terraform.lang.security.s3-cors-all-origins.all-origins-allowed

Author: semgrep
Downloads: 61,526

CORS rule on bucket permits any origin

Definition

rules:
  - id: all-origins-allowed
    patterns:
      - pattern-inside: cors_rule { ... }
      - pattern: allowed_origins = ["*"]
    languages:
      - hcl
    severity: WARNING
    message: CORS rule on bucket permits any origin
    metadata:
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#using-cors
      cwe:
        - "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A05:2021 - Security Misconfiguration
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation

Examples

s3-cors-all-origins.tf

resource "aws_s3_bucket" "a" {
  bucket = "s3-website-test.hashicorp.com"
  acl    = "private"

  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["PUT", "POST"]
    # ok: all-origins-allowed
    allowed_origins = ["https://s3-website-test.hashicorp.com"]
    expose_headers  = ["ETag"]
    max_age_seconds = 3000
  }
}

resource "aws_s3_bucket" "b" {
  bucket = "s3-website-test-open.hashicorp.com"
  acl    = "private"

  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["PUT", "POST"]
    # ruleid: all-origins-allowed
    allowed_origins = ["*"]
    expose_headers  = ["ETag"]
    max_age_seconds = 3000
  }
}