
FN: S5122 should consider CorsConfiguration.addAllowedOrigin(...)

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.13
    • Component/s: Rules
    • Labels:
      None

      Description

      org.springframework.web.cors.CorsConfiguration.addAllowedOrigin(...) is used to configure cross-origin requests.

      By default, a newly created CorsConfiguration is safe because it doesn't allow any cross-origin requests.

      RSPEC-5122 should raise an issue when addAllowedOrigin(...) or applyPermitDefaultValues() is called.
      When both are called in the same method, the issue should be raised on addAllowedOrigin, with a secondary location on applyPermitDefaultValues.

      Code sample extracted from https://gitlab.com/crafts-records/pangloss/pangloss-backend-java-springboot1:

          import org.springframework.context.annotation.Bean;
          import org.springframework.context.annotation.Configuration;
          import org.springframework.web.cors.CorsConfiguration;
          import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
          import org.springframework.web.filter.CorsFilter;

          // Imports and the enclosing configuration class are assumed; the
          // extracted sample shows only the bean method.
          @Configuration
          public class CorsConfig {
              @Bean
              public CorsFilter corsFilter() {
                  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
                  CorsConfiguration config = new CorsConfiguration(); // allows no cross-origin requests by default
                  config.setAllowCredentials(true);
                  config.addAllowedOrigin("*"); // Noncompliant: any origin, combined with credentials
                  config.addAllowedHeader("*");
                  config.addAllowedMethod("*");
                  source.registerCorsConfiguration("/**", config);
                  return new CorsFilter(source);
              }
          }

      Reference: https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html
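      The following is an added example (not SonarJava's rule implementation and not code from the referenced project) that builds the three configurations the description contrasts: the wildcard origin the rule should flag, the applyPermitDefaultValues() case it should also flag, and an explicit-origin list that stays compliant. The helper allowsAnyOrigin and the origin value https://app.example.com are constructed for the example.

```java
import java.util.List;
import org.springframework.web.cors.CorsConfiguration;

// Added example: inspects CorsConfiguration instances for a wildcard origin.
public class CorsOriginCheck {

    // Hypothetical helper: true when the configuration accepts requests from
    // any origin, i.e. its allowed-origin list contains "*" (CorsConfiguration.ALL).
    static boolean allowsAnyOrigin(CorsConfiguration config) {
        List<String> origins = config.getAllowedOrigins();
        return origins != null && origins.contains(CorsConfiguration.ALL);
    }

    static CorsConfiguration wildcardOrigin() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*"); // Noncompliant: every site may call the API, with credentials
        return config;
    }

    static CorsConfiguration permitDefaults() {
        // applyPermitDefaultValues() fills unset origins, headers and methods with "*"
        return new CorsConfiguration().applyPermitDefaultValues(); // Noncompliant
    }

    static CorsConfiguration explicitOrigins() {
        CorsConfiguration config = new CorsConfiguration();
        // Compliant: only the listed origin is accepted (constructed value)
        config.setAllowedOrigins(List.of("https://app.example.com"));
        config.addAllowedMethod("GET");
        return config;
    }

    public static void main(String[] args) {
        // A freshly created CorsConfiguration allows no cross-origin requests at all
        System.out.println("new CorsConfiguration()  -> " + allowsAnyOrigin(new CorsConfiguration()));
        System.out.println("addAllowedOrigin(\"*\")     -> " + allowsAnyOrigin(wildcardOrigin()));
        System.out.println("applyPermitDefaultValues() -> " + allowsAnyOrigin(permitDefaults()));
        System.out.println("explicit origin list       -> " + allowsAnyOrigin(explicitOrigins()));
    }
}
```

      Running it with spring-web on the classpath shows that the empty configuration and the explicit list are the only two that do not match the wildcard check; the check mirrors what the rule looks for statically, since applyPermitDefaultValues() widens origins to "*" only when none were set, which is exactly the case the ticket asks the rule to treat as a secondary location.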

              People

              • Assignee: Tibor Blenessy (tibor.blenessy)
              • Reporter: Alexandre Gigleux (alexandre.gigleux)
              • Votes: 0
              • Watchers: 2
