JS: Move cors-misconfiguration query from experimental to Security #20146
Conversation
QHelp previews: javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.qhelp

Permissive CORS configuration

A server can use CORS (Cross-Origin Resource Sharing) to relax the restrictions imposed by the Same-Origin Policy, allowing controlled, secure cross-origin requests when necessary. A server with an overly permissive CORS configuration may inadvertently expose sensitive data or enable CSRF attacks, which allow attackers to trick users into performing unwanted operations on websites they're authenticated to.

Recommendation

When the `origin` option is set to `true`, the server accepts requests from any origin, which exposes it to the attacks described above. Set `origin` to `false`, or to an explicit allow list of trusted origins, instead. If the `origin` value is derived from user input, validate it against that allow list before using it; reflecting an unvalidated value is equivalent to allowing every origin.

Example

In the following example, `server_1` accepts requests from any origin because `origin` is `true`, and `server_2` takes its `origin` directly from a request parameter.

```javascript
import { ApolloServer } from 'apollo-server';
var https = require('https'),
  url = require('url');
var server = https.createServer(function () { });
server.on('request', function (req, res) {
  // BAD: origin is too permissive (true reflects any request origin)
  const server_1 = new ApolloServer({
    cors: { origin: true }
  });
  let user_origin = url.parse(req.url, true).query.origin;
  // BAD: CORS is controlled by user (unvalidated query parameter)
  const server_2 = new ApolloServer({
    cors: { origin: user_origin }
  });
});
```

To fix these issues, `server_1` sets `origin` to `false`, so no cross-origin request is accepted, and `server_2` only echoes the user-supplied origin when it exactly matches an allow list.

```javascript
import { ApolloServer } from 'apollo-server';
var https = require('https'),
  url = require('url');
var server = https.createServer(function () { });
server.on('request', function (req, res) {
  // GOOD: origin is restrictive (no Access-Control-Allow-Origin is emitted)
  const server_1 = new ApolloServer({
    cors: { origin: false }
  });
  let user_origin = url.parse(req.url, true).query.origin;
  // GOOD: user data is properly sanitized (exact match against an allow list)
  const server_2 = new ApolloServer({
    cors: { origin: (user_origin === "https://allowed1.com" || user_origin === "https://allowed2.com") ? user_origin : false }
  });
});
```
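The allow-list comparison in the GOOD sample is the part that is most often implemented wrongly in practice, so here is an added example (not part of the qhelp above or of Apollo Server) that puts a naive substring check beside a strict origin check and shows the bypass the naive version permits. The hostnames, the `ALLOWED_ORIGINS` set and the helper names are constructed for this example; the `(origin, callback)` adapter assumes the function-valued `origin` option of the Express `cors` middleware, which apollo-server is assumed to pass through unchanged.

```javascript
// Added example: strict CORS origin allow-listing versus a naive check.
// Hostnames and helper names are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://allowed1.com",
  "https://allowed2.com",
]);

// BAD (for contrast): substring matching on the Origin header. The attacker
// origin "https://allowed1.com.evil.example" satisfies it, so the server would
// reflect that origin in Access-Control-Allow-Origin.
function naiveAllowsOrigin(requestOrigin) {
  return typeof requestOrigin === "string" &&
    requestOrigin.includes("https://allowed1.com");
}

// GOOD: parse the Origin header, normalize it to scheme://host[:port], and
// require an exact match. Returns the origin to echo, or false to emit no
// CORS header at all (the same effect as the `origin: false` configuration).
function resolveCorsOrigin(requestOrigin) {
  if (typeof requestOrigin !== "string") return false;
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch (e) {
    return false; // "null", a missing header, or garbage: no CORS header
  }
  // A real Origin header has no path, query or fragment; reject anything that
  // tries to smuggle an allowed name in after the host.
  if (parsed.pathname !== "/" || parsed.search || parsed.hash) return false;
  const normalized = parsed.origin; // lowercases scheme/host, drops default port
  return ALLOWED_ORIGINS.has(normalized) ? normalized : false;
}

// Response headers for a given request Origin; an empty object means the
// browser will block the cross-origin read.
function corsHeadersFor(requestOrigin) {
  const origin = resolveCorsOrigin(requestOrigin);
  if (origin === false) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    // The response now varies per origin; tell caches so one origin's
    // response is never served to another.
    "Vary": "Origin",
  };
}

// Adapter for an `origin(requestOrigin, callback)` option (assumed: the
// Express `cors` middleware signature, as passed through by apollo-server).
function corsOriginCallback(requestOrigin, callback) {
  callback(null, resolveCorsOrigin(requestOrigin));
}

// Constructed sample of Origin header values a server might see.
const SAMPLE_ORIGINS = [
  "https://allowed1.com",              // allowed
  "HTTPS://Allowed2.COM:443",          // allowed after normalization
  "https://allowed1.com.evil.example", // attacker-controlled subdomain
  "http://allowed1.com",               // scheme downgrade, rejected
  "null",                              // sandboxed iframe / file origin
  undefined,                           // same-origin request, no header
];

function demo() {
  return SAMPLE_ORIGINS.map((o) => ({
    origin: o,
    naive: naiveAllowsOrigin(o),
    strict: resolveCorsOrigin(o),
  }));
}

demo().forEach((r) =>
  console.log(`${String(r.origin)}: naive=${r.naive} strict=${String(r.strict)}`)
);
```

Running the block prints one line per sample origin; the third line is the interesting one, where the naive check accepts the attacker's subdomain and the strict check does not. In a real server the `corsOriginCallback` function (or `resolveCorsOrigin` wrapped the same way) is what would be handed to the `cors.origin` option in place of the raw query parameter.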
Pull Request Overview
This PR moves the CORS misconfiguration query from experimental to the main Security suite, making it part of the default security analysis.
- Relocates the CORS permissive configuration query and supporting files from experimental/Security/CWE-942/ to Security/CWE-942/
- Updates library imports to use the standard location and removes deprecated functionality
- Adds Apollo Server modeling through external model files instead of custom QL code
Reviewed Changes
Copilot reviewed 16 out of 20 changed files in this pull request and generated no comments.
File | Description
---|---
javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.ql | Updates query imports and improves naming from "overly CORS configuration" to "Permissive CORS configuration"
javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.qhelp | Adds comprehensive help documentation with improved formatting and clearer explanations
javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll | Removes deprecated Configuration class and flow label classes
javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll | Updates imports to use standard Cors framework and replaces custom Apollo modeling with model-based approach
javascript/ql/lib/ext/apollo-server.model.yml | Adds Apollo Server type models and sink models to replace custom QL implementations
javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref | Creates new test reference pointing to the moved query location
Multiple test expectation files | Updates expected query suite contents to include the new security query
Comments suppressed due to low confidence (1)
javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.ql:2
- The query name should be 'CORS misconfiguration' to match the title mentioned in the change notes and maintain consistency with existing naming conventions.
* @name Permissive CORS configuration
Moved cors-misconfiguration query outside experimental