26 lines
850 B
YAML
26 lines
850 B
YAML
rules:
|
|
- id: php-permissive-cors
|
|
patterns:
|
|
- pattern: header($VALUE,...)
|
|
- pattern-either:
|
|
- pattern: header("...",...)
|
|
- pattern-inside: |
|
|
$VALUE = "...";
|
|
...
|
|
- metavariable-regex:
|
|
metavariable: $VALUE
|
|
regex: (\'|\")\s*(Access-Control-Allow-Origin|access-control-allow-origin)\s*:\s*(\*)\s*(\'|\")
|
|
message: >-
|
|
Access-Control-Allow-Origin response header is set to "*".
|
|
This will disable CORS Same Origin Policy restrictions.
|
|
metadata:
|
|
references:
|
|
- https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
|
|
owasp: "A6: Security Misconfiguration"
|
|
cwe: "CWE-346: Origin Validation Error"
|
|
category: security
|
|
technology:
|
|
- php
|
|
languages: [php]
|
|
severity: WARNING
|