Unsanitized user input in Access-Control-Allow-Origin

Rule ID: php_lang_insecure_allow_origin
Languages: php
Source: insecure_allow_origin.yml

Description

Using unverified user-defined input to set the Access-Control-Allow-Origin header can result in unauthorized access to sensitive data. This vulnerability exposes your application to potential security risks by allowing attackers to specify origins that can access resources.

Remediations

Do not use user input to define the Access-Control-Allow-Origin header without validation. This practice can inadvertently grant access to sensitive information.
```
header("Access-Control-Allow-Origin: {$_GET['untrusted']}", true); // unsafe
```

Do validate user input if it must be used to set the Access-Control-Allow-Origin header. Ensure that only trusted origins are allowed by implementing a safelist of approved origins.

  $allowedOrigins = ['http://www.example.com', 'https://www.secure.example.com'];

  $origin = $_GET['someParam'];

  if (in_array($origin, $allowedOrigins)) {
    header("Access-Control-Allow-Origin: $origin");
  }

References

OWASP Origin & Access-Control-Allow-Origin

Associated CWE

CWE-346: Origin Validation Error

OWASP Top 10

A07:2021 - Identification and Authentication Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_insecure_allow_origin

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_insecure_allow_origin