gitlab.find_sec_bugs.PERMISSIVE_CORS-1


Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, cull through it, and communicate it back to the attacker. HTML5 makes it possible for JavaScript to access data across domains if a new HTTP header called Access-Control-Allow-Origin is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.


Definition

```yaml
rules:
  - id: find_sec_bugs.PERMISSIVE_CORS-1
    patterns:
      - pattern-either:
          - pattern: (HttpServletResponse $RES).setHeader("$HEADER", "$VAL")
          - pattern: (HttpServletResponse $RES).addHeader("$HEADER", "$VAL")
      - metavariable-regex:
          metavariable: $HEADER
          regex: (?i)(Access-Control-Allow-Origin)
      - metavariable-regex:
          metavariable: $VAL
          regex: (\*|null)
    message: >
      Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures
      that in order for JavaScript to access the contents of a Web page, both the
      JavaScript and the Web page must originate from the same domain. Without the
      Same Origin Policy, a malicious website could serve up JavaScript that loads
      sensitive information from other websites using a client's credentials, cull
      through it, and communicate it back to the attacker. HTML5 makes it possible
      for JavaScript to access data across domains if a new HTTP header called
      Access-Control-Allow-Origin is defined. With this header, a Web server defines
      which other domains are allowed to access its domain using cross-origin
      requests. However, caution should be taken when defining the header because
      an overly permissive CORS policy will allow a malicious application to
      communicate with the victim application in an inappropriate way, leading to
      spoofing, data theft, relay and other attacks.
    languages:
      - java
    severity: ERROR
    metadata:
      cwe: "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
      category: security
      technology:
        - java
      primary_identifier: find_sec_bugs.PERMISSIVE_CORS-1
      secondary_identifiers:
        - name: Find Security Bugs-PERMISSIVE_CORS
          type: find_sec_bugs_type
          value: PERMISSIVE_CORS
      license: MIT
```
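The following servlet filter is an added example, not code from the Semgrep registry page or from Find Security Bugs. It places the header assignment that the rule above flags (a literal `*` as the allowed origin) next to an allowlist-based alternative that the rule's literal-string pattern does not match. The class name `CorsFilter`, the `ALLOWED_ORIGINS` set and the origins in it are constructed for the example.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter applied to every request of a servlet application.
public class CorsFilter implements Filter {

    // Constructed allowlist of exact origins (scheme + host + port), compared
    // by string equality rather than prefix or regex so that a look-alike
    // host such as "https://app.example.com.evil.test" cannot pass.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
        "https://app.example.com",
        "https://admin.example.com"
    );

    // What the rule reports: $HEADER is Access-Control-Allow-Origin and $VAL is "*".
    // Browsers refuse to expose a credentialed response behind "*", but every
    // origin can read responses that need no cookie (internal or IP-allowlisted
    // services), and the literal "null" is the origin sent by sandboxed iframes
    // and file: pages, so it is no safer than "*".
    static void permissiveCors(HttpServletResponse res) {
        res.setHeader("Access-Control-Allow-Origin", "*");   // flagged by PERMISSIVE_CORS-1
    }

    // Hardened variant: echo the request's Origin only when it is on the allowlist,
    // and tell caches that the answer depends on Origin so that one origin's
    // response is never served to another. Returns whether CORS was granted.
    static boolean applyAllowlistedCors(HttpServletRequest req, HttpServletResponse res) {
        String origin = req.getHeader("Origin");
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            return false; // no CORS headers at all: the browser blocks the cross-origin read
        }
        res.setHeader("Access-Control-Allow-Origin", origin);
        res.setHeader("Vary", "Origin");
        res.setHeader("Access-Control-Allow-Credentials", "true");
        res.setHeader("Access-Control-Allow-Methods", "GET, POST");
        res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
        return true;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        boolean allowed = applyAllowlistedCors(req, res);
        // Preflight requests are answered here and never reach the application.
        if ("OPTIONS".equalsIgnoreCase(req.getMethod())) {
            res.setStatus(allowed ? HttpServletResponse.SC_NO_CONTENT
                                  : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Two points worth checking in review. First, the rule matches only a string literal in the `$VAL` position, so code that writes `req.getHeader("Origin")` straight back into `Access-Control-Allow-Origin` without consulting an allowlist is just as permissive as `*` yet produces no finding; that pattern has to be caught by code review or a taint-aware rule. Second, `Vary: Origin` belongs with any per-origin response, otherwise a shared cache can hand one origin's allow header to a different origin.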