# Permissive Cross-domain Policy with Untrusted Domains (CWE-942)

The product uses a cross-domain policy file that includes domains that should not be trusted.

**Stack:** Go

- Prevalence: High Frequently exploited
- Impact: High 1 high-severity rules
- Prevention: Documented 9 fix examples

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

A cross-domain policy file specifies the permissions for a web client to handle data across multiple domains. When overly permissive settings are used, malicious sites can abuse these permissions to access sensitive data or perform unauthorized actions on behalf of the user.

## Prevention

### Go

Configure specific allowed origins in Chi CORS middleware

Configure specific allowed origins in Echo CORS middleware

Configure specific allowed origins in Fiber CORS middleware

## Warning Signs

- [MEDIUM] Gin CORS middleware configured with wildcard origin
- [MEDIUM] CORS policy allows untrusted origins

## Consequences

- Read Application Data
- Bypass Protection Mechanism
- Modify Application Data

## Mitigations

- Carefully evaluate access policies and limit domains in the cross-domain policy file
- Do not use wildcards (*) to allow all domains
- Review and restrict CORS headers to only trusted origins

## Detection

- Total rules: 9
- Languages: python, go

## Rules by Language

### Go (5 rules)

- **Chi Permissive CORS** [MEDIUM]: Wildcard CORS allows any origin to access resources.
  - Remediation: Specify allowed origins instead of wildcard.

```go
r.Use(cors.Handler(cors.Options{
    AllowedOrigins: []string{
        "https://example.com",
        "https://app.example.com",
    },
}))
```

Learn more: https://shoulder.dev/learn/go/cwe-942/cors
- **Echo Permissive CORS** [MEDIUM]: Wildcard CORS allows any origin to access resources.
  - Remediation: Specify allowed origins instead of wildcard.

```go
e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
    AllowOrigins: []string{
        "https://example.com",
        "https://app.example.com",
    },
}))
```

Learn more: https://shoulder.dev/learn/go/cwe-942/cors
- **Fiber Permissive CORS** [MEDIUM]: Wildcard CORS allows any origin to access resources.
  - Remediation: Specify allowed origins instead of wildcard.

```go
app.Use(cors.New(cors.Config{
    AllowOrigins: "https://example.com,https://app.example.com",
}))
```

Learn more: https://shoulder.dev/learn/go/cwe-942/cors
- **Gin Permissive CORS** [MEDIUM]: Wildcard CORS allows any origin to access resources.
  - Remediation: Specify allowed origins instead of wildcard.

```go
config := cors.DefaultConfig()
config.AllowOrigins = []string{
    "https://example.com",
    "https://app.example.com",
}
r.Use(cors.New(config))
```

Learn more: https://shoulder.dev/learn/go/cwe-942/cors
- **Permissive CORS Configuration** [MEDIUM]: CORS allows wildcard origin or reflects Origin header without validation.
  - Remediation: Whitelist specific allowed origins instead of using wildcards.

```go
allowedOrigins := map[string]bool{
    "https://app.example.com": true,
}

origin := r.Header.Get("Origin")
if allowedOrigins[origin] {
    w.Header().Set("Access-Control-Allow-Origin", origin)
}
```

Learn more: https://shoulder.dev/learn/go/cwe-942/permissive-cors