Move CORS misconfiguration query from experimental to Security

javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.expected

@@ -0,0 +1,34 @@
+edges
+| apollo-test.js:8:9:8:59 | user_origin | apollo-test.js:26:25:26:35 | user_origin | provenance |  |
+| apollo-test.js:8:9:8:59 | user_origin | apollo-test.js:26:25:26:35 | user_origin | provenance |  |
+| apollo-test.js:8:23:8:46 | url.par ... , true) | apollo-test.js:8:9:8:59 | user_origin | provenance |  |
+| apollo-test.js:8:23:8:46 | url.par ... , true) | apollo-test.js:8:9:8:59 | user_origin | provenance |  |
+| apollo-test.js:8:33:8:39 | req.url | apollo-test.js:8:23:8:46 | url.par ... , true) | provenance |  |
+| apollo-test.js:8:42:8:45 | true | apollo-test.js:8:23:8:46 | url.par ... , true) | provenance |  |
+| express-test.js:10:9:10:59 | user_origin | express-test.js:33:17:33:27 | user_origin | provenance |  |
+| express-test.js:10:23:10:46 | url.par ... , true) | express-test.js:10:9:10:59 | user_origin | provenance |  |
+| express-test.js:10:33:10:39 | req.url | express-test.js:10:23:10:46 | url.par ... , true) | provenance |  |
+nodes
+| apollo-test.js:8:9:8:59 | user_origin | semmle.label | user_origin |
+| apollo-test.js:8:9:8:59 | user_origin | semmle.label | user_origin |
+| apollo-test.js:8:23:8:46 | url.par ... , true) | semmle.label | url.par ... , true) |
+| apollo-test.js:8:23:8:46 | url.par ... , true) | semmle.label | url.par ... , true) |
+| apollo-test.js:8:33:8:39 | req.url | semmle.label | req.url |
+| apollo-test.js:8:42:8:45 | true | semmle.label | true |
+| apollo-test.js:11:25:11:28 | true | semmle.label | true |
+| apollo-test.js:21:25:21:28 | null | semmle.label | null |
+| apollo-test.js:26:25:26:35 | user_origin | semmle.label | user_origin |
+| apollo-test.js:26:25:26:35 | user_origin | semmle.label | user_origin |
+| express-test.js:10:9:10:59 | user_origin | semmle.label | user_origin |
+| express-test.js:10:23:10:46 | url.par ... , true) | semmle.label | url.par ... , true) |
+| express-test.js:10:33:10:39 | req.url | semmle.label | req.url |
+| express-test.js:26:17:26:19 | '*' | semmle.label | '*' |
+| express-test.js:33:17:33:27 | user_origin | semmle.label | user_origin |
+subpaths
+#select
+| apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | CORS Origin misconfiguration due to a $@. | apollo-test.js:11:25:11:28 | true | too permissive or user controlled value |
+| apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | CORS Origin misconfiguration due to a $@. | apollo-test.js:21:25:21:28 | null | too permissive or user controlled value |
+| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:33:8:39 | req.url | too permissive or user controlled value |
+| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:42:8:45 | true | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:42:8:45 | true | too permissive or user controlled value |
+| express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | CORS Origin misconfiguration due to a $@. | express-test.js:26:17:26:19 | '*' | too permissive or user controlled value |
+| express-test.js:33:17:33:27 | user_origin | express-test.js:10:33:10:39 | req.url | express-test.js:33:17:33:27 | user_origin | CORS Origin misconfiguration due to a $@. | express-test.js:10:33:10:39 | req.url | too permissive or user controlled value |

javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref

@@ -0,0 +1 @@
+Security/CWE-942/CorsPermissiveConfiguration.ql

javascript/ql/test/query-tests/Security/CWE-942/apollo-test.js

@@ -0,0 +1,28 @@
+import { ApolloServer } from 'apollo-server';
+var https = require('https'),
+    url = require('url');
+
+var server = https.createServer(function () { });
+
+server.on('request', function (req, res) {
+    let user_origin = url.parse(req.url, true).query.origin;
+    // BAD: CORS too permissive
+    const server_1 = new ApolloServer({
+        cors: { origin: true }
+    });
+
+    // GOOD: restrictive CORS 
+    const server_2 = new ApolloServer({
+        cors: false
+    });
+
+    // BAD: CORS too permissive 
+    const server_3 = new ApolloServer({
+        cors: { origin: null }
+    });
+
+    // BAD: CORS is controlled by user
+    const server_4 = new ApolloServer({
+        cors: { origin: user_origin }
+    });
+});

javascript/ql/test/query-tests/Security/CWE-942/express-test.js

@@ -0,0 +1,36 @@
+const cors = require('cors');
+var express = require('express');
+
+var https = require('https'),
+    url = require('url');
+
+var server = https.createServer(function () { });
+
+server.on('request', function (req, res) {
+    let user_origin = url.parse(req.url, true).query.origin;
+
+    // BAD: CORS too permissive, default value is *
+    var app1 = express();
+    app1.use(cors());
+
+    // GOOD: restrictive CORS 
+    var app2 = express();
+    var corsOptions2 = {
+        origin: ["https://example1.com", "https://example2.com"],
+    };
+    app2.use(cors(corsOptions2));
+
+    // BAD: CORS too permissive 
+    var app3 = express();
+    var corsOption3 = {
+        origin: '*'
+    };
+    app3.use(cors(corsOption3));
+
+    // BAD: CORS is controlled by user
+    var app4 = express();
+    var corsOption4 = {
+        origin: user_origin
+    };
+    app4.use(cors(corsOption4));
+});