From 5174d1dc609321d02dd8539d4c3a12bf04a81f4e Mon Sep 17 00:00:00 2001
From: Phil Sturgeon <67381+philsturgeon@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:15:10 +0000
Subject: [PATCH] added owasp-api8-2023-define-cors-origin
---
 ...owasp-api8-2023-define-cors-origin.test.ts | 83 +++++++++++++++++++
 src/ruleset.ts | 19 ++++-
 2 files changed, 100 insertions(+), 2 deletions(-)
 create mode 100644 __tests__/owasp-api8-2023-define-cors-origin.test.ts
diff --git a/__tests__/owasp-api8-2023-define-cors-origin.test.ts b/__tests__/owasp-api8-2023-define-cors-origin.test.ts
new file mode 100644
index 0000000..f602a85
--- /dev/null
+++ b/__tests__/owasp-api8-2023-define-cors-origin.test.ts
@@ -0,0 +1,83 @@
+import { DiagnosticSeverity } from "@stoplight/types";
+import testRule from "./__helpers__/helper";
+
+testRule("owasp:api8:2023-define-cors-origin", [
+ {
+ name: "valid case",
+ document: {
+ openapi: "3.1.0",
+ info: { version: "1.0", contact: {} },
+ paths: {
+ "/": {
+ get: {
+ responses: {
+ "200": {
+ description: "ok",
+ headers: {
+ "Access-Control-Allow-Origin": {
+ schema: {
+ type: "string",
+ examples: ["*"],
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ errors: [],
+ },
+
+ {
+ name: "invalid case",
+ document: {
+ openapi: "3.1.0",
+ info: { version: "1.0", contact: {} },
+ paths: {
+ "/a": {
+ get: {
+ responses: {
+ "200": {
+ description: "ok",
+ headers: {
+ "Some-Other-Headers": {
+ schema: {
+ type: "string",
+ examples: ["*"],
+ },
+ },
+ },
+ },
+ },
+ },
+ "/b": {
+ get: {
+ responses: {
+ "200": {
+ description: "ok",
+ headers: {},
+ },
+ },
+ },
+ },
+ },
+ },
+ errors: [
+ {
+ message:
+ "Header `headers.Access-Control-Allow-Origin` should be defined on all responses.",
+ path: ["paths", "/a", "get", "responses", "200", "headers"],
+ severity: DiagnosticSeverity.Error,
+ },
+ {
+ message:
+ "Header `headers.Access-Control-Allow-Origin` should be defined on all responses.",
+ path: ["paths", "/b", "get", "responses", "200", "headers"],
+ severity: DiagnosticSeverity.Error,
+ },
+ ],
+ },
+]);
diff --git a/src/ruleset.ts b/src/ruleset.ts
index 78dd61f..4f12c1b 100644
--- a/src/ruleset.ts
+++ b/src/ruleset.ts
@@ -732,7 +732,7 @@ export default {
 * - ❌ Unhardened images
 * - ✅ Missing, outdated, or misconfigured TLS
 * - ❌ Exposed storage or server management panels
- * - 🟠 Missing CORS policy or security headers
+ * - ✅ Missing CORS policy or security headers
 * https://github.com/stoplightio/spectral-owasp-ruleset/issues/5
 * - 🟠 Error messages with stack traces
 * https://github.com/stoplightio/spectral-owasp-ruleset/issues/12
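Review bot: Neither invalid document exercises a response that has no `headers` map at all, which is the shape most real specs have and the one a CORS-origin rule most needs to catch; both `/a` and `/b` declare a `headers` object. Add a third path whose `200` response is only `{ description: "ok" }` and expect an error for it, and a document that spells the header `access-control-allow-origin`, so the suite decides whether the rule honours the case-insensitivity of header names or reports that spelling as missing. With the rule as written in `src/ruleset.ts` (`given: "$..headers"`) the no-`headers` case would pass silently, which is what the added test would expose.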
@@ -740,6 +740,21 @@ export default {
 *
 */
 
+ /**
+ * @author: Phil Sturgeon (https://github.com/philsturgeon)
+ */
+ "owasp:api8:2023-define-cors-origin": {
+ message: "Header `{{property}}` should be defined on all responses.",
+ description:
+ 'Setting up CORS headers will control which websites can make browser-based HTTP requests to your API, using either the wildcard "*" to allow any origin, or "null" to disable any origin. Alternatively you can use "Access-Control-Allow-Origin: https://example.com" to indicate that only requests originating from the specified domain (https://example.com) are allowed to access its resources.\n\nMore about CORS here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS.',
+ given: "$..headers",
+ then: {
+ field: "Access-Control-Allow-Origin",
+ function: truthy,
+ },
+ severity: DiagnosticSeverity.Error,
+ },
+
 /**
 * @author: Andrzej
 */
@@ -754,7 +769,7 @@ export default {
 function: schema,
 functionOptions: {
 schema: {
- type: "string",
+ type: "string",
 enum: ["https", "wss"],
 },
 },
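Review bot: `given: "$..headers"` only selects objects that already carry a `headers` key, so a response with no `headers` map at all — the common shape — never reaches the `truthy` check and passes silently, while unrelated maps such as `components.headers` and an `encoding` object's `headers` are matched and reported although `Access-Control-Allow-Origin` is not expected there. Anchoring on the response object instead, `given: "$.paths[*][*].responses[*]"` with `field: "headers.Access-Control-Allow-Origin"`, closes the gap and removes those false positives, assuming `then.field` resolves a dotted path here as it does elsewhere in Spectral rulesets — confirm, and adjust the `path` values expected by the new test file accordingly. The check is also presence-only: a response that documents the header with nothing but the `"*"` example passes, so the rule asserts that a CORS policy is declared rather than that it is restrictive, and one sentence saying so in `description` would keep a pass from being read as hardening. Header names in a `headers` map are case-insensitive per OpenAPI, so an exact `field` match reports `access-control-allow-origin` as missing, a false positive worth either documenting or handling. The enclosing `export default {` object starts and ends outside the hunk.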