Merge pull request #20146 from Napalys/js/move-cors-query-from-experimental

JS: Move cors-misconfiguration query from experimental to Security
2026-04-28 02:05:14 +02:00 · 2025-09-08 09:32:38 +02:00
parent 66379deadd b2feaaceea
commit 8c34b7eaea
25 changed files with 287 additions and 379 deletions
--- a/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.qlref
+++ b/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.qlref
@@ -1 +0,0 @@
-./experimental/Security/CWE-942/CorsPermissiveConfiguration.ql
--- a/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.expected
+++ b/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.expected
@@ -1,3 +1,12 @@
+#select
+| apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | CORS Origin allows broad access due to $@. | apollo-test.js:11:25:11:28 | true | permissive or user controlled value |
+| apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | CORS Origin allows broad access due to $@. | apollo-test.js:21:25:21:28 | null | permissive or user controlled value |
+| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:26:25:26:35 | user_origin | CORS Origin allows broad access due to $@. | apollo-test.js:8:33:8:39 | req.url | permissive or user controlled value |
+| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:42:8:45 | true | apollo-test.js:26:25:26:35 | user_origin | CORS Origin allows broad access due to $@. | apollo-test.js:8:42:8:45 | true | permissive or user controlled value |
+| express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | CORS Origin allows broad access due to $@. | express-test.js:26:17:26:19 | '*' | permissive or user controlled value |
+| express-test.js:33:17:33:27 | user_origin | express-test.js:10:33:10:39 | req.url | express-test.js:33:17:33:27 | user_origin | CORS Origin allows broad access due to $@. | express-test.js:10:33:10:39 | req.url | permissive or user controlled value |
+| express-test.js:33:17:33:27 | user_origin | express-test.js:10:42:10:45 | true | express-test.js:33:17:33:27 | user_origin | CORS Origin allows broad access due to $@. | express-test.js:10:42:10:45 | true | permissive or user controlled value |
+| express-test.js:48:17:48:19 | '*' | express-test.js:48:17:48:19 | '*' | express-test.js:48:17:48:19 | '*' | CORS Origin allows broad access due to $@. | express-test.js:48:17:48:19 | '*' | permissive or user controlled value |
 edges
 | apollo-test.js:8:9:8:19 | user_origin | apollo-test.js:26:25:26:35 | user_origin | provenance |  |
 | apollo-test.js:8:9:8:19 | user_origin | apollo-test.js:26:25:26:35 | user_origin | provenance |  |
@@ -6,8 +15,11 @@ edges
 | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:8:23:8:46 | url.par ... , true) | provenance |  |
 | apollo-test.js:8:42:8:45 | true | apollo-test.js:8:23:8:46 | url.par ... , true) | provenance |  |
 | express-test.js:10:9:10:19 | user_origin | express-test.js:33:17:33:27 | user_origin | provenance |  |
+| express-test.js:10:9:10:19 | user_origin | express-test.js:33:17:33:27 | user_origin | provenance |  |
+| express-test.js:10:23:10:46 | url.par ... , true) | express-test.js:10:9:10:19 | user_origin | provenance |  |
 | express-test.js:10:23:10:46 | url.par ... , true) | express-test.js:10:9:10:19 | user_origin | provenance |  |
 | express-test.js:10:33:10:39 | req.url | express-test.js:10:23:10:46 | url.par ... , true) | provenance |  |
+| express-test.js:10:42:10:45 | true | express-test.js:10:23:10:46 | url.par ... , true) | provenance |  |
 nodes
 | apollo-test.js:8:9:8:19 | user_origin | semmle.label | user_origin |
 | apollo-test.js:8:9:8:19 | user_origin | semmle.label | user_origin |
@@ -20,15 +32,13 @@ nodes
 | apollo-test.js:26:25:26:35 | user_origin | semmle.label | user_origin |
 | apollo-test.js:26:25:26:35 | user_origin | semmle.label | user_origin |
 | express-test.js:10:9:10:19 | user_origin | semmle.label | user_origin |
+| express-test.js:10:9:10:19 | user_origin | semmle.label | user_origin |
+| express-test.js:10:23:10:46 | url.par ... , true) | semmle.label | url.par ... , true) |
 | express-test.js:10:23:10:46 | url.par ... , true) | semmle.label | url.par ... , true) |
 | express-test.js:10:33:10:39 | req.url | semmle.label | req.url |
+| express-test.js:10:42:10:45 | true | semmle.label | true |
 | express-test.js:26:17:26:19 | '*' | semmle.label | '*' |
 | express-test.js:33:17:33:27 | user_origin | semmle.label | user_origin |
+| express-test.js:33:17:33:27 | user_origin | semmle.label | user_origin |
+| express-test.js:48:17:48:19 | '*' | semmle.label | '*' |
 subpaths
-#select
-| apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | CORS Origin misconfiguration due to a $@. | apollo-test.js:11:25:11:28 | true | too permissive or user controlled value |
-| apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | CORS Origin misconfiguration due to a $@. | apollo-test.js:21:25:21:28 | null | too permissive or user controlled value |
-| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:33:8:39 | req.url | too permissive or user controlled value |
-| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:42:8:45 | true | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:42:8:45 | true | too permissive or user controlled value |
-| express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | CORS Origin misconfiguration due to a $@. | express-test.js:26:17:26:19 | '*' | too permissive or user controlled value |
-| express-test.js:33:17:33:27 | user_origin | express-test.js:10:33:10:39 | req.url | express-test.js:33:17:33:27 | user_origin | CORS Origin misconfiguration due to a $@. | express-test.js:10:33:10:39 | req.url | too permissive or user controlled value |
--- a/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE-942/CorsPermissiveConfiguration.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/javascript/ql/test/experimental/Security/CWE-942/apollo-test.js
+++ b/javascript/ql/test/experimental/Security/CWE-942/apollo-test.js
@@ -5,10 +5,10 @@ var https = require('https'),
 var server = https.createServer(function () { });

 server.on('request', function (req, res) {
-    let user_origin = url.parse(req.url, true).query.origin;
+    let user_origin = url.parse(req.url, true).query.origin; // $ Source
    // BAD: CORS too permissive
    const server_1 = new ApolloServer({
-        cors: { origin: true }
+        cors: { origin: true } // $ Alert
    });

    // GOOD: restrictive CORS 
@@ -18,11 +18,11 @@ server.on('request', function (req, res) {

    // BAD: CORS too permissive 
    const server_3 = new ApolloServer({
-        cors: { origin: null }
+        cors: { origin: null } // $ Alert
    });

    // BAD: CORS is controlled by user
    const server_4 = new ApolloServer({
-        cors: { origin: user_origin }
+        cors: { origin: user_origin } // $ Alert
    });
 });
--- a/javascript/ql/test/experimental/Security/CWE-942/express-test.js
+++ b/javascript/ql/test/experimental/Security/CWE-942/express-test.js
@@ -7,7 +7,7 @@ var https = require('https'),
 var server = https.createServer(function () { });

 server.on('request', function (req, res) {
-    let user_origin = url.parse(req.url, true).query.origin;
+    let user_origin = url.parse(req.url, true).query.origin; // $ Source

    // BAD: CORS too permissive, default value is *
    var app1 = express();
@@ -23,14 +23,30 @@ server.on('request', function (req, res) {
    // BAD: CORS too permissive 
    var app3 = express();
    var corsOption3 = {
-        origin: '*'
+        origin: '*' // $ Alert
    };
    app3.use(cors(corsOption3));

    // BAD: CORS is controlled by user
    var app4 = express();
    var corsOption4 = {
-        origin: user_origin
+        origin: user_origin // $ Alert
    };
    app4.use(cors(corsOption4));
+
+    // GOOD: CORS allows any origin but credentials are disabled (safe pattern)
+    var app5 = express();
+    var corsOption5 = {
+        origin: '*',
+        credentials: false
+    };
+    app5.use(cors(corsOption5));
+
+    // BAD: CORS allows any origin with credentials enabled
+    var app6 = express();
+    var corsOption6 = {
+        origin: '*',       // $ Alert  
+        credentials: true
+    };
+    app6.use(cors(corsOption6));
 });
				`@@ -1 +0,0 @@`
				`./experimental/Security/CWE-942/CorsPermissiveConfiguration.ql`