feat: add symfony insecure allow origin rule

Bearer · Oct 10, 2023 · f05584e · f05584e
1 parent d70e30d
commit f05584e
Show file tree

Hide file tree

Showing 5 changed files with 121 additions and 0 deletions.
diff --git a/rules/php/symfony/insecure_allow_origin.yml b/rules/php/symfony/insecure_allow_origin.yml
@@ -0,0 +1,37 @@
+imports:
+  - php_shared_lang_user_input
+patterns:
+  - pattern: $<HEADERS>->set($<NAME>, $<VALUE>)
+    filters:
+      - variable: HEADERS
+        detection: php_symfony_insecure_allow_origin_headers
+        scope: cursor
+      - variable: NAME
+        string_regex: (?i)\Aaccess-control-allow-origin\z
+      - variable: VALUE
+        detection: php_shared_lang_user_input
+        scope: result
+auxiliary:
+  - id: php_symfony_insecure_allow_origin_headers
+    patterns:
+      - $<_>->headers
+languages:
+  - php
+metadata:
+  description: "Insecure Access-Control-Allow-Origin detected."
+  remediation_message: |
+    ## Description
+    Do not use unverified user-defined input to define Access-Control-Allow-Origin.
+    This can lead to unintended user access to sensitive data.
+
+    ## Remediations
+    ❌ Avoid defining origins with user input wherever possible.
+
+    ✅ If unavoidable, be sure to verify the input or to use a safe-list.
+
+    ## Resources
+    - [OWASP Origin & Access-Control-Allow-Origin](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing)
+  cwe_id:
+    - 346
+  id: php_symfony_insecure_allow_origin
+  documentation_url: https://docs.bearer.com/reference/rules/php_symfony_insecure_allow_origin
diff --git a/tests/php/symfony/insecure_allow_origin/__snapshots__/test.js.snap b/tests/php/symfony/insecure_allow_origin/__snapshots__/test.js.snap
@@ -0,0 +1,44 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`php_symfony_insecure_allow_origin bad 1`] = `
+"{
+  "low": [
+    {
+      "cwe_ids": [
+        "346"
+      ],
+      "id": "php_symfony_insecure_allow_origin",
+      "title": "Insecure Access-Control-Allow-Origin detected.",
+      "description": "## Description\\nDo not use unverified user-defined input to define Access-Control-Allow-Origin.\\nThis can lead to unintended user access to sensitive data.\\n\\n## Remediations\\n❌ Avoid defining origins with user input wherever possible.\\n\\n✅ If unavoidable, be sure to verify the input or to use a safe-list.\\n\\n## Resources\\n- [OWASP Origin & Access-Control-Allow-Origin](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing)\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/php_symfony_insecure_allow_origin",
+      "line_number": 10,
+      "full_filename": "/tmp/bearer-scan/bad.php",
+      "filename": ".",
+      "source": {
+        "start": 10,
+        "end": 10,
+        "column": {
+          "start": 9,
+          "end": 75
+        }
+      },
+      "sink": {
+        "start": 10,
+        "end": 10,
+        "column": {
+          "start": 9,
+          "end": 75
+        },
+        "content": "$response->headers->set('Access-Control-Allow-Origin', $userInput)"
+      },
+      "parent_line_number": 10,
+      "snippet": "$response->headers->set('Access-Control-Allow-Origin', $userInput)",
+      "fingerprint": "4daf8ef3005e0061d4b706ec9e9bee07_0",
+      "old_fingerprint": "602b58527543a5e981d696b795cc7037_0",
+      "code_extract": "        $response->headers->set('Access-Control-Allow-Origin', $userInput);"
+    }
+  ]
+}"
+`;
+
+exports[`php_symfony_insecure_allow_origin ok 1`] = `"{}"`;
diff --git a/tests/php/symfony/insecure_allow_origin/test.js b/tests/php/symfony/insecure_allow_origin/test.js
@@ -0,0 +1,16 @@
+const { createInvoker, getEnvironment } = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createInvoker(ruleId, ruleFile, testBase)
+
+  test("bad", () => {
+    const testCase = "bad.php"
+    expect(invoke(testCase)).toMatchSnapshot()
+  })
+
+  test("ok", () => {
+    const testCase = "ok.php"
+    expect(invoke(testCase)).toMatchSnapshot()
+  })
+})
diff --git a/tests/php/symfony/insecure_allow_origin/testdata/bad.php b/tests/php/symfony/insecure_allow_origin/testdata/bad.php
@@ -0,0 +1,13 @@
+<?php
+
+use \Symfony\Component\HttpFoundation\Response;
+
+$userInput = $_GET["foo"];
+
+class Controller {
+    public function action() {
+        $response = new Response();
+        $response->headers->set('Access-Control-Allow-Origin', $userInput);
+        return $response;
+    }
+}
diff --git a/tests/php/symfony/insecure_allow_origin/testdata/ok.php b/tests/php/symfony/insecure_allow_origin/testdata/ok.php
@@ -0,0 +1,11 @@
+<?php
+
+use \Symfony\Component\HttpFoundation\Response;
+
+class Controller {
+    public function action() {
+        $response = new Response();
+        $response->headers->set('Access-Control-Allow-Origin', $ok);
+        return $response;
+    }
+}