WIP: Python: CORS Bypass

This PR adds a query to detect a Cross Origin Resource Sharing(CORS) policy bypass due to an incorrect check. This PR attempts to detect the vulnerability pattern found in CVE-2022-3457 ```python if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']: origin = request.headers.get('Origin', None) if origin and not origin.startswith(request.base): raise cherrypy.HTTPError(403, 'Unexpected Origin header') ``` In this case, a value obtained from a header is compared using `startswith` call. This comparision is easily bypassed resulting in a CORS bypass. Given that similar bugs have been found in other languages as well, I think this PR would be a great addition to the exisitng python query pack. The databases for CVE-2022-3457 can be downloaded from ``` https://filetransfer.io/data-package/i4Mfepls#link https://file.io/V67T4SSgmExF ```
2026-04-28 10:15:14 +02:00 · 2024-06-24 03:40:15 +05:30
parent ffab199ea8
commit f86570f6e7
7 changed files with 174 additions and 0 deletions
--- a/python/ql/test/experimental/query-tests/Security/CWE-346/Cors.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-346/Cors.py
@@ -0,0 +1,17 @@
+import cherrypy
+
+def bad():
+    request = cherrypy.request
+    validCors = "domain.com"
+    if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
+        origin = request.headers.get('Origin', None)
+        if origin.startswith(validCors):
+            print("Origin Valid")
+
+def good():
+    request = cherrypy.request
+    validOrigin = "domain.com"
+    if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
+        origin = request.headers.get('Origin', None)
+        if origin == validOrigin:
+            print("Origin Valid")
--- a/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected
@@ -0,0 +1,13 @@
+edges
+| Cors.py:7:9:7:14 | ControlFlowNode for origin | Cors.py:8:12:8:17 | ControlFlowNode for origin | provenance |  |
+| Cors.py:7:18:7:32 | ControlFlowNode for Attribute | Cors.py:7:18:7:52 | ControlFlowNode for Attribute() | provenance | Config |
+| Cors.py:7:18:7:32 | ControlFlowNode for Attribute | Cors.py:7:18:7:52 | ControlFlowNode for Attribute() | provenance | dict.get |
+| Cors.py:7:18:7:52 | ControlFlowNode for Attribute() | Cors.py:7:9:7:14 | ControlFlowNode for origin | provenance |  |
+nodes
+| Cors.py:7:9:7:14 | ControlFlowNode for origin | semmle.label | ControlFlowNode for origin |
+| Cors.py:7:18:7:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| Cors.py:7:18:7:52 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| Cors.py:8:12:8:17 | ControlFlowNode for origin | semmle.label | ControlFlowNode for origin |
+subpaths
+#select
+| Cors.py:8:12:8:17 | ControlFlowNode for origin | Cors.py:7:18:7:32 | ControlFlowNode for Attribute | Cors.py:8:12:8:17 | ControlFlowNode for origin | Potentially incorrect string comparison which could lead to a CORS bypass. |
--- a/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-346/CorsBypass.ql
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-346/CorsBypass.ql`