# CORS Regex Bypass Vulnerability

- ID: python-cors-regex-bypass
- Severity: HIGH
- CWE: CWE-942
- Languages: Python
- Frameworks: django, flask, fastapi

## Description

Detects CORS implementations that validate the `Origin` header with weak regex patterns, prefix/suffix matching, or substring checks. Each of these can be satisfied by an origin the developer never intended to trust, granting a malicious domain cross-origin access (and, when `Access-Control-Allow-Credentials` is set, access with the victim's cookies).

Common bypass patterns:

1. Unanchored regex: `r"https://.*\.example\.com"` matches `"https://evil.com/.example.com"`
2. Unescaped dots: `r"https://app.trusted.com"` matches `"https://appXtrusted.com"`
3. Prefix matching: `startswith("https://trusted.com")` allows `"https://trusted.com.evil.com"`
4. Suffix matching: `endswith(".trusted.com")` can be abused through subdomain takeover
5. Contains check: `"trusted.com" in origin` matches `"https://nottrusted.com"`

## Detection Message

CORS validation uses weak pattern matching that can be bypassed

## Remediation

Use strict origin validation with exact matching against an allowlist:

```python
from fastapi import FastAPI, Request

app = FastAPI()

ALLOWED_ORIGINS = {
    "https://app.example.com",
    "https://api.example.com",
}


@app.middleware("http")
async def cors_middleware(request: Request, call_next):
    response = await call_next(request)
    origin = request.headers.get("origin", "")
    # SAFE: exact match against the allowlist; no prefix, suffix or regex checks
    if origin in ALLOWED_ORIGINS:
        response.headers["Access-Control-Allow-Origin"] = origin
        response.headers["Access-Control-Allow-Credentials"] = "true"
        # Tell caches the response depends on Origin, so a response produced
        # for one allowed origin is not served to a request from another
        response.headers["Vary"] = "Origin"
    return response
```

If you must use a regex, ensure that you:

1. Use `fullmatch()`, not `match()`
2. Anchor patterns with `^` and `$`
3. Escape all dots as `\.`
4. Do not use `.*` wildcards in domain positions; restrict subdomain labels to an explicit character class

## Related Rules

- **FastAPI CORS Misconfiguration** [MEDIUM]
- **Flask CORS Misconfiguration** [MEDIUM]
- **Chi Permissive CORS** [MEDIUM]
- **Echo Permissive CORS** [MEDIUM]
- **Fiber Permissive CORS** [MEDIUM]
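The following is an added example, not part of the rule's own text or the scanner's code. It runs each of the five weak checks from the description, plus the exact-match allowlist and an anchored, escaped regex written to the remediation rules, over a constructed set of origins (a legitimate `https://app.trusted.com` and one probe per bypass class; the `trusted.com` / `evil.com` names are placeholders). The `evaluate` function returns which origins each check accepts, so the difference between the weak and strict validators is visible on real input rather than asserted in prose.

```python
import re
from typing import Callable

# Constructed sample origins (placeholders, not real hosts). The first is the
# only one that should ever be accepted; the rest map to the bypass classes
# listed in the rule description.
PROBE_ORIGINS = [
    "https://app.trusted.com",            # legitimate origin
    "https://evil.com/.trusted.com",      # unanchored regex / suffix check
    "https://appXtrusted.com",            # unescaped dot
    "https://app.trusted.com.evil.com",   # prefix check
    "https://nottrusted.com",             # substring check
]

# Weak validators, one per bypass class. Each mirrors code the rule flags.
WEAK_CHECKS: dict[str, Callable[[str], bool]] = {
    # re.match only anchors at the start; nothing stops trailing junk
    "unanchored_regex": lambda o: re.match(r"https://.*\.trusted\.com", o) is not None,
    # '.' is a wildcard, so 'appXtrusted.com' satisfies it
    "unescaped_dots": lambda o: re.fullmatch(r"https://app.trusted.com", o) is not None,
    # Prefix match accepts anything appended after the trusted host
    "startswith": lambda o: o.startswith("https://app.trusted.com"),
    # Suffix match never confirms what precedes '.trusted.com'
    "endswith": lambda o: o.endswith(".trusted.com"),
    # Substring match accepts any origin containing the text anywhere
    "contains": lambda o: "trusted.com" in o,
}

# Strict validator 1: exact membership in an allowlist (the recommended form).
ALLOWED_ORIGINS = {"https://app.trusted.com", "https://api.trusted.com"}


def strict_allow(origin: str) -> bool:
    return origin in ALLOWED_ORIGINS


# Strict validator 2: if a pattern is unavoidable, follow the remediation rules:
# anchored with ^/$, dots escaped, fullmatch(), and a bounded label class in
# place of '.*' so a subdomain label cannot contain '/', '.' or '@'.
SUBDOMAIN_RE = re.compile(r"^https://[a-z0-9-]+\.trusted\.com$")


def strict_regex_allow(origin: str) -> bool:
    return SUBDOMAIN_RE.fullmatch(origin) is not None


def evaluate(origins: list[str]) -> dict[str, list[str]]:
    """Return, for every validator, the subset of `origins` it accepts."""
    checks: dict[str, Callable[[str], bool]] = dict(WEAK_CHECKS)
    checks["strict_allowlist"] = strict_allow
    checks["strict_regex"] = strict_regex_allow
    return {name: [o for o in origins if fn(o)] for name, fn in checks.items()}


if __name__ == "__main__":
    for name, accepted in evaluate(PROBE_ORIGINS).items():
        print(f"{name:18s} accepts: {accepted}")
```

Running it shows every weak check accepting at least one probe besides the legitimate origin (the `contains` check accepts all five), while both strict validators accept only `https://app.trusted.com`. Note that `strict_regex` still trusts every subdomain of `trusted.com`, which is exactly the exposure the suffix-matching bullet warns about if any subdomain can be taken over; the allowlist form does not have that problem.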