# Permissive Cross-domain Policy with Untrusted Domains (CWE-942)

The product uses a cross-domain policy file that includes domains that should not be trusted.

**Stack:** Python

- Prevalence: High, frequently exploited
- Impact: High, 1 high-severity rule
- Prevention: Documented, 9 remediation examples

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

A cross-domain policy file specifies the permissions for a web client to handle data across multiple domains. When overly permissive settings are used, malicious sites can abuse these permissions to access sensitive data or perform unauthorized actions on behalf of the user.

In Python web applications the "policy file" is in practice the CORS configuration, i.e. the `Access-Control-Allow-Origin` and related headers the server emits. The dangerous combination is an origin that is allowed unconditionally (a wildcard, or the request's `Origin` header reflected back without validation) together with `Access-Control-Allow-Credentials: true`: a script on an attacker's page can then issue requests that carry the victim's cookies and read the responses. Browsers refuse the literal `*` when credentials are involved, so frameworks that accept `*` with credentials enabled typically fall back to echoing the request's `Origin`, which is exactly the reflected-origin behaviour this rule set flags.

## Prevention

### Python

- Restrict CORS to specific trusted origins instead of wildcard '*'
- Restrict Flask-CORS to specific trusted origins instead of wildcard '*'
- Use an explicit origin allowlist instead of wildcard '*' for CORS

## Warning Signs

- [HIGH] CORS validation uses weak pattern matching that can be bypassed
- [HIGH] CORS implementations using weak regex patterns, prefix/suffix matching, or substring checks that can be bypassed by attackers to allow unauthorized cross-origin access from malicious domains
- [MEDIUM] FastAPI uses CORSMiddleware with allow_origins=['*'] and allow_credentials=True
- [MEDIUM] Overly permissive CORS configuration in FastAPI applications
- [MEDIUM] Flask application uses CORS(*, supports_credentials=True), which allows any origin to make authenticated requests
- [MEDIUM] Overly permissive CORS (Cross-Origin Resource Sharing) configurations that allow any origin (*) with credentials, or reflect the Origin header without validation

## Consequences

- Read application data
- Bypass protection mechanism
- Modify application data

## Mitigations

- Carefully evaluate access policies and limit the domains listed in the cross-domain policy file
- Do not use wildcards (*) to allow all domains
- Review and restrict CORS headers to trusted origins only

## Detection

- Total rules: 9
- Languages: python, go

## Rules by Language

### Python (4 rules)

- **FastAPI CORS
Misconfiguration** [MEDIUM]: Detects overly permissive CORS configuration in FastAPI applications. Allowing all origins (*) with credentials enabled can lead to CSRF and data theft.
  - Remediation: Restrict CORS to specific origins:

    ```python
    from fastapi import FastAPI
    from fastapi.middleware.cors import CORSMiddleware

    app = FastAPI()

    # GOOD: an explicit allowlist; credentials are only ever sent to these origins
    app.add_middleware(
        CORSMiddleware,
        allow_origins=["https://example.com", "https://app.example.com"],
        allow_credentials=True,
        allow_methods=["GET", "POST"],
        allow_headers=["*"],
    )
    ```

- **Flask CORS Misconfiguration** [MEDIUM]: Detects overly permissive CORS configuration in Flask applications using flask-cors. Allowing all origins (*) with credentials enabled can lead to cross-site request forgery and data theft.
  - Remediation: Restrict CORS to specific trusted origins:

    ```python
    from flask import Flask
    from flask_cors import CORS

    app = Flask(__name__)

    # GOOD: Restrict to specific origins (and only for the API routes that need it)
    CORS(app, resources={
        r"/api/*": {
            "origins": ["https://example.com", "https://app.example.com"],
            "supports_credentials": True
        }
    })
    ```

- **CORS Misconfiguration** [MEDIUM]: Detects overly permissive CORS (Cross-Origin Resource Sharing) configurations that allow any origin (*) with credentials, or reflect the Origin header without validation. This can expose sensitive data to malicious sites.
  - Remediation: Use an explicit origin allowlist instead of wildcard (*).

    ```python
    from flask import Flask, request

    app = Flask(__name__)

    ALLOWED_ORIGINS = {
        'https://example.com',
        'https://app.example.com',
    }

    @app.after_request
    def add_cors(response):
        # Exact set membership: the Origin is echoed back only when it is on the allowlist
        origin = request.headers.get('Origin')
        if origin in ALLOWED_ORIGINS:
            response.headers['Access-Control-Allow-Origin'] = origin
            response.headers['Access-Control-Allow-Credentials'] = 'true'
        return response
    ```

    Learn more: https://shoulder.dev/learn/python/cwe-942/cors-misconfiguration

- **CORS Regex Bypass Vulnerability** [HIGH]: Detects CORS implementations using weak regex patterns, prefix/suffix matching, or substring checks that can be bypassed by attackers to allow unauthorized cross-origin access from malicious domains. Common bypass patterns:
  1. Unanchored regex: `r"https://.*\.example\.com"` used with `re.match()` matches `"https://evil.com/.example.com"`; because nothing anchors the end of the pattern it also matches `"https://app.example.com.evil.com"`, a host the attacker can actually register.
  2. Unescaped dots: `r"https://app.trusted.com"` matches `"https://appXtrusted.com"`, since each unescaped `.` matches any single character.
  3. Prefix matching: `startswith("https://trusted.com")` allows `"https://trusted.com.evil.com"`.
  4. Suffix matching
  - Remediation: Use strict origin validation with exact matching against an allowlist:

    ```python
    from fastapi import FastAPI, Request

    app = FastAPI()

    ALLOWED_ORIGINS = {
        "https://app.example.com",
        "https://api.example.com",
    }

    @app.middleware("http")
    async def cors_middleware(request: Request, call_next):
        # Note: this decorates normal responses only; preflight (OPTIONS)
        # requests still need a handler or CORSMiddleware.
        response = await call_next(request)
        origin = request.headers.get("origin", "")
        # SAFE: Exact match against allowlist
        if origin in ALLOWED_ORIGINS:
            response.headers["Access-Control-Allow-Origin"] = origin
            response.headers["Access-Control-Allow-Credentials"] = "true"
        return response
    ```

    If you must use regex, ensure:
    1. Use `fullmatch()`, not `match()` (`match()` anchors only the start of the string)
    2. Anchor patterns with `^` and `$` (and still prefer `fullmatch()`, since `$` also matches before a trailing newline)
    3. Escape all dots as `\.`
    4. Don't use `.*` wildcards in domain positions
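The bypass patterns above, worked through as an added example (this is not code from the original page or from any rule's source): each weak validator is run next to a strict allowlist and a properly anchored regex over constructed attacker-controlled `Origin` values. The domain names, the `endswith("trusted.com")` suffix check and the scheme-downgrade origin are assumptions chosen for illustration; the header builder also shows the `Vary: Origin` caveat that per-origin responses need so shared caches do not serve one origin's response to another.

```python
"""Origin validation: bypassable checks versus strict matching (added example)."""
import re

# Assumed allowlist for the example.
ALLOWED_ORIGINS = {"https://app.example.com", "https://trusted.com"}

# Constructed inputs: origins a browser could genuinely send from an attacker's page.
ATTACKER_ORIGINS = [
    "https://app.example.com.evil.com",  # registrable host; defeats a pattern with no end anchor
    "https://app-example.com",           # registrable host; defeats an unescaped '.'
    "https://trusted.com.evil.com",      # registrable host; defeats startswith()
    "https://eviltrusted.com",           # registrable host; defeats endswith()
    "http://trusted.com",                # scheme downgrade; defeats checks that ignore the scheme
    "null",                              # sandboxed iframe / file origin
]
LEGITIMATE_ORIGINS = ["https://app.example.com", "https://trusted.com"]


# --- Weak validators: each mirrors one bypass pattern from the rule (do NOT use) ---

def weak_unanchored_regex(origin: str) -> bool:
    # re.match() anchors only the start; '.*' plus no '$' lets any suffix through.
    return re.match(r"https://.*\.example\.com", origin) is not None


def weak_unescaped_dots(origin: str) -> bool:
    # Anchored via fullmatch(), but every '.' still matches any single character.
    return re.fullmatch(r"https://app.example.com", origin) is not None


def weak_prefix(origin: str) -> bool:
    return origin.startswith("https://trusted.com")


def weak_suffix(origin: str) -> bool:
    # Assumed suffix check: no leading '.' and no scheme check.
    return origin.endswith("trusted.com")


# --- Strict validators ---

def strict_allowlist(origin: str) -> bool:
    # Exact membership of the full origin (scheme + host + port).
    return origin in ALLOWED_ORIGINS


# Anchored, dots escaped, a bounded label instead of '.*'; browsers send origins lowercase.
SUBDOMAIN_RE = re.compile(r"^https://[a-z0-9-]+\.example\.com$")


def strict_regex(origin: str) -> bool:
    return SUBDOMAIN_RE.fullmatch(origin) is not None


VALIDATORS = {
    "unanchored_regex": weak_unanchored_regex,
    "unescaped_dots": weak_unescaped_dots,
    "prefix": weak_prefix,
    "suffix": weak_suffix,
    "strict_allowlist": strict_allowlist,
    "strict_regex": strict_regex,
}


def accepted_attacker_origins() -> dict:
    """Map each validator name to the attacker origins it wrongly accepts."""
    return {name: [o for o in ATTACKER_ORIGINS if check(o)]
            for name, check in VALIDATORS.items()}


def cors_headers(origin: str, is_allowed=strict_allowlist) -> dict:
    """Build the CORS response headers for a request carrying `origin`."""
    # Vary: Origin is emitted unconditionally so caches key on the request Origin.
    headers = {"Vary": "Origin"}
    if origin and is_allowed(origin):
        # Echo only a validated origin; never '*' together with credentials.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for name, leaked in accepted_attacker_origins().items():
        print(f"{name:18} accepts attacker origins: {leaked}")
    print(cors_headers("https://trusted.com.evil.com", weak_prefix))
    print(cors_headers("https://trusted.com.evil.com"))
```

Running the block shows that every weak validator leaks at least one attacker origin while both strict checks leak none; the suffix check is the worst of the four because it also ignores the scheme. `cors_headers` deliberately returns `Vary: Origin` even when it refuses the origin, so a cached refusal cannot be served to a later legitimate caller, and it never emits `*` with credentials since browsers reject that combination anyway.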