@@ -28,6 +28,14 @@ private predicate setsAllowCredentials(MethodAccess header) {
2828 header .getArgument ( 1 ) .( CompileTimeConstantExpr ) .getStringValue ( ) = "true"
2929}
3030
31+ class CorsProbableCheckAccess extends MethodAccess {
32+ CorsProbableCheckAccess ( ) {
33+ getMethod ( ) .getName ( ) = [ "contains" , "equals" ] and
34+ getMethod ( ) .getDeclaringType ( ) .getQualifiedName ( ) =
35+ [ "java.util.List<String>" , "java.util.ArrayList<String>" , "java.lang.String" ]
36+ }
37+ }
38+
3139private Expr getAccessControlAllowOriginHeaderName ( ) {
3240 result .( CompileTimeConstantExpr ) .getStringValue ( ) .toLowerCase ( ) = "access-control-allow-origin"
3341}
@@ -49,6 +57,21 @@ class CorsOriginConfig extends TaintTracking::Configuration {
4957 sink .asExpr ( ) = corsheader .getArgument ( 1 )
5058 )
5159 }
60+
61+ /*
62+ * This should ideally check, the origin being validated against a list/array-list.
63+ * or function being used to validate the origin, which has a flow from its parameter to any of the CorsProbableCheckAccess functions
64+ */
65+
66+ override predicate isSanitizer ( DataFlow:: Node node ) {
67+ node .asExpr ( ) = any ( CorsProbableCheckAccess ma ) .getAnArgument ( )
68+ or
69+ exists ( MethodAccess ma , CorsProbableCheckAccess ca |
70+ ma .getMethod ( ) .calls ( ca .getMethod ( ) ) and
71+ DataFlow:: localExprFlow ( ma .getMethod ( ) .getAParameter ( ) .getAnAccess ( ) , ca .getAnArgument ( ) ) and
72+ ( node .asExpr ( ) = ma .getAnArgument ( ) or node .asExpr ( ) = ma .getAnArgument ( ) .getAChildExpr ( ) )
73+ )
74+ }
5275}
5376
5477from DataFlow:: PathNode source , DataFlow:: PathNode sink , CorsOriginConfig conf
0 commit comments