Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedMethods :: Recipe Details

Recipe Name:

Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedMethods

Description:

Allowing unsafe methods puts the application at risk

Level:

warning

Language:

java

Tags:

Spring
security
framework specific
web
Spring Security

Documentation

By using the wildcard "*", or by setting allowedMethods() to use unsafe methods, such as PUT or DELETE, the application could become the target of code injection and/or other attacks. Spring by default only allows GET, HEAD, and POST methods.

Before

registry.allowedMethods("*");

After

registry.allowedMethods();

References

Fortify Taxonomy - HTML5: CORS Unsafe Methods Allowed

Recipe

id: scw:spring:security:cors:CorsRegistry#allowedMethods
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedMethods'
  shortDescription: Allowing unsafe methods puts the application at risk
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidbroadsettingsCorsRegistryallowedMethods.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  methodcall:
    name: allowedMethods
    anyOf:
    - args:
        1:
          value:
            stringified: '*'
    - args:
        1:
          value:
            stringified:
              caseSensitive: false
              matches: PUT|DELETE
    type: org.springframework.web.servlet.config.annotation.CorsRegistration
availableFixes:
- name: Set to allow default simple HTTP methods
  actions:
  - rewrite:
      to: |-
        {{{ qualifier }}}
        .allowedMethods()