github · Napalys · Jul 30, 2025 · Jul 30, 2025 · Jul 30, 2025 · Jul 30, 2025
@@ -75,7 +75,6 @@ ql/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationL
 ql/javascript/ql/src/experimental/Security/CWE-444/InsecureHttpParser.ql
 ql/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql
 ql/javascript/ql/src/experimental/Security/CWE-918/SSRF.ql
-ql/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.ql
 ql/javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.ql
 ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
 ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql

@@ -5,6 +5,13 @@ extensions:
     data:
       - ["@apollo/server", "Member[ApolloServer,ApolloServerBase].Argument[0].AnyMember.AnyMember.AnyMember.Parameter[1]", "remote"]
 
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["@apollo/server", "Member[gql].Argument[0]", "sql-injection"]
+      - ["@apollo/server", "Member[ApolloServer,ApolloServerBase].Argument[0].Member[cors].Member[origin]", "cors-misconfiguration"]
+
   - addsTo:
       pack: codeql/javascript-all
       extensible: typeModel
@@ -13,3 +20,9 @@ extensions:
       - ["@apollo/server", "apollo-server-express", ""]
       - ["@apollo/server", "apollo-server-core", ""]
       - ["@apollo/server", "apollo-server", ""]
+      - ["@apollo/server", "@apollo/apollo-server-express", ""]
+      - ["@apollo/server", "apollo-server-express", ""]
+      - ["@apollo/server", "@apollo/server", ""]
+      - ["@apollo/server", "@apollo/apollo-server-core", ""]
+      - ["ApolloServer", "@apollo/server", "Member[ApolloServer]"]
+      - ["GraphQLApollo", "@apollo/server", "Member[gql]"]
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["cors", "Argument[0].Member[origin]", "cors-misconfiguration"]
@@ -1,14 +1,14 @@
 /**
  * Provides default sources, sinks and sanitizers for reasoning about
- * CORS misconfiguration for credentials transfer, as well as
- * extension points for adding your own.
+ * CORS misconfiguration for credentials transfer and overly permissive CORS configurations,
+ * as well as extension points for adding your own.
  */
 
 import javascript
 
 module CorsMisconfigurationForCredentials {
   /**
-   * A data flow source for CORS misconfiguration for credentials transfer.
+   * A data flow source for CORS misconfiguration for credentials transfer and overly permissive CORS configurations.
    */
   abstract class Source extends DataFlow::Node { }
 
@@ -68,11 +68,23 @@ module CorsMisconfigurationForCredentials {
   /**
    * A value that is or coerces to the string "null".
    * This is considered a source because the "null" origin is easy to obtain for an attacker.
+   * An overly permissive value for `origin`
    */
-  class NullToStringValue extends Source {
-    NullToStringValue() {
+  class PermissiveCorsOriginValue extends Source {
+    PermissiveCorsOriginValue() {
+      this.mayHaveStringValue("*") or
+      this.mayHaveBooleanValue(true) or
       this.asExpr() instanceof NullLiteral or
-      this.asExpr().mayHaveStringValue("null")
+      this.asExpr().getStringValue() = "null"
     }
   }
+
+  /**
+   * The value of cors origin configuration.
+   */
+  class CorsOriginSink extends Sink, DataFlow::ValueNode {
+    CorsOriginSink() { this = ModelOutput::getASinkNode("cors-misconfiguration").asSink() }
+
+    override Http::HeaderDefinition getCredentialsHeader() { none() }
+  }
 }
@@ -1,6 +1,6 @@
 /**
  * @name CORS misconfiguration for credentials transfer
- * @description Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.
+ * @description Misconfiguration of CORS HTTP headers allows for leaks of secret credentials and CSRF attacks.
  * @kind path-problem
  * @problem.severity error
  * @security-severity 7.5
@@ -18,6 +18,5 @@ import CorsMisconfigurationFlow::PathGraph
 
 from CorsMisconfigurationFlow::PathNode source, CorsMisconfigurationFlow::PathNode sink
 where CorsMisconfigurationFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "$@ leak vulnerability due to a $@.",
-  sink.getNode().(Sink).getCredentialsHeader(), "Credential", source.getNode(),
-  "misconfigured CORS header value"
+select sink.getNode(), source, sink, "CORS misconfiguration due to a $@.", source.getNode(),
+  "permissive or user controlled value"
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query "CORS misconfiguration for credentials transfer" (`js/cors-misconfiguration-for-credentials`) has been expanded to also detect overly permissive CORS configurations.