typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any


The Access-Control-Allow-Origin response header is set to "*", which allows any origin to read the response and so disables the CORS Same-Origin Policy restrictions.


Definition

rules:
  # Audit-level rule: reports NestJS code that makes the Access-Control-Allow-Origin
  # response header a wildcard ("*"), either per route via @Header() or app-wide
  # via the CORS options given to NestFactory.create() / enableCors().
  - id: nestjs-header-cors-any
    message: Access-Control-Allow-Origin response header is set to "*". This will
      disable CORS Same Origin Policy restrictions.
    metadata:
      cwe:
        - "CWE-183: Permissive List of Allowed Inputs"
      asvs:
        section: "V14: Configuration Verification Requirements"
        control_id: 14.4.8 Permissive CORS
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v144-http-security-headers-requirements
        version: "4"
      category: security
      technology:
        - nestjs
      owasp:
        - A04:2021 - Insecure Design
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      subcategory:
        - audit
      # LOW/LOW/LOW: the finding is a configuration smell to review, not a
      # confirmed bug; a wildcard origin can be the intended setting for a
      # public, unauthenticated API. Triage against what the endpoint returns.
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation
    languages:
      - typescript
    severity: WARNING
    # Any one of the patterns below yields a finding. Only literal values are
    # matched: an origin built at runtime (env var, callback) is not covered,
    # and neither is `origin: true`, which reflects the request origin and is
    # comparably permissive - consider that a known gap when triaging.
    pattern-either:
      # Per-route header set with NestJS's @Header() decorator. The header name
      # is matched case-insensitively by the regex (so 'access-control-allow-origin'
      # is caught too); the header value must be the literal '*'.
      - pattern: >
          class $CN {
              @Header("=~/[Aa][Cc][Cc][Ee][Ss][Ss]-[Cc][Oo][Nn][Tt][Rr][Oo][Ll]-[Aa][Ll][Ll][Oo][Ww]-[Oo][Rr][Ii][Gg][Ii][Nn]/", '*')
              $FN(...) {
                  ...
              }
          }
      # App-wide CORS with NestJS's default options; the rule treats the
      # defaults as equivalent to an explicit origin '*'.
      - pattern: |
          NestFactory.create($MODULE, {cors: true})
      # Explicit wildcard origin at application creation.
      - pattern: |
          NestFactory.create($MODULE, {cors: {origin: '*'}})
      # enableCors() without options: default options, treated like origin '*'.
      - pattern: |
          $APP.enableCors()
      # enableCors() with an explicit wildcard origin.
      - pattern: |
          $APP.enableCors({origin: '*'})

Examples

nestjs-header-cors-any.ts

import { Controller, Get, Header } from '@nestjs/common';
import { NestFactory } from '@nestjs/core';
import { AppService } from './app.service';
import { AppModule } from './app.module';

/**
 * Semgrep test fixture for `nestjs-header-cors-any`: passes `{cors: true}` to
 * `NestFactory.create`, i.e. CORS with NestJS's default options, which the
 * rule treats like an explicit `origin: '*'`. The `ruleid` annotation must
 * stay on the line directly above the flagged call.
 */
async function bootstrap1() {
  // ruleid:nestjs-header-cors-any
  const app = await NestFactory.create(AppModule, {cors: true});
  await app.listen(3000);
}

/**
 * Semgrep test fixture for `nestjs-header-cors-any`: calls `enableCors()` with
 * no options after creating the app. The rule flags the bare call because the
 * default options are treated like an explicit `origin: '*'`. The `ruleid`
 * annotation must stay on the line directly above the flagged call.
 */
async function bootstrap2() {
  const app = await NestFactory.create(AppModule);
  // ruleid:nestjs-header-cors-any
  app.enableCors();
  await app.listen(3000);
}

/**
 * Semgrep test fixture for `nestjs-header-cors-any`: the wildcard origin is
 * spelled out in the CORS options passed to `NestFactory.create`, which the
 * rule matches literally. The `ruleid` annotation must stay on the line
 * directly above the flagged call.
 */
async function bootstrap3() {
  // ruleid:nestjs-header-cors-any
  const app = await NestFactory.create(AppModule, {cors: {origin: '*'}});
  await app.listen(3000);
}

/**
 * Semgrep test fixture for `nestjs-header-cors-any`: an explicit wildcard
 * origin handed to `enableCors()`, matched literally by the rule. The `ruleid`
 * annotation must stay on the line directly above the flagged call.
 */
async function bootstrap4() {
  const app = await NestFactory.create(AppModule);
  // ruleid:nestjs-header-cors-any
  app.enableCors({origin: '*'});
  await app.listen(3000);
}

/**
 * Negative Semgrep test fixture for `nestjs-header-cors-any`: a specific
 * origin string is not a wildcard, so the rule must stay silent here (`ok`
 * annotation). NOTE(review): a real `Origin` request header carries a scheme
 * (e.g. `https://...`), so a bare hostname like this is a fixture value, not a
 * working allow-list entry - presumably intentional for the test.
 */
async function bootstrap5() {
  const app = await NestFactory.create(AppModule);
  // ok:nestjs-header-cors-any
  app.enableCors({origin: 'google.com'});
  await app.listen(3000);
}

/**
 * Semgrep test fixture for `nestjs-header-cors-any`: a route-level
 * `@Header('Access-Control-Allow-Origin', '*')` makes the handler's response
 * readable by any origin, so the rule reports this class. The `ruleid`
 * annotation must stay directly above the decorated class.
 */
// ruleid:nestjs-header-cors-any
@Controller()
export class AppController1 {
  constructor(private readonly appService: AppService) {}

  // Canonical header-name casing with the literal '*' value; matched by the
  // rule's case-insensitive header regex.
  @Get()
  @Header('Access-Control-Allow-Origin', '*')
  testCtrl1(): string {
    return this.appService.getHello();
  }

}

/**
 * Semgrep test fixture for `nestjs-header-cors-any`: same wildcard header as
 * AppController1 but with a lower-case header name. HTTP header names are
 * case-insensitive, and the rule's regex accounts for that, so this class
 * must still be reported. The `ruleid` annotation must stay directly above
 * the decorated class.
 */
// ruleid:nestjs-header-cors-any
@Controller()
export class AppController2 {
  constructor(private readonly appService: AppService) {}

  // Lower-case header name; exercises the case-insensitive branch of the regex.
  @Get()
  @Header('access-control-allow-origin', '*')
  testCtrl2(): string {
    return this.appService.getHello();
  }
}

/**
 * Negative Semgrep test fixture for `nestjs-header-cors-any`: the header is
 * set to a specific origin rather than '*', so the rule must not report this
 * class (`ok` annotation). NOTE(review): as in bootstrap5, the bare hostname
 * is a fixture value rather than a usable origin, which always includes a
 * scheme - presumably intentional for the test.
 */
// ok:nestjs-header-cors-any
@Controller()
export class AppController3 {
  constructor(private readonly appService: AppService) {}

  // Non-wildcard value; the rule's pattern requires the literal '*'.
  @Get()
  @Header('Access-Control-Allow-Origin', 'google.com')
  testCtrlOk(): string {
    return this.appService.getHello();
  }
}