terraform.azure.security.appservice.azure-appservice-disallowed-cors.azure-appservice-disallowed-cors

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Ensure that CORS disallows every resource to access app services

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: azure-appservice-disallowed-cors
    patterns:
      - pattern: |
          ["*"]
      - pattern-inside: allowed_origins = ...
      - pattern-inside: |
          $RESOURCE "azurerm_app_service" "..." {
          ...
          }
    message: Ensure that CORS disallows every resource to access app services
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A05:2021 - Security Misconfiguration
      cwe:
        - "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation

Examples

azure-appservice-disallowed-cors.tf

# fail
resource "azurerm_app_service" "example" {
    name                = "example-app-service"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name
    app_service_plan_id = azurerm_app_service_plan.example.id

    site_config {
    dotnet_framework_version = "v4.0"
    scm_type                 = "LocalGit"
    cors {
        # ruleid: azure-appservice-disallowed-cors
        allowed_origins = ["*"]
    }
    }

    app_settings = {
    "SOME_KEY" = "some-value"
    }

    connection_string {
    name  = "Database"
    type  = "SQLServer"
    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
    }
}

# pass
resource "azurerm_app_service" "example" {
    name                = "example-app-service"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name
    app_service_plan_id = azurerm_app_service_plan.example.id

    site_config {
    dotnet_framework_version = "v4.0"
    scm_type                 = "LocalGit"
    cors {
        allowed_origins = ["192.0.0.1"]
    }
    }

    app_settings = {
    "SOME_KEY" = "some-value"
    }

    connection_string {
    name  = "Database"
    type  = "SQLServer"
    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
    }
}

# pass
resource "azurerm_app_service" "example" {
    name                = "example-app-service"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name
    app_service_plan_id = azurerm_app_service_plan.example.id

    site_config {
    dotnet_framework_version = "v4.0"
    scm_type                 = "LocalGit"
    }

    app_settings = {
    "SOME_KEY" = "some-value"
    }

    connection_string {
    name  = "Database"
    type  = "SQLServer"
    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
    }
}