Wildcard origin does not allow Access-Control-Allow-Credentials: true

This commit is contained in:
Slavomir
2021-06-05 10:40:28 +02:00
parent 4662358b8d
commit 824b5a4b52
6 changed files with 12 additions and 80 deletions


@@ -40,7 +40,7 @@
especially if the cookies grant session permissions on the user's account.
</p>
<p>
It also can be very dangerous to set the allowed origins to <code>*</code> or <code>null</code> (which can be bypassed).
It also can be very dangerous to set the allowed origins to <code>null</code> (which can be bypassed).
</p>
</recommendation>
<example>


@@ -92,11 +92,11 @@ predicate flowsFromUntrustedToAllowOrigin(HTTP::HeaderWrite allowOriginHW, strin
/**
* Holds if the provided `allowOriginHW` HeaderWrite is for a `Access-Control-Allow-Origin`
* header and the value is set to `*` or `null`.
* header and the value is set to `null`.
*/
predicate allowOriginIsWildcardOrNull(HTTP::HeaderWrite allowOriginHW, string message) {
predicate allowOriginIsNull(HTTP::HeaderWrite allowOriginHW, string message) {
allowOriginHW.getHeaderName() = headerAllowOrigin() and
allowOriginHW.getHeaderValue().toLowerCase() = ["*", "null"] and
allowOriginHW.getHeaderValue().toLowerCase() = "null" and
message =
headerAllowOrigin() + " header is set to `" + allowOriginHW.getHeaderValue() + "`, and " +
headerAllowCredentials() + " is set to `true`"
@@ -108,7 +108,7 @@ where
(
flowsFromUntrustedToAllowOrigin(allowOriginHW, message)
or
allowOriginIsWildcardOrNull(allowOriginHW, message)
allowOriginIsNull(allowOriginHW, message)
) and
not exists(ControlFlow::ConditionGuardNode cgn |
cgn.ensures(any(AllowedFlag f).getAFlag().getANode(), _)
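Review bot: The QLDoc on the renamed predicate `allowOriginIsNull` (L25-L29) now only states that the value is `null`, but records nothing about why the `*` case was dropped, so a later maintainer comparing it against the `null` bypass wording in the qhelp is likely to re-add the wildcard. A short rationale in the QLDoc would prevent that: ` * A wildcard `*` origin is deliberately not matched: browsers refuse to honour` / ` * `Access-Control-Allow-Credentials: true` when `Access-Control-Allow-Origin` is `*`.` Note that the predicate body continues past the end of the first hunk (its closing brace is not shown), and the `where` clause in the second hunk starts before it.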


@@ -4,17 +4,7 @@ import "net/http"
func main() {}
// bad is an example of a bad implementation
func bad1() {
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// BAD: all origins are allowed,
// and Access-Control-Allow-Credentials is set to 'true'.
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Credentials", "true")
})
}
func bad2() {
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// BAD: 'null' origin is allowed,
// and Access-Control-Allow-Credentials is set to 'true'.
@@ -23,7 +13,7 @@ func bad2() {
})
}
func bad3() {
func bad2() {
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// BAD: the `Access-Control-Allow-Origin` header is set using a user-defined value,
// and `Access-Control-Allow-Credentials` is set to 'true':
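Review bot: The doc comment `// bad is an example of a bad implementation` at L52 is removed together with `bad1`, and neither the `null`-origin handler at L61 nor the handler renamed from `bad3` to `bad2` at L69 has a replacement, so the example file no longer says what it demonstrates. A one-line comment on each surviving function, e.g. `// bad2 is an example of a bad implementation: the origin is reflected from the request while credentials are allowed.`, would restore that. Separately, L61 still reads `func bad2()` in this view while L69 renames `bad3` to `bad2`; if the page has merely dropped a rename of L61 to `bad1` this is fine, otherwise the file declares `bad2` twice and will not compile. Both hunks cut through function bodies, so the full functions are not visible here.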


@@ -2,26 +2,7 @@ package main
import "net/http"
// good1 is an example of a good implementation
func good1() {
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// OK-ish: all origins are allowed,
// but Access-Control-Allow-Credentials is not set.
w.Header().Set("Access-Control-Allow-Origin", "*")
})
}
func good2() {
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// OK-ish: all origins are allowed,
// and some write methods are allowed,
// BUT `Access-Control-Allow-Credentials` is not set:
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "GET,POST,PUT")
})
}
func good3() {
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// OK-ish: the `Access-Control-Allow-Origin` header is set using a user-defined value,
// BUT `Access-Control-Allow-Credentials` is set to 'false':
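Review bot: The comment `// good1 is an example of a good implementation` at L78 appears to survive the hunk while `good1` itself (L79-L85) is deleted, leaving it attached to whichever function follows; it should be renamed to match that function or removed. Dropping both wildcard examples (`good1`, `good2`) also removes the only statement in the "good" file that `Access-Control-Allow-Origin: *` without credentials is acceptable; keeping one of them, with its `// OK-ish` comment reworded to say browsers will not send credentials to a wildcard origin, would keep the guidance readable. The function that follows the removed lines starts at L95 and its body runs past the end of the hunk.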


@@ -1,8 +1,5 @@
| CorsMisconfiguration.go:15:4:15:53 | call to Set | access-control-allow-origin header is set to `*`, and access-control-allow-credentials is set to `true` |
| CorsMisconfiguration.go:21:4:21:41 | call to Set | access-control-allow-origin header is set to `*`, and access-control-allow-credentials is set to `true` |
| CorsMisconfiguration.go:41:4:41:56 | call to Set | access-control-allow-origin header is set to `null`, and access-control-allow-credentials is set to `true` |
| CorsMisconfiguration.go:47:4:47:42 | call to Set | access-control-allow-origin header is set to `null`, and access-control-allow-credentials is set to `true` |
| CorsMisconfiguration.go:68:4:68:53 | call to Set | access-control-allow-origin header is set to `*`, and access-control-allow-credentials is set to `true` |
| CorsMisconfiguration.go:86:4:86:44 | call to Set | access-control-allow-origin header is set to a user-defined value, and access-control-allow-credentials is set to `true` |
| CorsMisconfiguration.go:93:4:93:56 | call to Set | access-control-allow-origin header is set to a user-defined value, and access-control-allow-credentials is set to `true` |
| CorsMisconfiguration.go:100:5:100:57 | call to Set | access-control-allow-origin header is set to a user-defined value, and access-control-allow-credentials is set to `true` |
| CorsMisconfiguration.go:23:4:23:56 | call to Set | access-control-allow-origin header is set to `null`, and access-control-allow-credentials is set to `true` |
| CorsMisconfiguration.go:29:4:29:42 | call to Set | access-control-allow-origin header is set to `null`, and access-control-allow-credentials is set to `true` |
| CorsMisconfiguration.go:50:4:50:44 | call to Set | access-control-allow-origin header is set to a user-defined value, and access-control-allow-credentials is set to `true` |
| CorsMisconfiguration.go:57:4:57:56 | call to Set | access-control-allow-origin header is set to a user-defined value, and access-control-allow-credentials is set to `true` |
| CorsMisconfiguration.go:64:5:64:57 | call to Set | access-control-allow-origin header is set to a user-defined value, and access-control-allow-credentials is set to `true` |


@@ -9,24 +9,6 @@ const (
func main() {
{
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// BAD: all origins are allowed,
// and Access-Control-Allow-Credentials is set to 'true'.
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Credentials", "true")
})
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// BAD: all origins are allowed,
// and `Access-Control-Allow-Credentials` is set to 'true':
w.Header().Set(HeaderAllowOrigin, "*")
w.Header().Set("Access-Control-Allow-Credentials", "true")
})
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// OK: all origins are allowed,
// but Access-Control-Allow-Credentials is set to 'false'.
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Credentials", "false")
})
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// OK: all origins are allowed,
// but Access-Control-Allow-Credentials is not set.
@@ -60,24 +42,6 @@ func main() {
})
}
{
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// BAD: all origins are allowed,
// and some write methods are allowed,
// and `Access-Control-Allow-Credentials` is set to 'true':
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "GET,POST,PUT")
w.Header().Set("Access-Control-Allow-Credentials", "true")
})
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// OK: all origins are allowed,
// and some write methods are allowed,
// BUT `Access-Control-Allow-Credentials` is not set:
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "GET,POST,PUT")
})
}
{
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
// BAD: the `Access-Control-Allow-Origin` header is set using a user-defined value,
@@ -149,8 +113,8 @@ func main() {
w.Header().Set("Access-Control-Allow-Origin", "*")
} else if allowedHost {
w.Header().Set("Access-Control-Allow-Origin", origin)
w.Header().Set(HeaderAllowCredentials, "true")
}
w.Header().Set(HeaderAllowCredentials, "true")
})
}
}
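Review bot: In the last hunk the two identical lines `w.Header().Set(HeaderAllowCredentials, "true")` at L170 and L172 differ only in position, and this view does not show which side is old, so it is unclear whether the credentials header now sits inside the `else if allowedHost` branch or after the whole `if`. If it has been moved after the `if`, the handler sends `Access-Control-Allow-Credentials: true` together with the `*` origin set at L167, which the query no longer reports; that case deserves an explicit comment such as `// OK: credentials with a wildcard origin are rejected by browsers, so this is not reported.` so the test documents the intended non-alert rather than looking like an oversight. The enclosing `func main()` starts before this hunk, and the earlier hunks in this section cut through handler bodies as well.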