javascript.express.security.cors-misconfiguration.cors-misconfiguration

Author: semgrep

By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.

Definition

rules:
  - id: cors-misconfiguration
    message: By letting user input control CORS parameters, there is a risk that
      software does not properly verify that the source of data or communication
      is valid. Use literal values for CORS settings.
    metadata:
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-346: Origin Validation Error"
      category: security
      references:
        - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
      technology:
        - express
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - javascript
      - typescript
    severity: WARNING
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern-inside: function ... ($REQ, $RES) {...}
              - pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
              - patterns:
                  - pattern-either:
                      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...})
                      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})
                  - metavariable-regex:
                      metavariable: $METHOD
                      regex: ^(get|post|put|head|delete|options)$
          - pattern-either:
              - pattern: $REQ.query
              - pattern: $REQ.body
              - pattern: $REQ.params
              - pattern: $REQ.cookies
              - pattern: $REQ.headers
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>
                  {...}
              - pattern-inside: |
                  ({ $REQ }: Request,$RES: Response) => {...}
          - focus-metavariable: $REQ
          - pattern-either:
              - pattern: params
              - pattern: query
              - pattern: cookies
              - pattern: headers
              - pattern: body
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: $RES.set($HEADER, $X)
              - pattern: $RES.header($HEADER, $X)
              - pattern: $RES.setHeader($HEADER, $X)
              - pattern: |
                  $RES.set({$HEADER: $X}, ...)
              - pattern: |
                  $RES.writeHead($STATUS, {$HEADER: $X}, ...)
          - focus-metavariable: $X
          - metavariable-regex:
              metavariable: $HEADER
              regex: .*(Access-Control-Allow-Origin|access-control-allow-origin).*

Examples

cors-misconfiguration.js

const express = require('express');

const app = express();

app.get('/test1', function (req, res) {
    const origin = req.query.origin;
    // ruleid: cors-misconfiguration
    res.writeHead(200, { 'Access-Control-Allow-Origin': origin });
});

app.get('/test2', function (req, res) {
    res.set({
        'Content-Length': 123,
        // ruleid: cors-misconfiguration
        'access-control-allow-origin': req.body.origin,
        'ETag': '12345'
    })
});

app.get('/test3', function (req, res) {
    let origin = req.query.origin
    // ruleid: cors-misconfiguration
    res.set('access-control-allow-origin', origin)
});

app.get('/okTest1', function (req, res) {
    foobar()
    // ok: cors-misconfiguration
    res.set('access-control-allow-origin', 'xyz.com')
});
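The description and the `ruleid`/`ok` cases above show the two ends of the spectrum: a header built from `req.*` and a header set to a literal. The following added example (written for this page, not part of the semgrep rule or its test file) puts the reflected-origin handler next to a suffix-match variant that is just as unsafe, and next to an allowlist handler that sets the header from the allowlist's own literal rather than from the request. `req` and `res` are minimal stand-ins constructed here so the file runs without Express; the handler bodies would be the same under Express, whose `res.set(name, value)` the stand-in mimics. The allowlist entries and sample origins are assumed values.

```javascript
// Added example, not the rule's own test file. Minimal response stand-in:
// Express's res.set(name, value), with header names stored lower-case.
function makeRes() {
  const headers = {};
  return {
    headers,
    set(name, value) {
      headers[String(name).toLowerCase()] = String(value);
      return this;
    },
  };
}

// 1. Reflection, the pattern the rule flags: whatever Origin the client sent is
// echoed back. Combined with Allow-Credentials, any site can make the victim's
// browser send cookies to this endpoint and read the authenticated response.
function reflectOrigin(req, res) {
  res.set('Access-Control-Allow-Origin', req.headers.origin);
  res.set('Access-Control-Allow-Credentials', 'true');
  return res.headers;
}

// 2. Suffix check: looks like validation but still derives the header from user
// input, and `https://attacker-example.com` ends with `example.com` too.
function suffixCheckOrigin(req, res, trustedSuffix = 'example.com') {
  const origin = req.headers.origin;
  if (typeof origin === 'string' && origin.endsWith(trustedSuffix)) {
    res.set('Access-Control-Allow-Origin', origin);
    res.set('Access-Control-Allow-Credentials', 'true');
  }
  return res.headers;
}

// 3. Allowlist of literal full origins (scheme + host + port), exact match only.
// Assumed values for this example. The literal string "null" (sent by sandboxed
// iframes and some redirect chains) is deliberately not in the set.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

function allowlistOrigin(req, res, allowlist = ALLOWED_ORIGINS) {
  const requested = req.headers.origin;
  for (const allowed of allowlist) {
    if (allowed === requested) {
      // Echo the allowlist's own literal, never the request value, so nothing
      // derived from `req` reaches res.set.
      res.set('Access-Control-Allow-Origin', allowed);
      res.set('Access-Control-Allow-Credentials', 'true');
      res.set('Vary', 'Origin'); // response depends on Origin; keep shared caches from mixing them
      break;
    }
  }
  // Unknown origin: no ACAO header at all, so the browser blocks the cross-origin read.
  return res.headers;
}

// Run one handler against a constructed request and return the ACAO header it produced.
function acaoFor(handler, origin) {
  const req = { headers: origin === undefined ? {} : { origin } };
  return handler(req, makeRes())['access-control-allow-origin'];
}

// Constructed origins: one legitimate, two look-alikes, and the "null" origin.
const SAMPLE_ORIGINS = [
  'https://app.example.com',
  'https://attacker-example.com',
  'https://example.com.attacker.net',
  'null',
];

// Returns, per handler, which of the sample origins would be granted access.
function compareHandlers() {
  const handlers = { reflectOrigin, suffixCheckOrigin, allowlistOrigin };
  const granted = {};
  for (const [name, handler] of Object.entries(handlers)) {
    granted[name] = SAMPLE_ORIGINS.filter((o) => acaoFor(handler, o) === o);
  }
  return granted;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareHandlers());
}
```

Two things to keep in mind when reading results from this rule. First, it is a taint rule with no `pattern-sanitizers`, so a handler that validates `req.headers.origin` against an allowlist and then echoes the request value is still reported; the allowlist handler above avoids that by setting the header from the allowlist entry, which also matches the rule's advice to use literal values. Second, the sources are `req.query`, `req.body`, `req.params`, `req.cookies` and `req.headers` (and the destructured forms), so a handler that reads the origin through `req.get('Origin')` or `req.header('Origin')` is not covered by this rule as written and needs a manual check.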