[JS]: Overly Permissive CORS Query

[maikypedia]

Query PR

github/codeql#14342

Language

Javascript

CVE(s) ID list

-GHSA-2p3c-p3qw-69r4 (CVE WIP)

CWE

CWE-942

Report

The query covers Overly Permissive CORS vulnerability, occurs when the server CORS configuration is too permissive , potentially leading to CSRF attacks. Consequently, an attacker might force authenticated users to submit a request to a Web application against which they are currently authenticated.

I used a dataflow configuration looking for RemoteFlowSource, true and null flowing to the CORS configuration.

The library covered is apollo server. I plan to include 1/2 more.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

• Yes
• No

Blog post link

No response

[Kwstubbs]

@maikypedia can you please provide a vulnerable apollo database. I will take a look once the codeql reviews finish. Feel free to ping me once you think its ready for review.

[maikypedia]

Hello @Kwstubbs sorry for the delay, I used the app apollographql has in getting-started and I put the cors https://ufile.io/38f2b2zr.

[ghsecuritylab]

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Results analysis.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[Kwstubbs]

@maikypedia I apologize, but it seems the link to the database has expired. That is my fault for taking so long to get to this bounty. Would you be able to send it again? I have run the query and everything looks good. I have two comments. It seems these frameworks can added to the js/cors-misconfiguration-for-credentials if you check for the credentials field. Let me know if you are interested in doing that. Secondly, you can avoid some FPs by adding a Sanitizer Guard that checks for process.env.NODE_ENV == development, though overall the FP is as good as any of the other queries we have accepted so it might not be worth your time. Thanks

[Kwstubbs]

@maikypedia Pinging again for database

[maikypedia]

Hi sorry for the delay https://ufile.io/uga8p9wb @Kwstubbs

[maikypedia]

I think I will leave the query as it is, the PR is ready for merge, but I think it might have been overlooked.

[ghsecuritylab]

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[xcorail]

Created Hackerone report 2590109 for bounty 594469 : [793] [JS]: Overly Permissive CORS Query