From 65db589d3b54560a58cb1d2e6cf5d59c99963e46 Mon Sep 17 00:00:00 2001
From: Keshav Malik <33570148+theinfosecguy@users.noreply.github.com>
Date: Wed, 13 Dec 2023 16:35:16 +0530
Subject: [PATCH] Rule for wildcard CORS in FastAPI (#3137)

* Rule for wildcard CORS in FastAPI

* Update test case

* Add rule subcategory

* Add ok: rule-id

* Update wildcard-cors.py

* Update wildcard-cors.py

---------

Co-authored-by: Claudio
Co-authored-by: Vasilii Ermilov
---
 python/fastapi/security/wildcard-cors.py   | 46 ++++++++++++++++++++++
 python/fastapi/security/wildcard-cors.yaml | 37 +++++++++++++++++
 2 files changed, 83 insertions(+)
 create mode 100644 python/fastapi/security/wildcard-cors.py
 create mode 100644 python/fastapi/security/wildcard-cors.yaml

diff --git a/python/fastapi/security/wildcard-cors.py b/python/fastapi/security/wildcard-cors.py
new file mode 100644
index 0000000000..489a34c911
--- /dev/null
+++ b/python/fastapi/security/wildcard-cors.py
@@ -0,0 +1,46 @@
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+
+app = FastAPI()
+
+origins = ["*"]
+
+
+app.add_middleware(
+    CORSMiddleware,
+    # ruleid: wildcard-cors
+    allow_origins=origins,
+    allow_credentials=True,
+    allow=["*"]
+)
+
+
+app.add_middleware(
+    CORSMiddleware,
+    # ruleid: wildcard-cors
+    allow_origins=["*"],
+    allow_credentials=True,
+    allow=["*"]
+)
+
+
+app.add_middleware(
+    CORSMiddleware,
+    # ok: wildcard-cors
+    allow_origins=["https://github.com"],
+    allow_credentials=True,
+    allow=["*"]
+)
+
+app.add_middleware(
+    CORSMiddleware,
+    # ok: wildcard-cors
+    allow_origins=["https://github.com"],
+    allow_credentials=True,
+    allow=["www.semgrep.dev"]
+)
+
+
+@app.get("/")
+async def main():
+    return {"message": "Hello Semgrep"}
diff --git a/python/fastapi/security/wildcard-cors.yaml b/python/fastapi/security/wildcard-cors.yaml
new file mode 100644
index 0000000000..17d30f4d65
--- /dev/null
+++ b/python/fastapi/security/wildcard-cors.yaml
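Review bot: All four `add_middleware` calls in the fixture pass `allow=["*"]` (or `allow=["www.semgrep.dev"]`), which is not a keyword `CORSMiddleware` accepts, so the fixture would fail at middleware construction if anyone actually ran it; the real parameters are `allow_methods` and `allow_headers`, e.g. `allow_methods=["*"]` and `allow_headers=["*"]`. Semgrep never executes the file, so the rule test still passes, but a fixture that mirrors a working configuration is what readers copy from and is easier to reuse for other FastAPI rules. It would also strengthen the `# ok:` coverage to include one case that passes a variable holding a concrete host list (`allow_origins=origins` with `origins = ["https://github.com"]`), since the first `# ruleid:` case is the only one exercising the variable path.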
@@ -0,0 +1,37 @@
+rules:
+  - id: wildcard-cors
+    languages:
+      - python
+    message: CORS policy allows any origin (using wildcard '*'). This is insecure
+      and should be avoided.
+    mode: taint
+    pattern-sources:
+      - pattern: '[..., "*", ...]'
+    pattern-sinks:
+      - patterns:
+          - pattern: |
+              $APP.add_middleware(
+                CORSMiddleware,
+                allow_origins=$ORIGIN,
+                ...);
+          - focus-metavariable: $ORIGIN
+    severity: WARNING
+    metadata:
+      cwe:
+        - "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
+      owasp:
+        - A05:2021 - Security Misconfiguration
+      category: security
+      technology:
+        - python
+        - fastapi
+      references:
+        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+        - https://cwe.mitre.org/data/definitions/942.html
+      likelihood: HIGH
+      impact: LOW
+      confidence: MEDIUM
+      vulnerability_class:
+        - Configuration
+      subcategory:
+        - vuln
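Review bot: The `message` and `impact: LOW` understate the configuration the fixture actually exercises, `allow_origins=["*"]` together with `allow_credentials=True`: in Starlette's `CORSMiddleware` a wildcard combined with credentials is, as far as I recall, answered with the reflected request `Origin` rather than a literal `*` (which browsers would reject on credentialed responses), so authenticated cross-origin reads become possible from any site — worth confirming against the Starlette version in use and stating in the message, e.g. `message: CORS policy allows any origin (wildcard '*'). With allow_credentials=True the request origin is reflected, so any site can read authenticated responses; list explicit trusted origins instead.` Separately, the sink pattern names the bare `CORSMiddleware`, which will not match code that keeps the module prefix (`cors.CORSMiddleware` or `fastapi.middleware.cors.CORSMiddleware`); writing the fully qualified name in the pattern, `fastapi.middleware.cors.CORSMiddleware,`, lets Semgrep match both the imported and the dotted forms, and a `pattern-either` with `starlette.middleware.cors.CORSMiddleware` would cover the underlying class. A catch-all `allow_origin_regex` is an equivalent misconfiguration this rule does not cover and may deserve a follow-up.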