Add support for vulnerable CORS middlewares

2026-04-25 16:55:19 +02:00 · 2024-08-26 21:30:48 -07:00
parent e81fdc951a
commit 8bf8893307
11 changed files with 337 additions and 0 deletions
--- a/python/ql/src/experimental/Security/CWE-942/CorsMisconfigurationMiddleware.qhelp
+++ b/python/ql/src/experimental/Security/CWE-942/CorsMisconfigurationMiddleware.qhelp
@@ -0,0 +1,64 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+	Web browsers, by default, disallow cross-origin resource sharing via direct HTTP requests (i.e. using a JavaScript HTTP client).
+	Still, to satisfy some needs that arose with the growth of the web, an expedient was created to make exceptions possible.
+	CORS (Cross-origin resource sharing) is a mechanism that allows resources of a web endpoint (let's call it "Peer A")
+	to be accessed from another web page belonging to a different domain ("Peer B").
+</p>
+<p>
+	For that to happen, Peer A needs to make available its CORS configuration via special headers on the desired endpoint
+	via the OPTIONS method.
+</p>
+<p>
+	This configuration can also allow the inclusion of cookies on the cross-origin request,
+	(i.e. when the <code>Access-Control-Allow-Credentials</code> header is set to true) 
+	meaning that Peer B can send a request to Peer A that will include the cookies as if the request was executed by the user.
+</p>
+<p>
+	That can have dangerous effects if Peer B origin is not restricted correctly. 
+	An example of a dangerous scenario is when <code>Access-Control-Allow-Origin</code> header is set to a value gotten from the Peer B's request 
+	(and not correctly validated), or is set to special values such as <code>*</code> or <code>null</code>. 
+	The above values can allow any Peer B to send requests to the misconfigured Peer A on behalf of the user.
+</p>
+<p>
+	Example scenario:
+	User is client of a bank that has its API misconfigured to accept CORS requests from any domain.
+	When the user loads an evil page, the evil page sends a request to the bank's API to transfer all funds
+	to evil party's account.
+	Given that the user was already logged in to the bank website, and had its session cookies set,
+	the evil party's request succeeds.
+</p>
+</overview>
+<recommendation>
+<p>
+	When configuring CORS that allow credentials passing,
+	it's best not to use user-provided values for the allowed origins response header,
+	especially if the cookies grant session permissions on the user's account.
+</p>
+<p>
+	It also can be very dangerous to set the allowed origins to <code>null</code> (which can be bypassed).
+</p>
+</recommendation>
+<example>
+<p>
+	The first example shows a few possible CORS misconfiguration cases:
+</p>
+<sample src="CorsMisconfigurationMiddlewareBad.py"/>
+<p>
+	The second example show better configurations:
+</p>
+<sample src="CorsMisconfigurationMiddlewareGood.py"/>
+</example>
+<references>
+<li>
+	Reference 1: <a href="https://portswigger.net/web-security/cors">PortSwigger Web Security Academy on CORS</a>.
+</li>
+<li>
+	Reference 2: <a href="https://www.youtube.com/watch?v=wgkj4ZgxI4c">AppSec EU 2017 Exploiting CORS Misconfigurations For Bitcoins And Bounties by James Kettle</a>.
+</li>
+</references>
+</qhelp>
--- a/python/ql/src/experimental/Security/CWE-942/CorsMisconfigurationMiddleware.ql
+++ b/python/ql/src/experimental/Security/CWE-942/CorsMisconfigurationMiddleware.ql
@@ -0,0 +1,36 @@
+/**
+ * @name SOP protection weak with credentials
+ * @description Disabling or weakening SOP protection may make the application
+ *              vulnerable to a CORS attack.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.8
+ * @precision high
+ * @id py/insecure-cors-setting
+ * @tags security
+ *       external/cwe/cwe-352
+ */
+
+ import python
+ import semmle.python.Concepts
+ private import semmle.python.dataflow.new.DataFlow
+ predicate containsStar(DataFlow::Node array){
+     (array.asExpr() instanceof List and 
+     array.asExpr().getASubExpression().(StringLiteral).getText().matches("*")) or
+     (array.asExpr().(StringLiteral).getText().matches(["*", "null"]))
+
+ }
+ 
+ predicate isCorsMiddleware(Http::Server::CorsMiddleware middleware){
+     middleware.middleware_name().matches("CORSMiddleware")
+ }
+ 
+ predicate credentialsAllowed(Http::Server::CorsMiddleware  middleware){
+     middleware.allowed_credentials().asExpr() instanceof True
+ }
+ 
+ from Http::Server::CorsMiddleware a
+ where credentialsAllowed(a) and 
+ containsStar(a.allowed_origins().getALocalSource()) and
+ isCorsMiddleware(a)
+ select a, "This CORS middleware uses a vulnerable configuration that leaves it open to attacks from arbitrary websites"
--- a/python/ql/src/experimental/Security/CWE-942/CorsMisconfigurationMiddlewareBad.py
+++ b/python/ql/src/experimental/Security/CWE-942/CorsMisconfigurationMiddlewareBad.py
@@ -0,0 +1,21 @@
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+
+app = FastAPI()
+
+origins = [
+    "*"
+]
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=origins,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+
+@app.get("/")
+async def main():
+    return {"message": "Hello World"}
--- a/python/ql/src/experimental/Security/CWE-942/CorsMisconfigurationMiddlewareGood.py
+++ b/python/ql/src/experimental/Security/CWE-942/CorsMisconfigurationMiddlewareGood.py
@@ -0,0 +1,24 @@
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+
+app = FastAPI()
+
+origins = [
+    "http://localhost.tiangolo.com",
+    "https://localhost.tiangolo.com",
+    "http://localhost",
+    "http://localhost:8080",
+]
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=origins,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+
+@app.get("/")
+async def main():
+    return {"message": "Hello World"}