Permissive Cross-domain Policy with Untrusted Domains
Description
The Apollo GraphQL server is set up with a CORS policy that does not deny all origins. Carefully review the configured origins to see whether any of them are incorrectly set up (third-party websites, unanchored or otherwise bad regexes, origin functions that reflect every requesting origin, etc.).
Examples
Insecure Code

```js
const { ApolloServer } = require('apollo-server');
const server = new ApolloServer({
  cors: {
    origin: ['*']
  }
});
```

Secure Code

```js
const { ApolloServer } = require('apollo-server');
const server = new ApolloServer({
  cors: {
    origin: ['https://example.com']
  }
});
```

Remediation
Review and restrict the CORS policy to only allow trusted domains.
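The following is an added example (not code from the rule page or from Apollo) of an allowlist-based origin check in the callback shape the `cors` middleware accepts, alongside the unanchored regex mistake the description warns about. It assumes the trusted site is `https://example.com` and its first-level subdomains; `ALLOWED_ORIGINS`, `GOOD_PATTERN`, `BAD_PATTERN`, `isAllowedOrigin` and `originCallback` are names chosen here.

```javascript
// Added example: allowlist-based CORS origin check for an Apollo/cors setup.
// Assumption: only https://example.com and its direct subdomains are trusted.

// Exact-match allowlist: the safest form, no pattern matching at all.
const ALLOWED_ORIGINS = new Set([
  'https://example.com',
  'https://app.example.com',
]);

// Bad regex: unanchored, so it also matches https://evil-example.com
// and https://example.com.attacker.test (the "bad regex" case).
const BAD_PATTERN = /example\.com/;

// Good regex: anchored at both ends, scheme pinned to https,
// at most one optional subdomain label, dot escaped.
const GOOD_PATTERN = /^https:\/\/([a-z0-9-]+\.)?example\.com$/;

// Returns true only for origins that are explicitly trusted.
function isAllowedOrigin(origin) {
  // No Origin header (same-origin or non-browser client): deny rather
  // than reflect, so no Access-Control-Allow-Origin is emitted.
  if (typeof origin !== 'string') return false;
  return ALLOWED_ORIGINS.has(origin) || GOOD_PATTERN.test(origin);
}

// Callback in the form `cors` expects for `origin: (origin, cb) => ...`.
// Passing `true` makes cors echo back the request origin; `false` disables
// CORS for that request instead of reflecting an untrusted origin.
function originCallback(origin, callback) {
  callback(null, isAllowedOrigin(origin));
}

// Wiring (hypothetical, shown for context only):
// const server = new ApolloServer({ cors: { origin: originCallback } });
```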
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0223 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-942 |
| Confidence | LOW |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | cors, security |
| OWASP | N/A |