
Rule for wildcard CORS in FastAPI #3137

Merged
merged 12 commits into from
Dec 13, 2023
46 changes: 46 additions & 0 deletions python/fastapi/security/wildcard-cors.py
@@ -0,0 +1,46 @@
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

origins = ["*"]


app.add_middleware(
CORSMiddleware,
# ruleid: wildcard-cors
allow_origins=origins,
allow_credentials=True,
allow=["*"]
)


app.add_middleware(
CORSMiddleware,
# ruleid: wildcard-cors
allow_origins=["*"],
allow_credentials=True,
allow=["*"]
)


app.add_middleware(
CORSMiddleware,
# ok: wildcard-cors
allow_origins=["https://github.com"],
allow_credentials=True,
allow=["*"]
)

app.add_middleware(
CORSMiddleware,
# ok: wildcard-cors
allow_origins=["https://github.com"],
allow_credentials=True,
allow=["www.semgrep.dev"]
)


@app.get("/")
async def main():
return {"message": "Hello Semgrep"}
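Review bot: `allow=["*"]` in all four `add_middleware` calls is not a keyword that CORSMiddleware accepts (the real parameters are `allow_methods` and `allow_headers`), so the fixture as written would fail with a TypeError if the app were actually started; Semgrep does not execute it, but a fixture that mirrors real usage is easier to trust, and `allow_headers=["*"]` looks like the intended line. It would also help to add a negative case where `origins` is built from something other than the `["*"]` literal (e.g. a settings list), since the rule's taint source only tracks that literal and the fixture should document that boundary.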
37 changes: 37 additions & 0 deletions python/fastapi/security/wildcard-cors.yaml
@@ -0,0 +1,37 @@
rules:
- id: wildcard-cors
languages:
- python
message: CORS policy allows any origin (using wildcard '*'). This is insecure
and should be avoided.
mode: taint
pattern-sources:
- pattern: '[..., "*", ...]'
pattern-sinks:
- patterns:
- pattern: |
$APP.add_middleware(
CORSMiddleware,
allow_origins=$ORIGIN,
...);
- focus-metavariable: $ORIGIN
severity: WARNING
metadata:
cwe:
- "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
owasp:
- A05:2021 - Security Misconfiguration
category: security
technology:
- python
- fastapi
references:
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration
- https://cwe.mitre.org/data/definitions/942.html
likelihood: HIGH
impact: LOW
confidence: MEDIUM
vulnerability_class:
- Configuration
subcategory:
- vuln
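Review bot: the only taint source is the list literal `[..., "*", ...]`, so `allow_origins=("*",)` or an `allow_origin_regex=".*"` argument reach the same permissive state without a finding; a `pattern-either` that also covers the tuple form, plus a second sink on `allow_origin_regex`, would close that gap. `impact: LOW` also reads low for the configuration both positive fixtures use, wildcard origins together with `allow_credentials=True`: with that pairing Starlette's middleware reflects the request Origin on cookie-bearing requests rather than sending a bare `*`, so browsers accept credentialed cross-origin reads. Either raise the impact or split the credentialed variant into its own rule with a higher rating.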