typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any
semgrep
Author
161
Download Count*
License
Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
Run Locally
Run in CI
Defintion
rules:
- id: nestjs-header-cors-any
message: Access-Control-Allow-Origin response header is set to "*". This will
disable CORS Same Origin Policy restrictions.
metadata:
cwe:
- "CWE-183: Permissive List of Allowed Inputs"
asvs:
section: "V14: Configuration Verification Requirements"
control_id: 14.4.8 Permissive CORS
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v144-http-security-headers-requirements
version: "4"
category: security
technology:
- nestjs
owasp:
- A04:2021 - Insecure Design
references:
- https://owasp.org/Top10/A04_2021-Insecure_Design
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Validation
languages:
- typescript
severity: WARNING
pattern-either:
- pattern: >
class $CN {
@Header("=~/[Aa][Cc][Cc][Ee][Ss][Ss]-[Cc][Oo][Nn][Tt][Rr][Oo][Ll]-[Aa][Ll][Ll][Oo][Ww]-[Oo][Rr][Ii][Gg][Ii][Nn]/", '*')
$FN(...) {
...
}
}
- pattern: |
NestFactory.create($MODULE, {cors: true})
- pattern: |
NestFactory.create($MODULE, {cors: {origin: '*'}})
- pattern: |
$APP.enableCors()
- pattern: |
$APP.enableCors({origin: '*'})
Examples
nestjs-header-cors-any.ts
import { Controller, Get, Header } from '@nestjs/common';
import { NestFactory } from '@nestjs/core';
import { AppService } from './app.service';
import { AppModule } from './app.module';
async function bootstrap1() {
// ruleid:nestjs-header-cors-any
const app = await NestFactory.create(AppModule, {cors: true});
await app.listen(3000);
}
async function bootstrap2() {
const app = await NestFactory.create(AppModule);
// ruleid:nestjs-header-cors-any
app.enableCors();
await app.listen(3000);
}
async function bootstrap3() {
// ruleid:nestjs-header-cors-any
const app = await NestFactory.create(AppModule, {cors: {origin: '*'}});
await app.listen(3000);
}
async function bootstrap4() {
const app = await NestFactory.create(AppModule);
// ruleid:nestjs-header-cors-any
app.enableCors({origin: '*'});
await app.listen(3000);
}
async function bootstrap5() {
const app = await NestFactory.create(AppModule);
// ok:nestjs-header-cors-any
app.enableCors({origin: 'google.com'});
await app.listen(3000);
}
// ruleid:nestjs-header-cors-any
@Controller()
export class AppController1 {
constructor(private readonly appService: AppService) {}
@Get()
@Header('Access-Control-Allow-Origin', '*')
testCtrl1(): string {
return this.appService.getHello();
}
}
// ruleid:nestjs-header-cors-any
@Controller()
export class AppController2 {
constructor(private readonly appService: AppService) {}
@Get()
@Header('access-control-allow-origin', '*')
testCtrl2(): string {
return this.appService.getHello();
}
}
// ok:nestjs-header-cors-any
@Controller()
export class AppController3 {
constructor(private readonly appService: AppService) {}
@Get()
@Header('Access-Control-Allow-Origin', 'google.com')
testCtrlOk(): string {
return this.appService.getHello();
}
}
Short Link: https://sg.run/ljBL