Merge pull request #17305 from Kwstubbs/CORSMiddleware-Starlette

Python: Add Support for CORS Middlewares

python/ql/test/experimental/meta/ConceptsTest.qll

@@ -632,13 +632,27 @@ module XmlParsingTest implements TestSig {
   }
 }
 
+module CorsMiddlewareTest implements TestSig {
+  string getARelevantTag() { result = "CorsMiddleware" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(Http::Server::CorsMiddleware cm |
+      location = cm.getLocation() and
+      element = cm.toString() and
+      value = cm.getMiddlewareName().toString() and
+      tag = "CorsMiddleware"
+    )
+  }
+}
+
 import MakeTest<MergeTests5<MergeTests5<SystemCommandExecutionTest, DecodingTest, EncodingTest, LoggingTest,
     CodeExecutionTest>,
   MergeTests5<SqlConstructionTest, SqlExecutionTest, XPathConstructionTest, XPathExecutionTest,
     EscapingTest>,
   MergeTests5<HttpServerRouteSetupTest, HttpServerRequestHandlerTest, HttpServerHttpResponseTest,
     HttpServerHttpRedirectResponseTest,
-    MergeTests<HttpServerCookieWriteTest, HttpResponseHeaderWriteTest>>,
+    MergeTests3<HttpServerCookieWriteTest, HttpResponseHeaderWriteTest, CorsMiddlewareTest>>,
   MergeTests5<FileSystemAccessTest, FileSystemWriteAccessTest, PathNormalizationTest,
     SafeAccessCheckTest, PublicKeyGenerationTest>,
   MergeTests5<CryptographicOperationTest, HttpClientRequestTest, CsrfProtectionSettingTest,

python/ql/test/library-tests/frameworks/fastapi/middleware.py

@@ -0,0 +1,10 @@
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+
+app = FastAPI()
+
+origins = [
+    "*"
+]
+
+app.add_middleware(CORSMiddleware, allow_origins=origins, allow_credentials=True, allow_methods=["*"], allow_headers=["*"]) # $ CorsMiddleware=CORSMiddleware               

python/ql/test/library-tests/frameworks/starlette/Middleware.py

@@ -0,0 +1,11 @@
+from starlette.applications import Starlette
+from starlette.middleware import Middleware
+from starlette.middleware.cors import CORSMiddleware
+
+routes = ...
+
+middleware = [
+    Middleware(CORSMiddleware, allow_origins=['*'], allow_credentials=True)  # $ CorsMiddleware=CORSMiddleware
+]
+
+app = Starlette(routes=routes, middleware=middleware)

python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/CorsMisconfigurationMiddleware.expected

@@ -0,0 +1,2 @@
+| fastapi.py:10:1:16:1 | ControlFlowNode for Attribute() | This CORS middleware uses a vulnerable configuration that allows arbitrary websites to make authenticated cross-site requests |
+| starlette.py:8:5:8:75 | ControlFlowNode for Middleware() | This CORS middleware uses a vulnerable configuration that allows arbitrary websites to make authenticated cross-site requests |

python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/CorsMisconfigurationMiddleware.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-942/CorsMisconfigurationMiddleware.ql

python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/fastapi.py

@@ -0,0 +1,21 @@
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+
+app = FastAPI()
+
+origins = [
+    "*"
+]
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=origins,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+
+@app.get("/")
+async def main():
+    return {"message": "Hello World"}

python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/starlette.py

@@ -0,0 +1,11 @@
+from starlette.applications import Starlette
+from starlette.middleware import Middleware
+from starlette.middleware.cors import CORSMiddleware
+
+routes = ...
+
+middleware = [
+    Middleware(CORSMiddleware, allow_origins=['*'], allow_credentials=True)
+]
+
+app = Starlette(routes=routes, middleware=middleware)