contrib.nodejsscan.header_cors_star.generic_cors
returntocorpAuthor
99
Download Count*
License
Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
Run Locally
Run in CI
Defintion
rules:
- id: generic_cors
message: Access-Control-Allow-Origin response header is set to "*". This will
disable CORS Same Origin Policy restrictions.
severity: WARNING
metadata:
likelihood: MEDIUM
impact: LOW
confidence: LOW
category: security
cwe:
- "CWE-346: Origin Validation Error"
owasp:
- A07:2021 - Identification and Authentication Failures
references:
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
technology:
- web
subcategory:
- vuln
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
languages:
- javascript
patterns:
- pattern: |
$APP.options('*', cors(...))
Examples
header_cors_star.js
const express = require('express');
const app = express();
// ruleid:generic_cors
app.options('*', cors())
app.get('/', function (req, res) {
res.set(ffff)
});
app.get('/', function (req, res) {
var y = 1;
var x = '*';
//sgrep bug - https://github.com/returntocorp/sgrep/issues/512
// ruleid:express_cors
res.writeHead(200, { 'Access-Control-Allow-Origin': '*' });
// ruleid:express_cors
res.set('access-control-allow-origin', '*');
//do not match - sgrep bug -rewrite-rule
res.set('Access-Control-Allow-Origin', 'google.com');
// ruleid:express_cors
res.set('Access-Control-Allow-Origin', '*');
// ruleid:express_cors
res.set({
'Content-Length': 123,
'access-control-allow-origin': '*',
'ETag': '12345'
})
// ruleid:express_cors
res.writeHead(200, { 'Access-Control-Allow-Origin': '*' })
// ruleid:express_cors
res.set('access-control-allow-origin', x);
// do not detect - sgrep bug
res.set('access-control-allow-origin', 'xyz.com');
//do not detect - sgrep bug
res.set('access-control-allow-origin', null);
});
Short Link: https://sg.run/kXje