Add S5734 Require nosniff header in web.config

Author: tomasz-tylenda-sonarsource

its/ruling/src/test/resources/expected/xml-S5734.json

@@ -0,0 +1,5 @@
+{
+"project:asp.net-web-application/web.config": [
+1
+]
+}

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/CheckList.java

@@ -40,6 +40,7 @@
 import org.sonar.plugins.xml.checks.security.web.BasicAuthenticationCheck;
 import org.sonar.plugins.xml.checks.security.web.CrossOriginResourceSharingCheck;
 import org.sonar.plugins.xml.checks.security.web.HttpOnlyOnCookiesCheck;
+import org.sonar.plugins.xml.checks.security.web.MimeNosniffCheck;
 import org.sonar.plugins.xml.checks.security.web.ValidationFiltersCheck;
 import org.sonar.plugins.xml.checks.spring.DefaultMessageListenerContainerCheck;
 import org.sonar.plugins.xml.checks.spring.SingleConnectionFactoryCheck;
@@ -89,7 +90,8 @@ public static List<Class<?>> getCheckClasses() {
       FixmeCommentCheck.class,
       ValidationFiltersCheck.class,
       DisallowedDependenciesCheck.class,
-      CommentedOutCodeCheck.class
+      CommentedOutCodeCheck.class,
+      MimeNosniffCheck.class
     );
   }
 

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/web/BaseWebCheck.java

@@ -0,0 +1,75 @@
+/*
+ * SonarQube XML Plugin
+ * Copyright (C) 2010-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.plugins.xml.checks.security.web;
+
+import org.sonar.plugins.xml.Xml;
+import org.sonarsource.analyzer.commons.xml.XmlFile;
+import org.sonarsource.analyzer.commons.xml.checks.SimpleXPathBasedCheck;
+
+/**
+ * Base class for checks targeting Java's web.xml and .NET web.config files.
+ */
+public class BaseWebCheck extends SimpleXPathBasedCheck {
+  protected static final String WEB_XML_ROOT = "web-app";
+
+  @Override
+  public final void scanFile(XmlFile file) {
+    if (isWebXmlFile(file)) {
+      scanWebXml(file);
+    } else if (Xml.isDotNetApplicationConfig(file.getInputFile())) {
+      scanWebConfig(file);
+    }
+  }
+
+  /** Scan Java's web.xml. */
+  protected void scanWebXml(XmlFile file) {
+    // Ignored by default.
+  }
+
+  /** Scan .NET's web.config. */
+  protected void scanWebConfig(XmlFile file) {
+    // Ignored by default.
+  }
+
+  private static boolean isWebXmlFile(XmlFile file) {
+    return "web.xml".equalsIgnoreCase(file.getInputFile().filename());
+  }
+
+  /**
+   * Builds an XPath expression that matches the deepest existing node.
+   *
+   * For example, for segments "a", "b", "c", the resulting expression is:
+   * <pre>
+   *   /a/b/c | /a/b[not(c)] | /a[not(b)]
+   * </pre>
+   */
+  protected String getDeepestExistingNode(String ... segments) {
+    StringBuilder expression = new StringBuilder();
+    for (int len = segments.length; len > 0; len--) {
+      for (int i = 0; i < len; i++) {
+        expression.append("/").append(segments[i]);
+      }
+      if (len < segments.length) {
+        expression.append("[not(").append(segments[len]).append(")]");
+      }
+      if (len > 1) {
+        expression.append("|");
+      }
+    }
+    return expression.toString();
+  }
+}

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/web/BasicAuthenticationCheck.java

@@ -23,7 +23,7 @@
 import org.w3c.dom.Document;
 
 @Rule(key = "S2647")
-public class BasicAuthenticationCheck extends AbstractWebXmlCheck {
+public class BasicAuthenticationCheck extends BaseWebCheck {
 
   private XPathExpression authMethodBasicExpression = XPathBuilder
     .forExpression("/j:web-app/j:login-config/j:auth-method[.='BASIC']")
@@ -36,7 +36,7 @@ public class BasicAuthenticationCheck extends AbstractWebXmlCheck {
     .build();
 
   @Override
-  void scanWebXml(XmlFile file) {
+  protected void scanWebXml(XmlFile file) {
     Document webApp = file.getDocument();
     if (!evaluateAsList(httpsEnabledExpression, webApp).isEmpty()) {
       return;

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/web/CrossOriginResourceSharingCheck.java

@@ -23,7 +23,7 @@
 import org.sonarsource.analyzer.commons.xml.XmlFile;
 
 @Rule(key = "S5122")
-public class CrossOriginResourceSharingCheck extends AbstractWebXmlCheck {
+public class CrossOriginResourceSharingCheck extends BaseWebCheck {
 
   private static final Pattern STAR_IN_COMMA_SEPARATED_LIST_REGEX = Pattern.compile("(^|,)\\*(,|$)");
 
@@ -37,7 +37,7 @@ public class CrossOriginResourceSharingCheck extends AbstractWebXmlCheck {
     .build();
 
   @Override
-  void scanWebXml(XmlFile file) {
+  protected void scanWebXml(XmlFile file) {
     evaluateAsList(corsAllowedOrigins, file.getDocument()).stream()
       .filter(node -> STAR_IN_COMMA_SEPARATED_LIST_REGEX.matcher(node.getNodeValue()).find())
       .forEach(node -> reportIssue(node, "Make sure this permissive CORS policy is safe here."));

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/web/HttpOnlyOnCookiesCheck.java

@@ -24,7 +24,7 @@
 import org.w3c.dom.Node;
 
 @Rule(key = "S3330")
-public class HttpOnlyOnCookiesCheck extends AbstractWebXmlCheck {
+public class HttpOnlyOnCookiesCheck extends BaseWebCheck {
 
   private XPathExpression sessionConfigCookieConfigExpression = XPathBuilder
     .forExpression("/n:web-app/n:session-config/n:cookie-config")
@@ -36,7 +36,7 @@ public class HttpOnlyOnCookiesCheck extends AbstractWebXmlCheck {
     .build();
 
   @Override
-  void scanWebXml(XmlFile file) {
+  protected void scanWebXml(XmlFile file) {
     evaluateAsList(sessionConfigCookieConfigExpression, file.getDocument()).forEach(this::checkHttpOnly);
   }
 

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/web/MimeNosniffCheck.java

@@ -0,0 +1,61 @@
+/*
+ * SonarQube XML Plugin
+ * Copyright (C) 2010-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.plugins.xml.checks.security.web;
+
+import org.sonar.check.Rule;
+import org.sonarsource.analyzer.commons.xml.XPathBuilder;
+import org.sonarsource.analyzer.commons.xml.XmlFile;
+import org.w3c.dom.Document;
+import org.w3c.dom.NodeList;
+
+import javax.xml.xpath.XPathExpression;
+
+/**
+ * Ensure that the X-Content-Type-Options header is set to "nosniff" to prevent MIME type sniffing.
+ * The check applies to .NET web.config files.
+ */
+@Rule(key = "S5734")
+public class MimeNosniffCheck extends BaseWebCheck {
+  private final XPathExpression httpCookiesExpression = XPathBuilder
+    .forExpression(
+      "/configuration"
+      + "/system.webServer"
+      + "/httpProtocol"
+      + "/customHeaders"
+      + "/add[@name=\"X-Content-Type-Options\" and @value=\"nosniff\"]")
+    .build();
+
+  /** Attach the issue to the closest existing node. */
+  private final XPathExpression reportNodeExpression = XPathBuilder
+    .forExpression(getDeepestExistingNode("configuration", "system.webServer", "httpProtocol", "customHeaders"))
+    .build();
+
+  @Override
+  protected void scanWebConfig(XmlFile file) {
+    Document document = file.getDocument();
+    NodeList expectedNodes = evaluate(httpCookiesExpression, document);
+
+    // null is returned on internal errors, and we don't want to raise a false positive in that case.
+    if (expectedNodes != null && expectedNodes.getLength() == 0) {
+      evaluateAsList(reportNodeExpression, document)
+        .stream()
+        .findFirst()
+        .ifPresent(target ->
+          reportIssue(target, "Global <httpCookies> tag is missing or its 'httpOnlyCookies' attribute is not set to true."));
+    }
+  }
+}

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/web/ValidationFiltersCheck.java

@@ -27,7 +27,7 @@
 
 @Rule(key = "S3355")
 @DeprecatedRuleKey(repositoryKey = "java", ruleKey = "S3355")
-public class ValidationFiltersCheck extends AbstractWebXmlCheck {
+public class ValidationFiltersCheck extends BaseWebCheck {
   private XPathExpression filterNamesFromFilterExpression = getXPathExpression(WEB_XML_ROOT + "/filter/filter-name");
   private XPathExpression filterNamesFromFilterMappingExpression = getXPathExpression(WEB_XML_ROOT + "/filter-mapping/filter-name");
 

sonar-xml-plugin/src/main/resources/org/sonar/l10n/xml/rules/xml/S5734.html

@@ -0,0 +1,66 @@
+<p><a href="https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/">MIME confusion</a> attacks occur when an
+attacker successfully tricks a web-browser to interpret a resource as a different type than the one expected. To correctly interpret a resource
+(script, image, stylesheet …​) web browsers look for the <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type">Content-Type
+header</a> defined in the HTTP response received from the server, but often this header is not set or is set with an incorrect value. To avoid
+content-type mismatch and to provide the best user experience, web browsers try to deduce the right content-type, generally by inspecting the content
+of the resources (the first bytes). This "guess mechanism" is called <a href="https://en.wikipedia.org/wiki/Content_sniffing">MIME type
+sniffing</a>.</p>
+<p>Attackers can take advantage of this feature when a website ("example.com" here) allows to upload arbitrary files. In that case, an attacker can
+upload a malicious image <em>fakeimage.png</em> (containing malicious JavaScript code or <a
+href="https://docs.microsoft.com/fr-fr/archive/blogs/ieinternals/script-polyglots">a polyglot content</a> file) such as:</p>
+<pre>
+&lt;script&gt;alert(document.cookie)&lt;/script&gt;
+</pre>
+<p>When the victim will visit the website showing the uploaded image, the malicious script embedded into the image will be executed by web browsers
+performing MIME type sniffing.</p>
+<h2>Ask Yourself Whether</h2>
+<ul>
+  <li> <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type">Content-Type</a> header is not systematically set for all
+  resources. </li>
+  <li> Content of resources can be controlled by users. </li>
+</ul>
+<p>There is a risk if you answered yes to any of those questions.</p>
+<h2>Recommended Secure Coding Practices</h2>
+<p>Implement <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options">X-Content-Type-Options</a> header with
+<em>nosniff</em> value (the only existing value for this header) which is supported by all modern browsers and will prevent browsers from performing
+MIME type sniffing, so that in case of Content-Type header mismatch, the resource is not interpreted. For example within a &lt;script&gt; object
+context, JavaScript MIME types are expected (like <em>application/javascript</em>) in the Content-Type header.</p>
+<h2>Sensitive Code Example</h2>
+<p>The following ASP.NET website configuration is sensitive, because it does not set the <code>X-Content-Type-Options</code> HTTP response header to
+<code>nosniff</code>:</p>
+<pre>
+&lt;?xml version="1.0" encoding="utf-8"?&gt;
+&lt;configuration&gt; &lt;!-- Sensitive --&gt;
+  &lt;system.webServer&gt;
+    &lt;!-- ... --&gt;
+  &lt;/system.webServer&gt;
+&lt;/configuration&gt;
+</pre>
+<h2>Compliant Solution</h2>
+<p>To mitigate this finding, set <code>nosniff</code> globally for all pages in the application in the <code>web.config</code> file. While it is also
+possible to configure the header individually in the application code, or per <code>&lt;location&gt;</code> element, setting it globally is less
+error-prone and therefore recommended.</p>
+<pre>
+&lt;?xml version="1.0" encoding="utf-8"?&gt;
+&lt;configuration&gt;
+  &lt;system.webServer&gt;
+    &lt;httpProtocol&gt;
+      &lt;customHeaders&gt;
+        &lt;add name="X-Content-Type-Options" value="nosniff"/&gt;
+      &lt;/customHeaders&gt;
+    &lt;/httpProtocol&gt;
+    &lt;!-- ... --&gt;
+  &lt;/system.webServer&gt;
+&lt;/configuration&gt;
+</pre>
+<h2>See</h2>
+<ul>
+  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
+  Misconfiguration</a> </li>
+  <li> <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options">developer.mozilla.org</a> - X-Content-Type-Options
+  </li>
+  <li> <a href="https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/">blog.mozilla.org</a> - Mitigating MIME
+  Confusion Attacks in Firefox </li>
+</ul>
+

sonar-xml-plugin/src/main/resources/org/sonar/l10n/xml/rules/xml/S5734.json

@@ -0,0 +1,28 @@
+{
+  "title": "Allowing browsers to sniff MIME types is security-sensitive",
+  "type": "SECURITY_HOTSPOT",
+  "code": {
+    "impacts": {
+      "SECURITY": "LOW"
+    },
+    "attribute": "COMPLETE"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [],
+  "defaultSeverity": "Minor",
+  "ruleSpecification": "RSPEC-5734",
+  "sqKey": "S5734",
+  "scope": "Main",
+  "securityStandards": {
+    "OWASP": [
+      "A6"
+    ],
+    "OWASP Top 10 2021": [
+      "A5"
+    ]
+  }
+}