terraform.azure.security.azure-functionapp-disallow-cors.azure-functionapp-disallow-cors

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

ensure that CORS disallows all resources to access Function app

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: azure-functionapp-disallow-cors
    patterns:
      - pattern: |
          ["*"]
      - pattern-inside: allowed_origins = ...
      - pattern-inside: |
          $RESOURCE "azurerm_function_app" "..." {
          ...
          }
    message: ensure that CORS disallows all resources to access Function app
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A05:2021 - Security Misconfiguration
      cwe:
        - "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation

Examples

azure-functionapp-disallow-cors.tf

# fail
resource "azurerm_function_app" "example" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  site_config {
    cors {
        # ruleid: azure-functionapp-disallow-cors
        allowed_origins = ["*"]
    }
  }
}

# pass
resource "azurerm_function_app" "example" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  site_config {
    cors {
        allowed_origins = ["192.0.0.1"]
    }
  }
}

# pass
resource "azurerm_function_app" "example" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
}