Permissive Cross-domain Policy with Untrusted Domains
Description
The Apollo GraphQL server is set up with a CORS policy that accepts every origin: either a wildcard (`cors: true` applies the `cors` middleware with its defaults, which answer every request with `Access-Control-Allow-Origin: *`; apollo-server-express applies the same defaults when the option is omitted), a configuration that reflects the requesting origin (such as `origin: true`), or a regex with known flaws (unescaped dots, missing anchors) that also matches attacker-controlled hosts. A reflected or over-broad origin, especially combined with `credentials: true`, lets a malicious page make authenticated requests on behalf of the user and read the responses.
Examples
Insecure Code
```js
const { ApolloServer } = require('apollo-server-express');

// typeDefs and resolvers are defined elsewhere in the application.
const server = new ApolloServer({
  typeDefs,
  resolvers,
  // `true` applies the cors middleware with its defaults: every requesting
  // origin receives Access-Control-Allow-Origin: * on the GraphQL endpoint.
  cors: true
});
```

Secure Code

```js
const { ApolloServer } = require('apollo-server-express');

// typeDefs and resolvers are defined elsewhere in the application.
const server = new ApolloServer({
  typeDefs,
  resolvers,
  cors: {
    // Exact origin string (scheme + host): only this origin is echoed in
    // Access-Control-Allow-Origin; every other origin gets no header at all.
    origin: 'https://example.com'
  }
});
```

Remediation
Configure CORS with an explicit allowlist of trusted origins (exact scheme, host and port), and never combine a reflected or wildcard origin with `credentials: true`. If a pattern is unavoidable, anchor it and escape the dots so that hosts such as `https://example.com.attacker.test` or `https://notexample.com` do not match. Verify the fix by sending a request with a foreign `Origin` header and confirming that the response does not echo it back in `Access-Control-Allow-Origin`.
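The allowlist below is an added example, not code from the rule page or from Apollo. It writes the `origin` option in the `(origin, callback)` form accepted by the `cors` middleware that apollo-server-express wraps, and puts it next to the flawed regex it replaces so the bypasses the Description refers to can be seen directly. The hostnames and the optional anchored regex are constructed for illustration.

```javascript
// Added example (not from the rule page or from Apollo): an origin allowlist
// in the (origin, callback) form accepted by the `cors` middleware that
// apollo-server-express wraps, next to the flawed regex it replaces.
// Hostnames below are constructed for illustration.

// Flawed pattern: the dot is unescaped and there are no anchors, so it also
// accepts "https://example.com.evil.test" and "https://examplexcom", while
// rejecting the legitimate "https://app.example.com".
const FLAWED_ORIGIN_REGEX = /https:\/\/example.com/;

// Safer pattern when subdomains must be allowed: anchored, dot escaped,
// at most one label in front of the registered domain.
const ANCHORED_ORIGIN_REGEX = /^https:\/\/([a-z0-9-]+\.)?example\.com$/;

// Preferred: exact scheme + host (+ port) strings, compared byte for byte.
const ALLOWED_ORIGINS = new Set([
  'https://example.com',
  'https://app.example.com',
]);

function isAllowedOrigin(origin) {
  // The literal string "null" (sandboxed iframes, some redirects) is a real
  // Origin value and must never be allowlisted; exact set membership rejects it.
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Callback form used by the `cors` package: callback(err, allow).
// Returning `false` omits Access-Control-Allow-Origin instead of echoing
// the requester, which is what a reflective policy (`origin: true`) does.
function originCallback(origin, callback) {
  // Same-origin and non-browser clients send no Origin header; the
  // middleware passes `undefined`. Allowing them grants nothing cross-site.
  if (origin === undefined) return callback(null, true);
  return callback(null, isAllowedOrigin(origin));
}

// Synchronous wrapper so the decision can be inspected directly.
function corsDecision(origin) {
  let allowed = false;
  originCallback(origin, (err, allow) => { allowed = !err && allow === true; });
  return allowed;
}

// This is what would be passed as `cors: corsOptions` to new ApolloServer({...}).
// `credentials: true` is only acceptable because `origin` is an allowlist,
// not a wildcard or a reflection of the request.
const corsOptions = {
  origin: originCallback,
  credentials: true,
};

// Compare the three checks against one probe origin.
function compareChecks(origin) {
  return {
    flawedRegex: FLAWED_ORIGIN_REGEX.test(origin),
    anchoredRegex: ANCHORED_ORIGIN_REGEX.test(origin),
    allowlist: corsDecision(origin),
  };
}

// Probe origins a reviewer would try against the endpoint.
for (const probe of [
  'https://example.com',
  'https://app.example.com',
  'https://example.com.evil.test',
  'https://examplexcom',
  'http://example.com',
  'null',
]) {
  console.log(probe, compareChecks(probe));
}
```

The flawed regex both over-accepts (suffix and unescaped-dot hosts) and under-accepts (the real subdomain), which is why an exact allowlist is the default recommendation and a regex is only a fallback for wildcard-subdomain deployments.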
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0285 |
| Category | Web |
| Severity | HIGH |
| CWE | CWE-942 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | cors, apollo-server |
| OWASP | N/A |