Merge pull request #7 from GitHubSecurityLab/cors

feat(queries): Add CORS queries

Author: GeekMasher

ql/queries/security/CWE-942/InsecureCorsAllHeaders.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Insecure CORS: All Headers Allowed
+ * @description Flags CORS policies that allow all headers ("*"), which can increase attack surface.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 4.0
+ * @precision high
+ * @id bicep/insecure-cors-all-headers
+ * @tags security
+ *       bicep
+ */
+
+import bicep
+
+from Network::CorsPolicy cors, Containers::ContainerResource resource
+where
+  resource.getCorsPolicy() = cors and
+  exists(Array headers | headers = cors.getAllowedHeaders() |
+    exists(StringLiteral header | header = headers.getElements() | header.getValue() = "*")
+  )
+select cors.getAllowedHeaders(),
+  "CORS policy allows all headers (\"*\"), which can increase attack surface."

ql/queries/security/CWE-942/InsecureCorsAllMethods.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Insecure CORS: All Methods Allowed
+ * @description Flags CORS policies that allow all HTTP methods ("*") which can expose APIs to abuse.
+ * @kind problem
+ * @problem.severity warning
+ * @id bicep/insecure-cors-all-methods
+ */
+
+import bicep
+
+from Network::CorsPolicy cors, Network::Ingress ingress, Resource resource
+where
+  ingress.getCorsPolicy() = cors and
+  exists(Array methods | methods = cors.getAllowedMethods() |
+    exists(StringLiteral method | method = methods.getElements() | method.getValue() = "*")
+  )
+select resource, "CORS policy allows all HTTP methods (\"*\"), which can expose APIs to abuse."

ql/queries/security/CWE-942/InsecureCorsAllowCredentialsWildcard.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Insecure CORS: AllowCredentials with Wildcard Origin
+ * @description Flags CORS policies that allow credentials with a wildcard origin, which is insecure.
+ * @kind problem
+ * @problem.severity error
+ * @id bicep/insecure-cors-allowcredentials-wildcard
+ */
+import bicep
+
+from
+  Network::CorsPolicy cors,
+  Network::Ingress ingress,
+  Resource resource
+where
+  ingress.getCorsPolicy() = cors and
+  cors.allowCredentials() = true and
+  exists(Array origins | origins = cors.getAllowedOrigins() |
+    exists(StringLiteral origin | origin = origins.getElements() | origin.getValue() = "*" )
+  )
+select resource, "CORS policy allows credentials with a wildcard origin, which is insecure."

ql/queries/security/CWE-942/InsecureCorsWildcardOrigin.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Insecure CORS: Wildcard Origin
+ * @description Flags CORS policies that allow any origin ("*"), which is insecure for sensitive APIs.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 4.0
+ * @precision high
+ * @id bicep/insecure-cors-wildcard-origin
+ * @tags security
+ *       bicep
+ */
+
+import bicep
+
+from Network::CorsPolicy cors, Network::Ingress ingress, Resource resource
+where
+  ingress.getCorsPolicy() = cors and
+  exists(Array origins | origins = cors.getAllowedOrigins() |
+    exists(StringLiteral origin | origin = origins.getElements() | origin.getValue() = "*")
+  )
+select resource, "CORS policy allows any origin (\"*\"), which is insecure for sensitive APIs."

ql/src/security/CWE-942/InsecureCorsAllHeaders.ql

@@ -0,0 +1 @@
+| app.bicep:42:27:42:33 | Array | CORS policy allows all headers ("*"), which can increase attack surface. |

ql/src/security/CWE-942/InsecureCorsAllMethods.ql

@@ -0,0 +1 @@
+security/CWE-942/InsecureCorsAllHeaders.ql

ql/src/security/CWE-942/InsecureCorsAllowCredentialsWildcard.ql

@@ -0,0 +1 @@
+security/CWE-942/InsecureCorsAllMethods.ql

ql/src/security/CWE-942/InsecureCorsWildcardOrigin.ql

@@ -0,0 +1 @@
+security/CWE-942/InsecureCorsAllowCredentialsWildcard.ql

ql/test/queries-tests/security/CWE-942/InsecureCorsAllHeaders.expected

@@ -0,0 +1,2 @@
+| app.bicep:2:1:27:1 | ContainerResource | CORS policy allows any origin ("*"), which is insecure for sensitive APIs. |
+| app.bicep:30:1:55:1 | ContainerResource | CORS policy allows any origin ("*"), which is insecure for sensitive APIs. |

ql/test/queries-tests/security/CWE-942/InsecureCorsAllHeaders.qlref

@@ -0,0 +1 @@
+security/CWE-942/InsecureCorsWildcardOrigin.ql

ql/test/queries-tests/security/CWE-942/InsecureCorsAllMethods.expected

@@ -0,0 +1,55 @@
+// Secure CORS example: only specific headers allowed
+resource secureContainerApp 'Microsoft.App/containerApps@2022-03-01' = {
+  name: 'secure-container-app'
+  location: 'eastus'
+  properties: {
+    managedEnvironmentId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.App/managedEnvironments/my-env'
+    configuration: {
+      ingress: {
+        external: true
+        targetPort: 80
+        corsPolicy: {
+          allowCredentials: false
+          allowedOrigins: [ 'https://example.com' ]
+          allowedHeaders: [ 'Authorization', 'Content-Type' ]
+        }
+      }
+    }
+    template: {
+      containers: [
+        {
+          name: 'app'
+          image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
+        }
+      ]
+    }
+  }
+}
+
+// Insecure CORS example: all headers allowed (should be flagged)
+resource insecureContainerApp 'Microsoft.App/containerApps@2022-03-01' = {
+  name: 'insecure-container-app'
+  location: 'eastus'
+  properties: {
+    managedEnvironmentId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.App/managedEnvironments/my-env'
+    configuration: {
+      ingress: {
+        external: true
+        targetPort: 80
+        corsPolicy: {
+          allowCredentials: false
+          allowedOrigins: [ '*' ]
+          allowedHeaders: [ '*' ]
+        }
+      }
+    }
+    template: {
+      containers: [
+        {
+          name: 'app'
+          image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
+        }
+      ]
+    }
+  }
+}