typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard


Unescaped '.' character in CORS domain regex $CORS: $PATTERN


Definition

rules:
  - id: cors-regex-wildcard
    message: "Unescaped '.' character in CORS domain regex $CORS: $PATTERN"
    metadata:
      cwe:
        - "CWE-183: Permissive List of Allowed Inputs"
      category: security
      technology:
        - cors
      owasp:
        - A04:2021 - Insecure Design
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      subcategory:
        - audit
      # Audit rule: low-confidence heuristic on regex source text, meant for
      # review rather than blocking CI (likelihood/impact/confidence all LOW).
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation
    languages:
      - ts
    severity: WARNING
    patterns:
      # Candidate sites: a regex literal assigned directly to a variable, or
      # appearing anywhere inside an array literal assigned to one. Regexes
      # built with `new RegExp(...)` are not covered by these patterns.
      - pattern-either:
          - pattern: $CORS = [...,/$PATTERN/,...]
          - pattern: $CORS = /$PATTERN/
      # Report the regex literal itself, not the whole assignment.
      - focus-metavariable: $PATTERN
      # Matches regex source containing at least two '.' characters where the
      # later one is not preceded by a backslash. Why it matters: an unescaped
      # '.' in a hostname regex matches any character, so an origin check built
      # on it accepts more hosts than the author intended.
      # NOTE(review): in the first half, `(?<!\\).\.`, the lookbehind sits
      # before an arbitrary character rather than before the dot, so the first
      # dot may itself be escaped. Illustrative reading: `foo\.bar.com` appears
      # to be reported, while `foo.bar\.com` and a single unescaped dot such as
      # `foo.com` appear not to be — TODO confirm against the test fixtures.
      - metavariable-regex:
          metavariable: $PATTERN
          regex: .+?(?<!\\).\..+(?<!\\)\..+
      # Only variables whose name contains "cors" (case-insensitive) are
      # reported; the same literals held in e.g. `urls` are ignored.
      - metavariable-regex:
          metavariable: $CORS
          regex: (?i)cors

Examples

cors-regex-wildcard.tsx

// Semgrep fixture for cors-regex-wildcard: the variable name contains "cors",
// so every regex literal in the array is a candidate. Keep each "ruleid"
// comment directly above the literal it annotates — semgrep's test convention
// binds the annotation to the following line.
const corsDomains = [
  /localhost\:/, // no '.' at all, never reported
  /(.+\.)*foo\.com$/, // every literal dot escaped
  /(.+\.)*foobar\.com$/, // matches *.foobar.com,
  // ruleid: cors-regex-wildcard
  /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/, // unescaped '.' before biz, baz, foobar, com: each matches any character
  /^(http|https):\/\/www\.bar\.com$/, // escaped dots, not reported
  // ruleid: cors-regex-wildcard
  /^(http|https):\/\/www.foo.com$/, // unescaped '.' before foo and com
];

// Same fixture with an upper-case name: the rule's `(?i)cors` name check is
// case-insensitive, so the same two literals are expected to be reported.
const CORS = [
  /localhost\:/,
  /(.+\.)*foo\.com$/,
  /(.+\.)*foobar\.com$/, // matches *.foobar.com,
  // ruleid: cors-regex-wildcard
  /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/, // unescaped '.' before biz, baz, foobar, com
  /^(http|https):\/\/www\.bar\.com$/,
  // ruleid: cors-regex-wildcard
  /^(http|https):\/\/www.foo.com$/, // unescaped '.' before foo and com
];

// Direct-assignment form (`$CORS = /$PATTERN/`) rather than an array entry.
// ruleid: cors-regex-wildcard
const corsOrigin = /^(http|https):\/\/www.foo.com$/; // unescaped '.' before foo and com

// Negative case: identical literals, but the variable name does not contain
// "cors", so the rule's $CORS name check excludes all of them.
const urls = [
  /localhost\:/,
  /(.+\.)*foo\.com$/,
  /(.+\.)*foobar\.com$/, // matches *.foobar.com,
  /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/, // would be reported under a "cors" name
  /^(http|https):\/\/www\.bar\.com$/,
  /^(http|https):\/\/www.foo.com$/, // would be reported under a "cors" name
];