Fixed tests

Kwstubbs · Kwstubbs · commit ed2c7781d9a1 · 2024-12-09T17:52:09.000-08:00
diff --git a/csharp/ql/src/experimental/CWE-942/CorsMisconfiguration.ql b/csharp/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
@@ -1,12 +1,12 @@
 /**
- * @name CORS misconfiguration
- * @description Keeping an open CORS policy may result in security issues as third party website may be able to
- *              access other websites.
+ * @name Credentialed CORS Misconfiguration
+ * @description Allowing any origin while allowing credentials may result in security issues as third party website may be able to
+ *              access private resources.
  * @kind problem
  * @problem.severity error
  * @security-severity 7.5
  * @precision high
- * @id cs/web/cors-misconfiguration
+ * @id cs/web/cors-misconfiguration-credentials
  * @tags security
  *       external/cwe/cwe-942
  */
@@ -37,22 +37,22 @@ private predicate alwaysReturnsTrue(Callable c) {
 }
 
 /**
- * Holds if the application uses a vulnerable CORS policy.
+ * Holds if the application allows an origin using "*" origin.
  */
-private predicate hasDangerousOrigins(MethodCall m) {
+private predicate allowAnyOrigin(MethodCall m) {
   m.getTarget()
       .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder",
-        "WithOrigins") and
-  m.getAnArgument().getValue() = ["null", "*"]
+        "AllowAnyOrigin")
 }
 
 /**
- * Holds if the application allows an origin using "*" origin.
+ * Holds if the application uses a vulnerable CORS policy.
  */
-private predicate allowAnyOrigin(MethodCall m) {
+private predicate hasDangerousOrigins(MethodCall m) {
   m.getTarget()
       .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder",
-        "AllowAnyOrigin")
+        "WithOrigins") and
+  m.getAnArgument().getValue() = ["null", "*"]
 }
 
 /**
@@ -64,25 +64,30 @@ private predicate configIsUsed(MethodCall add_policy) {
         .hasFullyQualifiedName("Microsoft.AspNetCore.Builder.CorsMiddlewareExtensions", "UseCors") and
     (
       uc.getArgument(1).getValue() = add_policy.getArgument(0).getValue() or
+      uc.getArgument(1).(VariableAccess).getTarget() =
+        add_policy.getArgument(0).(VariableAccess).getTarget() or
       localFlow(DataFlow::exprNode(add_policy.getArgument(0)), DataFlow::exprNode(uc.getArgument(1)))
     )
   )
 }
 
-from MethodCall add_policy, MethodCall m
+from MethodCall add_policy, MethodCall m, MethodCall allowsCredentials
 where
   (
     add_policy
         .getTarget()
         .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsOptions", "AddPolicy") and
     add_policy.getArgument(1) = m.getParent*() and
-    configIsUsed(add_policy)
+    configIsUsed(add_policy) and
+    add_policy.getArgument(1) = allowsCredentials.getParent*()
     or
     add_policy
         .getTarget()
         .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsOptions",
           "AddDefaultPolicy") and
-    add_policy.getArgument(0) = m.getParent*()
+    add_policy.getArgument(0) = m.getParent*() and
+    add_policy.getArgument(0) = allowsCredentials.getParent*()
   ) and
   (hasDangerousOrigins(m) or allowAnyOrigin(m) or functionAlwaysReturnsTrue(m))
-select add_policy, "The following CORS policy may be vulnerable to 3rd party websites"
+select add_policy,
+  "The following CORS policy may allow credentialed requests from 3rd party websites"
diff --git a/csharp/ql/test/experimental/CWE-942/CorsMiconfigurationCredentials.cs b/csharp/ql/test/experimental/CWE-942/CorsMiconfigurationCredentials.cs
@@ -1,18 +1,25 @@
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Mvc;
 using System;
+using Microsoft.Extensions.DependencyInjection;
 
+
+
+public class Startup
+{
+    public void ConfigureServices(string[] args)
+    {
 var builder = WebApplication.CreateBuilder(args);
 var MyAllowSpecificOrigins = "_myAllowSpecificOrigins";
 
 
 builder.Services.AddCors(options =>
 {
-    options.AddPolicy(MyAllowSpecificOrigins,
-                      policy =>
-                      {
-                          policy.SetIsOriginAllowed(test => true).AllowCredentials().AllowAnyHeader().AllowAnyMethod();
-                      });
+    options.AddPolicy(MyAllowSpecificOrigins,
+                      policy =>
+                      {
+                          policy.SetIsOriginAllowed(test => true).AllowCredentials().AllowAnyHeader().AllowAnyMethod();
+                      });
 });
 
 var app = builder.Build();
@@ -22,4 +29,6 @@
 app.MapGet("/", () => "Hello World!");
 app.UseCors(MyAllowSpecificOrigins);
 
-app.Run();
+app.Run();
+    }
+}
diff --git a/csharp/ql/test/experimental/CWE-942/CorsMisconfiguration.cs b/csharp/ql/test/experimental/CWE-942/CorsMisconfiguration.cs
@@ -0,0 +1,34 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Mvc;
+using System;
+using Microsoft.Extensions.DependencyInjection;
+
+
+
+public class Test
+{
+    public void ConfigureServices(string[] args)
+    {
+var builder = WebApplication.CreateBuilder(args);
+var MyAllowSpecificOrigins = "_myAllowSpecificOrigins";
+
+
+builder.Services.AddCors(options =>
+{
+    options.AddPolicy(MyAllowSpecificOrigins,
+                      policy =>
+                      {
+                          policy.AllowAnyOrigin().AllowCredentials().AllowAnyHeader().AllowAnyMethod();
+                      });
+});
+
+var app = builder.Build();
+
+
+
+app.MapGet("/", () => "Hello World!");
+app.UseCors(MyAllowSpecificOrigins);
+
+app.Run();
+    }
+}
diff --git a/csharp/ql/test/experimental/CWE-942/CorsMisconfiguration.expected b/csharp/ql/test/experimental/CWE-942/CorsMisconfiguration.expected
@@ -0,0 +1,2 @@
+| CorsMiconfigurationCredentials.cs:18:5:22:24 | call to method AddPolicy | The following CORS policy may allow credentialed requests from 3rd party websites |
+| CorsMisconfiguration.cs:18:5:22:24 | call to method AddPolicy | The following CORS policy may allow credentialed requests from 3rd party websites |
diff --git a/csharp/ql/test/experimental/CWE-942/CorsMisconfiguration.qlref b/csharp/ql/test/experimental/CWE-942/CorsMisconfiguration.qlref
@@ -0,0 +1 @@
+experimental/CWE-942/CorsMisconfiguration.ql
diff --git a/csharp/ql/test/experimental/CWE-942/CorsMisconfigurationCredentials.expected b/csharp/ql/test/experimental/CWE-942/CorsMisconfigurationCredentials.expected
@@ -0,0 +1 @@
+| CorsMiconfigurationCredentials.cs:18:5:22:24 | call to method AddPolicy | The following CORS policy may allow credentialed requests from 3rd party websites |
diff --git a/csharp/ql/test/experimental/CWE-942/options b/csharp/ql/test/experimental/CWE-942/options
@@ -1,5 +1,4 @@
 semmle-extractor-options: /nostdlib /noconfig
 semmle-extractor-options: --load-sources-from-project:${testdir}/../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
 semmle-extractor-options: --load-sources-from-project:../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
-semmle-extractor-options: --load-sources-from-project:../../resources/stubs/Microsoft.Extensions.DependencyInjection.Abstractions/6.0.0/Microsoft.Extensions.DependencyInjection.Abstractions.csproj
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| CorsMiconfigurationCredentials.cs:18:5:22:24 \| call to method AddPolicy \| The following CORS policy may allow credentialed requests from 3rd party websites \|`
	`2`	`+\| CorsMisconfiguration.cs:18:5:22:24 \| call to method AddPolicy \| The following CORS policy may allow credentialed requests from 3rd party websites \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/CWE-942/CorsMisconfiguration.ql`