
S5122 should only raise when all origins are allowed

    Details

    • Type: False-Positive
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.1
    • Component/s: Rules
    • Labels:

      Description

      Today S5122 raises on any HTTP CORS headers with any values.

      But the only critical header is Access-Control-Allow-Origin when set to *

      The code examples in other recent tickets follow this behaviour:
      https://jira.sonarsource.com/browse/SONARJAVA-3223
      https://jira.sonarsource.com/browse/SONARJAVA-3261

      but not the current implementation (see the picture in the attachment).

      This implies the following changes:

      • HttpServletResponse: raise only when "Access-Control-Allow-Origin" header is set to "*"
      • CorsConfiguration: raises only when addAllowedOrigin("*")
      • @CrossOrigin annotation: raises when origins (and value, since it's an alias) is not set or set to "*". (By default all origins are allowed, see documentation).

      New code examples:
      https://github.com/SonarSource/security-expected-issues/tree/master/java/its/rules-sonarsource-com-code-examples/sonar-java/src/main/java/com/RSPEC_5122
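
      The three cases above, as an added example that is not part of the ticket and not the code from the security-expected-issues repository: each permissive form sits next to an origin-restricted form that the revised rule should leave alone. It assumes the Servlet API and Spring Web are on the classpath; the host names are placeholders.

```java
// Added illustration of the intended S5122 behaviour described in the ticket.
// Not the rule's own test code; "https://trusted.example" is a placeholder host.
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.cors.CorsConfiguration;

public class CorsExamples {

    // 1. HttpServletResponse: only the wildcard Access-Control-Allow-Origin value should raise.
    void servletHeaders(HttpServletResponse response) {
        response.setHeader("Access-Control-Allow-Origin", "*");                       // should raise
        response.setHeader("Access-Control-Allow-Origin", "https://trusted.example");  // should not raise
        response.setHeader("Access-Control-Allow-Methods", "GET");                    // other CORS header: no issue
    }

    // 2. CorsConfiguration: only addAllowedOrigin("*") should raise.
    CorsConfiguration springConfig() {
        CorsConfiguration permissive = new CorsConfiguration();
        permissive.addAllowedOrigin("*");                          // should raise

        CorsConfiguration restricted = new CorsConfiguration();
        restricted.addAllowedOrigin("https://trusted.example");   // should not raise
        return restricted;
    }

    // 3. @CrossOrigin: raises when origins/value is absent (the default allows all origins) or "*".
    @RestController
    static class Controller {
        @CrossOrigin                                        // should raise: no origins given, defaults to all
        @GetMapping("/a") String a() { return "a"; }

        @CrossOrigin(origins = "*")                         // should raise
        @GetMapping("/b") String b() { return "b"; }

        @CrossOrigin(value = "*")                           // should raise: value is an alias of origins
        @GetMapping("/c") String c() { return "c"; }

        @CrossOrigin(origins = "https://trusted.example")   // should not raise
        @GetMapping("/d") String d() { return "d"; }
    }
}
```

      The comments mark which lines the revised rule should flag; everything else is a CORS setting that restricts origins or touches a header other than Access-Control-Allow-Origin and is therefore out of scope for the rule.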

              People

              • Assignee:
                quentin.jaquier Quentin Jaquier
                Reporter:
                eric.therond Eric Therond
              • Votes: 0
              • Watchers: 2