php.lang.security.php-permissive-cors.php-permissive-cors

Author
unknown
The Access-Control-Allow-Origin response header is set to "*", so a page from any origin may read this response cross-origin. This relaxes the browser's same-origin policy for the response rather than disabling it: browsers refuse to attach credentials (cookies, HTTP authentication) to a request whose response carries a wildcard origin, so what is exposed is data that is reachable without browser credentials or that is protected by something other than a cookie, such as a token in the URL or network position (an intranet service reached from a victim's browser). Note that the rule's regex requires a literal "*"; an endpoint that reflects the request Origin back unchecked is the more dangerous variant and is not flagged here.
Definition
rules:
  - id: php-permissive-cors
    patterns:
      - pattern: header($VALUE,...)
      - pattern-either:
          - pattern: header("...",...)
          - pattern-inside: |
              $VALUE = "...";
              ...
      - metavariable-regex:
          metavariable: $VALUE
          regex: (\'|\")\s*(Access-Control-Allow-Origin|access-control-allow-origin)\s*:\s*(\*)\s*(\'|\")
    message: Access-Control-Allow-Origin response header is set to "*". This will
      disable CORS Same Origin Policy restrictions.
    metadata:
      references:
        - https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-346: Origin Validation Error"
      category: security
      technology:
        - php
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - php
    severity: WARNING
Examples
php-permissive-cors.php
<?php
namespace testing;
// ruleid: php-permissive-cors
header("Access-Control-Allow-Origin: *");
// ruleid: php-permissive-cors
// Whitespace around the "*" is absorbed by the \s* groups in the regex.
header("Access-Control-Allow-Origin:* ");
// todoruleid: php-permissive-cors
// PHP function names are case-insensitive, so Header() is the same call as
// header(), but the rule does not currently match this spelling (hence todoruleid).
Header("access-control-allow-origin: *");
// ok: php-permissive-cors
// The regex requires the header value to be exactly "*", so this is not flagged.
header("Access-Control-Allow-Origin: *something*");
// ok: php-permissive-cors
// Different header name; the regex only matches Access-Control-Allow-Origin.
header("Other-Property: *");
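The following is an added example, not part of the rule's own test file: the wildcard call the rule flags, beside an allowlist-based replacement that only echoes the request Origin when it matches an entry exactly. The origin list, function names and the `$_SERVER['HTTP_ORIGIN']` wiring at the bottom are assumptions for illustration; adjust the allowlist to your deployment.

```php
<?php
// Added example (not from the Semgrep rule or its test file).

// Flagged by php-permissive-cors: any origin may read the response.
function cors_wildcard(): void
{
    header("Access-Control-Allow-Origin: *");
}

// Hardened variant. The allowlist below is an assumed, illustrative list.
const ALLOWED_ORIGINS = [
    'https://app.example.com',
    'https://admin.example.com',
];

// Returns the origin that was granted access, or null when no CORS headers
// were emitted (same-origin request, non-browser client, or a rejected origin).
function cors_allowlist(?string $origin): ?string
{
    if ($origin === null) {
        return null; // no Origin header: nothing to grant
    }
    // Exact, case-sensitive comparison against full origins. Do not use
    // str_contains()/strpos() or an unanchored regex: an attacker-controlled
    // "https://app.example.com.attacker.net" must not pass, and the literal
    // string "null" (sent by sandboxed iframes and file:// pages) must not
    // be treated as trusted either.
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return null;
    }
    header("Access-Control-Allow-Origin: $origin");
    header("Access-Control-Allow-Credentials: true");
    // The response now depends on the Origin request header; tell shared
    // caches so one origin's response is not served to another.
    header("Vary: Origin");
    return $origin;
}

// Wiring for a request handler (assumed): grant access only to listed origins.
$granted = cors_allowlist($_SERVER['HTTP_ORIGIN'] ?? null);
if ($granted === null && isset($_SERVER['HTTP_ORIGIN'])) {
    // Rejected cross-origin request: emit no CORS headers at all. The browser
    // will block the read; do not "fall back" to a wildcard here.
}
```

Because the hardened version emits no `Access-Control-Allow-Origin` header for unlisted origins and never writes a literal `*`, it is not matched by the rule's regex, while `cors_wildcard()` still is.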
Short Link: https://sg.run/y1XR