule and one Ruby rule: Introduces a rule for C addressing potential vulnerabilities, relevant to this PR's security context.

🐇 In the meadow, we hop and play,
New rules for Swift have come our way!
With webviews safe and XML clear,
Security's strong, there’s nothing to fear!
So let’s celebrate, with joy and cheer,
For safe coding practices are finally here! 🌟

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

🧹 Outside diff range and nitpick comments (8)

tests/swift/swift-webview-config-allows-file-access-swift-test.yml (1)

1-4: Consider documenting valid use cases or remove empty section.

The empty valid section might benefit from documentation explaining why there are no valid cases, or if there are specific scenarios where allowing file access might be necessary (e.g., for testing or specific development environments).

tests/swift/swift-xxe-prevention-swift-test.yml (1)

3-7: Consider enhancing the valid test case documentation.

While the test case correctly demonstrates secure XML parsing, consider adding:

1. Comments explaining why setting shouldResolveExternalEntities = false is the secure approach
2. Validation of parser results to ensure successful parsing

  - |
+   // Secure configuration: Disable external entity resolution to prevent XXE attacks
    let parser2 = XMLParser(data: xmlData)
    parser2.shouldResolveExternalEntities = false
    parser2.delegate = self
-   parser2.parse()
+   let success = parser2.parse()
+   assert(success, "Parser should successfully parse secure XML")

rules/swift/security/swift-webview-config-allows-file-access-swift.yml (2)

1-11: Enhance security context in documentation.

Consider adding more context about the security implications and specific remediation steps.

Apply this diff to improve the documentation:

 note: >-
   [CWE-272]: Least Privilege Violation
   [REFERENCES]
        https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/
+  [IMPACT]
+       Allowing file access in WebViews can lead to local file system exposure
+  [REMEDIATION]
+       1. Set allowFileAccessFromFileURLs to false
+       2. Use content security policies
+       3. Implement proper origin validation

---

46-48: Consider enhancing rule coverage.

The rule could be expanded to:

1. Detect secure configurations and provide positive feedback
2. Check for related security properties like allowUniversalAccessFromFileURLs
3. Implement severity levels based on the context (e.g., debug vs. release builds)

Would you like me to help implement these additional security checks?

tests/__snapshots__/swift-xxe-prevention-swift-snapshot.yml (2)

54-103: Consider adding security context for URL-based initialization.

This test case correctly captures the URL-based initialization vulnerability. However, it would be valuable to add comments explaining that this represents a double risk:

1. Untrusted URL source
2. External entity resolution enabled

Consider adding these comments to help developers understand the security implications:

+ # This case demonstrates compound risk:
+ # 1. Parser initialized with potentially untrusted URL
+ # 2. External entity resolution enabled, allowing XXE attacks
  var parser3 = XMLParser(contentsOfURL: url)

---

104-153: LGTM! Excellent edge case coverage.

This test case effectively captures the security bypass pattern where an initially safe configuration is later undermined. It's particularly valuable for detecting attempts to circumvent security controls.

Consider adding one more variation where the unsafe configuration is set in a different method or callback to ensure the analysis can track property changes across method boundaries:

  ? |
    var parser7 = XMLParser(contentsOfURL: url)
    parser7.delegate = self
    parser7.shouldResolveExternalEntities = false
    configureParser(parser7)  // where configureParser sets shouldResolveExternalEntities = true
    parser7.parse()

rules/swift/security/swift-xxe-prevention-swift.yml (2)

1-14: LGTM! Consider adding CVSS score reference.

The rule metadata is well-structured with clear messaging and relevant references.

Consider adding a CVSS (Common Vulnerability Scoring System) score reference for XXE vulnerabilities to help teams better assess the risk level. The base CVSS score for XXE vulnerabilities typically ranges from 6.5 to 8.2 depending on the implementation context.

---

1-114: Consider adding test cases for edge cases.

While the rule implementation is solid, it would be beneficial to ensure comprehensive test coverage for various XMLParser configurations and initialization patterns.

Consider adding test cases for:

1. XMLParser initialization through dependency injection
2. Subclassed XMLParser implementations
3. Parser configurations in different Swift versions
4. Integration with third-party XML parsing libraries

Would you like me to help create these test cases?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 3195f93 and bd548fb.

📒 Files selected for processing (6)

• rules/swift/security/swift-webview-config-allows-file-access-swift.yml (1 hunks)
• rules/swift/security/swift-xxe-prevention-swift.yml (1 hunks)
• tests/snapshots/swift-webview-config-allows-file-access-swift-snapshot.yml (1 hunks)
• tests/snapshots/swift-xxe-prevention-swift-snapshot.yml (1 hunks)
• tests/swift/swift-webview-config-allows-file-access-swift-test.yml (1 hunks)
• tests/swift/swift-xxe-prevention-swift-test.yml (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• tests/snapshots/swift-webview-config-allows-file-access-swift-snapshot.yml

🔇 Additional comments (9)

tests/swift/swift-webview-config-allows-file-access-swift-test.yml (1)

1-14: Verify coverage of related security configurations.

Consider expanding the test cases to include related WebView security settings that are often misconfigured together:

• allowUniversalAccessFromFileURLs
• javaScriptEnabled
• File scheme handling

Let's check for related security configurations in the codebase:

tests/swift/swift-xxe-prevention-swift-test.yml (2)

1-2: LGTM! Well-structured test configuration.

The test configuration follows a clear and organized structure with a descriptive ID that matches its security focus.

---

1-24: Verify comprehensive security coverage.

While the test cases focus on XXE prevention through shouldResolveExternalEntities, let's verify if there are other related security settings or best practices that should be included in these tests.

✅ Verification successful

Test cases adequately cover XMLParser security settings

The test cases in swift-xxe-prevention-swift-test.yml comprehensively cover the critical security aspects of XMLParser:

• Tests both data and URL-based parser initialization
• Verifies proper handling of shouldResolveExternalEntities flag
• Includes negative test cases for unsafe configurations
• Covers the edge case of flag reassignment

No additional security settings specific to XMLParser were found in the codebase that would warrant inclusion in these test cases.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for other XMLParser security-related configurations in Swift files
rg -t swift "XMLParser.*security|XMLParser.*secure" 

# Search for related security rules in other YAML configurations
fd -e yml -e yaml | xargs rg "XMLParser|XXE|entity"

Length of output: 3354

rules/swift/security/swift-webview-config-allows-file-access-swift.yml (2)

1-48: Verify integration with test suite.

Let's ensure this rule is properly covered by tests and integrates well with other security rules.

✅ Verification successful

Rule is properly integrated with comprehensive test coverage

The security rule is well-integrated with appropriate test coverage:

• Test file includes valid/invalid test cases covering different patterns of allowFileAccessFromFileURLs usage
• Snapshot tests validate the rule's behavior with detailed labels and style annotations
• This is the only WebView security rule in the swift/security directory, so no coordination issues exist

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify test coverage and rule integration

# Test 1: Check for corresponding test files
fd -e yml "swift-webview-config-allows-file-access-swift.*test"

# Test 2: Check for similar security rules that might need coordination
fd -e yml . rules/swift/security | grep -i "webview"

# Test 3: Verify snapshot tests exist
fd -e yml "swift-webview-config-allows-file-access-swift.*snapshot"

Length of output: 4119

---

Script:

#!/bin/bash
# Let's verify test coverage and related rules more precisely

# Check for test file content
cat tests/swift/swift-webview-config-allows-file-access-swift-test.yml

# Check for other webview security rules
fd -e yml . rules/swift/security | grep -i webview

# Check snapshot test content
cat tests/__snapshots__/swift-webview-config-allows-file-access-swift-snapshot.yml

Length of output: 3970

---

12-45: Consider expanding pattern matching coverage.

The current pattern might miss some variations of setting this property. Let's verify the coverage and potentially expand it.

✅ Verification successful

The initial results show the common pattern using setValue(forKey:), but we should verify if there are other ways this property might be set in Swift code, such as direct property access or during initialization.

---

Current pattern coverage is sufficient

Based on the comprehensive search results from both rounds of verification:

1. The property is consistently set using setValue(_:forKey:) pattern
2. No alternative patterns (direct property access, initialization-time setting) were found
3. The case sensitivity in the regex pattern (^allowFileAccessFromFileURLs$) matches the exact string found in all test cases

The current AST pattern in the rule correctly captures the common and apparently only way this property is set in Swift code. The pattern's specificity is actually a strength here, not a limitation.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for different variations of setting allowFileAccessFromFileURLs
# to ensure we're not missing any cases

# Test 1: Check for different case variations
rg -i "allowfileaccessfromfileurls" 

# Test 2: Check for alternative ways of setting the property
ast-grep --pattern 'preferences.setValue($_, forKey: "allowFileAccessFromFileURLs")'

Length of output: 4119

---

Script:

#!/bin/bash
# Let's check for other potential variations of setting this property

# Check for direct property access
rg "\.allowFileAccessFromFileURLs\s*=" -A 2

# Check for alternative setValue patterns
ast-grep --pattern 'setValue($_, forKey: $_)'

# Check for preferences initialization patterns
ast-grep --pattern 'WKPreferences().allowFileAccessFromFileURLs'

# Check for alternative configuration patterns
ast-grep --pattern 'WKWebViewConfiguration().preferences.allowFileAccessFromFileURLs'

Length of output: 248

tests/__snapshots__/swift-xxe-prevention-swift-snapshot.yml (2)

1-2: LGTM! File structure is well-organized.

The snapshot file is properly structured with a clear identifier matching the security rule.

---

3-53: Verify test coverage for additional XMLParser initialization methods.

While this test case correctly captures the basic unsafe usage, consider adding test cases for other common initialization methods like XMLParser(stream:) to ensure comprehensive coverage.

Consider also adding a test case that demonstrates the secure pattern (keeping shouldResolveExternalEntities = false) as a positive example in the snapshots.

rules/swift/security/swift-xxe-prevention-swift.yml (2)

112-114: LGTM! Rule definition is correct.

The rule definition properly references the pattern and follows the standard format.

---

17-111: Verify pattern coverage for XMLParser configurations.

The pattern matching logic looks comprehensive for direct assignments, but let's verify it catches all XMLParser initialization scenarios.

✅ Verification successful

Pattern verification for XMLParser is sufficient

The rule appears to be a security pattern definition in YAML format, and our verification attempts show no actual Swift source files in the repository, which is expected as this is a rules repository. The pattern itself is comprehensive and correctly structured to:

1. Match XMLParser instantiations
2. Detect unsafe shouldResolveExternalEntities = true assignments
3. Include checks for both preceding and following assignments
4. Handle property declarations and direct assignments

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the pattern covers all XMLParser configurations in the codebase
# Test: Search for XMLParser instantiations and shouldResolveExternalEntities assignments
# Expect: Pattern should match all relevant cases

# Find all XMLParser instantiations
echo "Checking XMLParser instantiations:"
ast-grep --pattern 'XMLParser($$$)'

# Find all shouldResolveExternalEntities assignments
echo -e "\nChecking shouldResolveExternalEntities assignments:"
rg 'shouldResolveExternalEntities.*=.*true' -t swift

Length of output: 534

---

Script:

#!/bin/bash
# Let's try a different approach to find Swift files and XMLParser usage

# First, find Swift files
echo "Swift files in the repository:"
fd -e swift

# Search for XMLParser pattern with more context
echo -e "\nXMLParser usage in Swift files:"
rg "XMLParser" -t swift -A 3 -B 3

# Search for shouldResolveExternalEntities with broader pattern
echo -e "\nChecking shouldResolveExternalEntities in Swift files:"
rg "shouldResolveExternalEntities" -t swift -A 3 -B 3

# Check test files that might contain example usages
echo -e "\nChecking test files for XMLParser:"
fd -e swift test

Length of output: 778