Merged CorsPermissiveConfig to CorsMisconfigurationForCredentials

Napalys · Napalys · commit 3e8f32c7e7a6 · 2025-08-19T09:55:26.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll
@@ -1,14 +1,15 @@
 /**
  * Provides default sources, sinks and sanitizers for reasoning about
- * CORS misconfiguration for credentials transfer, as well as
- * extension points for adding your own.
+ * CORS misconfiguration for credentials transfer and overly permissive CORS configurations,
+ * as well as extension points for adding your own.
  */
 
 import javascript
+private import semmle.javascript.frameworks.Cors
 
 module CorsMisconfigurationForCredentials {
   /**
-   * A data flow source for CORS misconfiguration for credentials transfer.
+   * A data flow source for CORS misconfiguration for credentials transfer and overly permissive CORS configurations.
    */
   abstract class Source extends DataFlow::Node { }
 
@@ -75,4 +76,58 @@ module CorsMisconfigurationForCredentials {
       this.asExpr().mayHaveStringValue("null")
     }
   }
+
+  /** An overly permissive value for `origin` (Apollo) */
+  class TrueNullValue extends Source {
+    TrueNullValue() { this.mayHaveBooleanValue(true) or this.asExpr() instanceof NullLiteral }
+  }
+
+  /** An overly permissive value for `origin` (Express) */
+  class WildcardValue extends Source {
+    WildcardValue() { this.mayHaveStringValue("*") }
+  }
+
+  /**
+   * The value of cors origin when initializing the application.
+   */
+  class CorsApolloServer extends Sink, DataFlow::ValueNode {
+    CorsApolloServer() {
+      exists(API::NewNode agql |
+        agql = ModelOutput::getATypeNode("ApolloServer").getAnInstantiation() and
+        this =
+          agql.getOptionArgument(0, "cors").getALocalSource().getAPropertyWrite("origin").getRhs()
+      )
+    }
+
+    override Http::HeaderDefinition getCredentialsHeader() { none() }
+  }
+
+  /**
+   * The value of cors origin when initializing the application.
+   */
+  class ExpressCors extends Sink, DataFlow::ValueNode {
+    ExpressCors() {
+      exists(CorsConfiguration config | this = config.getCorsConfiguration().getOrigin())
+    }
+
+    override Http::HeaderDefinition getCredentialsHeader() { none() }
+  }
+
+  /**
+   * An express route setup configured with the `cors` package.
+   */
+  class CorsConfiguration extends DataFlow::MethodCallNode {
+    Cors::Cors corsConfig;
+
+    CorsConfiguration() {
+      exists(Express::RouteSetup setup | this = setup |
+        if setup.isUseCall()
+        then corsConfig = setup.getArgument(0)
+        else corsConfig = setup.getArgument(any(int i | i > 0))
+      )
+    }
+
+    /** Gets the expression that configures `cors` on this route setup. */
+    Cors::Cors getCorsConfiguration() { result = corsConfig }
+  }
 }
diff --git a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
@@ -1,6 +1,6 @@
 /**
  * @name CORS misconfiguration for credentials transfer
- * @description Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.
+ * @description Misconfiguration of CORS HTTP headers allows for leaks of secret credentials and CSRF attacks.
  * @kind path-problem
  * @problem.severity error
  * @security-severity 7.5
@@ -18,6 +18,5 @@ import CorsMisconfigurationFlow::PathGraph
 
 from CorsMisconfigurationFlow::PathNode source, CorsMisconfigurationFlow::PathNode sink
 where CorsMisconfigurationFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "$@ leak vulnerability due to a $@.",
-  sink.getNode().(Sink).getCredentialsHeader(), "Credential", source.getNode(),
-  "misconfigured CORS header value"
+select sink.getNode(), source, sink, 
+  "CORS misconfiguration due to a $@.", source.getNode(), "permissive or user controlled value"
diff --git a/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected
@@ -1,15 +1,46 @@
 #select
-| tst.js:13:50:13:55 | origin | tst.js:12:28:12:34 | req.url | tst.js:13:50:13:55 | origin | $@ leak vulnerability due to a $@. | tst.js:14:5:14:59 | res.set ... , true) | Credential | tst.js:12:28:12:34 | req.url | misconfigured CORS header value |
-| tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | $@ leak vulnerability due to a $@. | tst.js:19:5:19:59 | res.set ... , true) | Credential | tst.js:18:50:18:53 | null | misconfigured CORS header value |
-| tst.js:23:50:23:55 | "null" | tst.js:23:50:23:55 | "null" | tst.js:23:50:23:55 | "null" | $@ leak vulnerability due to a $@. | tst.js:24:5:24:59 | res.set ... , true) | Credential | tst.js:23:50:23:55 | "null" | misconfigured CORS header value |
+| apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | CORS misconfiguration due to a $@. | apollo-test.js:11:25:11:28 | true | permissive or user controlled value |
+| apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | CORS misconfiguration due to a $@. | apollo-test.js:21:25:21:28 | null | permissive or user controlled value |
+| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:26:25:26:35 | user_origin | CORS misconfiguration due to a $@. | apollo-test.js:8:33:8:39 | req.url | permissive or user controlled value |
+| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:42:8:45 | true | apollo-test.js:26:25:26:35 | user_origin | CORS misconfiguration due to a $@. | apollo-test.js:8:42:8:45 | true | permissive or user controlled value |
+| express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | CORS misconfiguration due to a $@. | express-test.js:26:17:26:19 | '*' | permissive or user controlled value |
+| express-test.js:33:17:33:27 | user_origin | express-test.js:10:33:10:39 | req.url | express-test.js:33:17:33:27 | user_origin | CORS misconfiguration due to a $@. | express-test.js:10:33:10:39 | req.url | permissive or user controlled value |
+| express-test.js:33:17:33:27 | user_origin | express-test.js:10:42:10:45 | true | express-test.js:33:17:33:27 | user_origin | CORS misconfiguration due to a $@. | express-test.js:10:42:10:45 | true | permissive or user controlled value |
+| tst.js:13:50:13:55 | origin | tst.js:12:28:12:34 | req.url | tst.js:13:50:13:55 | origin | CORS misconfiguration due to a $@. | tst.js:12:28:12:34 | req.url | permissive or user controlled value |
+| tst.js:13:50:13:55 | origin | tst.js:12:37:12:40 | true | tst.js:13:50:13:55 | origin | CORS misconfiguration due to a $@. | tst.js:12:37:12:40 | true | permissive or user controlled value |
+| tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | CORS misconfiguration due to a $@. | tst.js:18:50:18:53 | null | permissive or user controlled value |
+| tst.js:23:50:23:55 | "null" | tst.js:23:50:23:55 | "null" | tst.js:23:50:23:55 | "null" | CORS misconfiguration due to a $@. | tst.js:23:50:23:55 | "null" | permissive or user controlled value |
 edges
+| apollo-test.js:8:9:8:59 | user_origin | apollo-test.js:26:25:26:35 | user_origin | provenance |  |
+| apollo-test.js:8:23:8:46 | url.par ... , true) | apollo-test.js:8:9:8:59 | user_origin | provenance |  |
+| apollo-test.js:8:33:8:39 | req.url | apollo-test.js:8:23:8:46 | url.par ... , true) | provenance |  |
+| apollo-test.js:8:42:8:45 | true | apollo-test.js:8:23:8:46 | url.par ... , true) | provenance |  |
+| express-test.js:10:9:10:59 | user_origin | express-test.js:33:17:33:27 | user_origin | provenance |  |
+| express-test.js:10:23:10:46 | url.par ... , true) | express-test.js:10:9:10:59 | user_origin | provenance |  |
+| express-test.js:10:33:10:39 | req.url | express-test.js:10:23:10:46 | url.par ... , true) | provenance |  |
+| express-test.js:10:42:10:45 | true | express-test.js:10:23:10:46 | url.par ... , true) | provenance |  |
 | tst.js:12:9:12:54 | origin | tst.js:13:50:13:55 | origin | provenance |  |
 | tst.js:12:18:12:41 | url.par ... , true) | tst.js:12:9:12:54 | origin | provenance |  |
 | tst.js:12:28:12:34 | req.url | tst.js:12:18:12:41 | url.par ... , true) | provenance |  |
+| tst.js:12:37:12:40 | true | tst.js:12:18:12:41 | url.par ... , true) | provenance |  |
 nodes
+| apollo-test.js:8:9:8:59 | user_origin | semmle.label | user_origin |
+| apollo-test.js:8:23:8:46 | url.par ... , true) | semmle.label | url.par ... , true) |
+| apollo-test.js:8:33:8:39 | req.url | semmle.label | req.url |
+| apollo-test.js:8:42:8:45 | true | semmle.label | true |
+| apollo-test.js:11:25:11:28 | true | semmle.label | true |
+| apollo-test.js:21:25:21:28 | null | semmle.label | null |
+| apollo-test.js:26:25:26:35 | user_origin | semmle.label | user_origin |
+| express-test.js:10:9:10:59 | user_origin | semmle.label | user_origin |
+| express-test.js:10:23:10:46 | url.par ... , true) | semmle.label | url.par ... , true) |
+| express-test.js:10:33:10:39 | req.url | semmle.label | req.url |
+| express-test.js:10:42:10:45 | true | semmle.label | true |
+| express-test.js:26:17:26:19 | '*' | semmle.label | '*' |
+| express-test.js:33:17:33:27 | user_origin | semmle.label | user_origin |
 | tst.js:12:9:12:54 | origin | semmle.label | origin |
 | tst.js:12:18:12:41 | url.par ... , true) | semmle.label | url.par ... , true) |
 | tst.js:12:28:12:34 | req.url | semmle.label | req.url |
+| tst.js:12:37:12:40 | true | semmle.label | true |
 | tst.js:13:50:13:55 | origin | semmle.label | origin |
 | tst.js:18:50:18:53 | null | semmle.label | null |
 | tst.js:23:50:23:55 | "null" | semmle.label | "null" |
diff --git a/javascript/ql/test/query-tests/Security/CWE-346/apollo-test.js b/javascript/ql/test/query-tests/Security/CWE-346/apollo-test.js
@@ -5,10 +5,10 @@ var https = require('https'),
 var server = https.createServer(function () { });
 
 server.on('request', function (req, res) {
-    let user_origin = url.parse(req.url, true).query.origin; // $ MISSING: Source
+    let user_origin = url.parse(req.url, true).query.origin; // $ Source
     // BAD: CORS too permissive
     const server_1 = new ApolloServer({
-        cors: { origin: true } // $ MISSING: Alert
+        cors: { origin: true } // $ Alert
     });
 
     // GOOD: restrictive CORS 
@@ -18,11 +18,11 @@ server.on('request', function (req, res) {
 
     // BAD: CORS too permissive 
     const server_3 = new ApolloServer({
-        cors: { origin: null } // $ MISSING: Alert
+        cors: { origin: null } // $ Alert
     });
 
     // BAD: CORS is controlled by user
     const server_4 = new ApolloServer({
-        cors: { origin: user_origin } // $ MISSING: Alert
+        cors: { origin: user_origin } // $ Alert
     });
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-346/express-test.js b/javascript/ql/test/query-tests/Security/CWE-346/express-test.js
@@ -7,7 +7,7 @@ var https = require('https'),
 var server = https.createServer(function () { });
 
 server.on('request', function (req, res) {
-    let user_origin = url.parse(req.url, true).query.origin; // $ MISSING: Source
+    let user_origin = url.parse(req.url, true).query.origin; // $ Source
 
     // BAD: CORS too permissive, default value is *
     var app1 = express();
@@ -23,14 +23,14 @@ server.on('request', function (req, res) {
     // BAD: CORS too permissive 
     var app3 = express();
     var corsOption3 = {
-        origin: '*' // $ MISSING: Alert
+        origin: '*' // $ Alert
     };
     app3.use(cors(corsOption3));
 
     // BAD: CORS is controlled by user
     var app4 = express();
     var corsOption4 = {
-        origin: user_origin // $ MISSING: Alert
+        origin: user_origin // $ Alert
     };
     app4.use(cors(corsOption4));
 });
