Go: CORS Bypass due to incorrect checks

Question

Go: CORS Bypass due to incorrect checks

porcupineyhairs opened this issue 8 months ago · 2 comments

porcupineyhairs commented 8 months ago

Query PR

github/codeql#16813

Language

GoLang

CVE(s) ID list

CVE-2023-28109
CVE-2024-27302.

CWE

CWE-639

Report

Most Go frameworks provide a function call where-in you can pass a handler for testing origins and performing CORS checks. These functions typically check for the supllied origin in a list of valid origins. This behaviour is mostly fine but can lead to issues when done incorrectly. for example, consider the code snippets below

https://github.com/zeromicro/go-zero/blob/5c9fae7e6258fd66d026793e7cb03ba9955e3dee/rest/internal/cors/handlers.go#L79-L91

https://github.com/play-with-docker/play-with-docker/blob/7188d83f867cbc201aef4b0597ac5f868c1971f3/handlers/bootstrap.go#L71-L80

In both these cases, the checks are implemented incorrectly and can lead to a CORS bypass resulting in CVE-2023-28109 and CVE-2024-27302.

This PR aims to add a query, and its corresponding qhelp and tests for detecting the same vulnerability.

The databases to verify the same can be downloaded from

https://file.io/OQX8Q3H3hMd4
https://filetransfer.io/data-package/wAfSEvZu#link

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Yes
No

Blog post link

No response