php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors


The Access-Control-Allow-Origin response header is set to "*", which allows any origin to read the response and so disables the CORS Same-Origin Policy restrictions.


Definition

# Flags Symfony responses that set Access-Control-Allow-Origin to "*", either
# through the Response constructor's third (headers) argument or through a
# headers->set() call.
rules:
  - id: symfony-permissive-cors
    patterns:
      # Only consider files that import the Symfony Response class, so that
      # the `new Response(...)` pattern below refers to that class.
      - pattern-inside: |
          use Symfony\Component\HttpFoundation\Response;
          ...
      # Two sinks: the constructor's headers argument (first branch) or a
      # headers->set() call on any object (second branch).
      - pattern-either:
          # Sink 1: a Response constructed with a headers argument that is either
          # an inline array literal or a variable previously assigned one.
          - patterns:
              - pattern-either:
                  - pattern: >
                      new Symfony\Component\HttpFoundation\Response($X, $Y,
                      $HEADERS, ...)
                  - pattern: new Response($X, $Y, $HEADERS, ...)
              - pattern-either:
                  # Both patterns in this `patterns` group must match the same
                  # call, so `$R` is effectively the Response class named above.
                  # NOTE(review): `[$KEY => $VALUE]` is a one-element array; a
                  # headers array that also carries other entries would
                  # presumably not match — confirm against semgrep's PHP
                  # array matching.
                  - pattern: new $R($X, $Y, [$KEY => $VALUE], ...)
                  # $HEADERS is bound by the constructor pattern above, so this
                  # ties the flagged call to the assignment of that variable.
                  - pattern-inside: |
                      $HEADERS = [$KEY => $VALUE];
                      ...
          # Sink 2: any headers->set(KEY, VALUE) call; $RES is not constrained
          # to be a Response instance.
          - patterns:
              - pattern: $RES->headers->set($KEY, $VALUE)
      # The header name, with whitespace inside the quotes tolerated.
      # NOTE(review): only the canonical and the all-lowercase spellings are
      # listed; HTTP header names are case-insensitive, so other casings
      # (e.g. ACCESS-CONTROL-ALLOW-ORIGIN) would not be flagged — confirm
      # whether a case-insensitive match is intended.
      - metavariable-regex:
          metavariable: $KEY
          regex: (\'|\")\s*(Access-Control-Allow-Origin|access-control-allow-origin)\s*(\'|\")
      # The header value must be a quoted "*", again with whitespace tolerated.
      - metavariable-regex:
          metavariable: $VALUE
          regex: (\'|\")\s*(\*)\s*(\'|\")
    message: Access-Control-Allow-Origin response header is set to "*". This will
      disable CORS Same Origin Policy restrictions.
    metadata:
      references:
        # NOTE(review): this links the Russian-locale MDN page; the en-US
        # locale of the same article may be the better default reference.
        - https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
      owasp:
        # NOTE(review): a permissive CORS header is often also categorised as
        # Security Misconfiguration (A05:2021) — confirm the intended mapping.
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-346: Origin Validation Error"
      category: security
      technology:
        - symfony
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - php
    severity: WARNING

Examples

symfony-permissive-cors.php

<?php
// Semgrep test fixture for the symfony-permissive-cors rule: each "ruleid:"
// annotation marks the next line as an expected finding, each "ok:" annotation
// marks the next line as an expected non-finding. The annotation must stay
// directly above the line it describes.
namespace symfony;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Response as FooResponse;

// Inline header array passed as the constructor's third argument.
// ruleid: symfony-permissive-cors
$response = new Response('content', Response::HTTP_OK, ['Access-Control-Allow-Origin' => '*']);

// Long-form Array(...) syntax is expected to be matched like the short form.
// ruleid: symfony-permissive-cors
$response = new Response('content', Response::HTTP_OK, Array('Access-Control-Allow-Origin' => '*'));

// Lower-case class name: PHP resolves class names case-insensitively, so this
// still constructs the imported Response class.
// ruleid: symfony-permissive-cors
$response = new response('content', Response::HTTP_OK, Array('Access-Control-Allow-Origin' => '*'));

// The class is referenced through the FooResponse alias imported above.
// ruleid: symfony-permissive-cors
$response = new FooResponse('content', Response::HTTP_OK, ['Access-Control-Allow-Origin' => '*']);


// Headers built in a variable first; the finding is expected on the
// constructor call, not on the assignment.
$headers = ['Access-Control-Allow-Origin' => '*'];
// ruleid: symfony-permissive-cors
$response = new Response('content', Response::HTTP_OK, $headers);


// headers->set() sink: an all-lowercase header name and padding whitespace in
// both name and value are still expected to be recognised.
// ruleid: symfony-permissive-cors
$response->headers->set('  access-control-allow-origin  ', '  *  ');



// Header array without an Access-Control-Allow-Origin entry.
$safe = ['foo' => 'bar'];
// ok: symfony-permissive-cors
$response = new Response('content', Response::HTTP_OK, $safe);

// A specific origin is not the wildcard.
// ok: symfony-permissive-cors
$response = new Response('content', Response::HTTP_OK, ['Access-Control-Allow-Origin' => 'https://www.example.com']);

// Wildcard value on an unrelated header.
// ok: symfony-permissive-cors
$response = new Response('content', Response::HTTP_OK, ['Other-Property' => '*']);

// Foo is not the Symfony Response class.
// ok: symfony-permissive-cors
$response = new Foo('content', Response::HTTP_OK, ['Access-Control-Allow-Origin' => '*']);

// Non-wildcard value via headers->set().
// ok: symfony-permissive-cors
$response->headers->set('Access-Control-Allow-Origin', 'foo');

// Wildcard value on an unrelated header via headers->set().
// ok: symfony-permissive-cors
$response->headers->set('Other-Property', '*');