|
| 1 | +/** |
| 2 | + * @name Cors header being set from remote source |
| 3 | + * @description Cors header is being set from remote source, allowing to control the origin. |
| 4 | + * @kind path-problem |
| 5 | + * @problem.severity error |
| 6 | + * @precision high |
| 7 | + * @id java/unvalidated-cors-origin-set |
| 8 | + * @tags security |
| 9 | + * external/cwe/cwe-346 |
| 10 | + */ |
| 11 | + |
| 12 | +import java |
| 13 | +import semmle.code.java.dataflow.FlowSources |
| 14 | +import semmle.code.java.frameworks.Servlets |
| 15 | +import semmle.code.java.dataflow.TaintTracking |
| 16 | +import DataFlow::PathGraph |
| 17 | + |
| 18 | +// Check for Access-Control-Allow-Credentials as well, this ensures fair chances of exploitability. |
| 19 | +predicate satisfyAllowCredentials(MethodAccess header, MethodAccess check) { |
| 20 | + header.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() = |
| 21 | + "access-control-allow-credentials" and |
| 22 | + header.getArgument(1).(CompileTimeConstantExpr).getStringValue() = "true" and |
| 23 | + header.getEnclosingCallable() = check.getEnclosingCallable() |
| 24 | +} |
| 25 | + |
| 26 | +predicate checkAccessControlAllowOriginHeader(Expr expr) { |
| 27 | + expr.(CompileTimeConstantExpr).getStringValue().toLowerCase() = "access-control-allow-origin" |
| 28 | +} |
| 29 | + |
| 30 | +class CorsOriginConfig extends TaintTracking::Configuration { |
| 31 | + CorsOriginConfig() { this = "CORSOriginConfig" } |
| 32 | + |
| 33 | + override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } |
| 34 | + |
| 35 | + override predicate isSink(DataFlow::Node sink) { |
| 36 | + exists(ResponseSetHeaderMethod h, MethodAccess m | |
| 37 | + m = h.getAReference() and |
| 38 | + checkAccessControlAllowOriginHeader(m.getArgument(0)) and |
| 39 | + satisfyAllowCredentials(h.getAReference(), m) and |
| 40 | + sink.asExpr() = m.getArgument(1) |
| 41 | + ) |
| 42 | + or |
| 43 | + exists(ResponseAddHeaderMethod a, MethodAccess m | |
| 44 | + m = a.getAReference() and |
| 45 | + checkAccessControlAllowOriginHeader(m.getArgument(0)) and |
| 46 | + satisfyAllowCredentials(a.getAReference(), m) and |
| 47 | + sink.asExpr() = m.getArgument(1) |
| 48 | + ) |
| 49 | + } |
| 50 | +} |
| 51 | + |
| 52 | +from DataFlow::PathNode source, DataFlow::PathNode sink, CorsOriginConfig conf |
| 53 | +where conf.hasFlowPath(source, sink) |
| 54 | +select sink.getNode(), source, sink, "Cors header is being set using user controlled value $@.", |
| 55 | + source.getNode(), "user-provided value" |
0 commit comments