From d86fe71fa62023fc37d4535c6b3929ad9c3d95af Mon Sep 17 00:00:00 2001
From: GeekMasher <geekmasher@gmail.com>
Date: Wed, 11 Jun 2025 16:05:52 +0100
Subject: [PATCH 1/2] feat(queries): Add CORS queries

---
 .../CWE-942/InsecureCorsAllHeaders.ql         |  0
 .../CWE-942/InsecureCorsAllMethods.ql         |  0
 .../InsecureCorsAllowCredentialsWildcard.ql   |  0
 .../CWE-942/InsecureCorsWildcardOrigin.ql     |  0
 .../CWE-942/InsecureCorsAllHeaders.expected   |  1 +
 .../CWE-942/InsecureCorsAllHeaders.qlref      |  1 +
 .../CWE-942/InsecureCorsAllMethods.expected   |  0
 .../CWE-942/InsecureCorsAllMethods.qlref      |  1 +
 ...ecureCorsAllowCredentialsWildcard.expected |  0
 ...InsecureCorsAllowCredentialsWildcard.qlref |  1 +
 .../InsecureCorsWildcardOrigin.expected       |  2 +
 .../CWE-942/InsecureCorsWildcardOrigin.qlref  |  1 +
 .../queries-tests/security/CWE-942/app.bicep  | 55 +++++++++++++++++++
 13 files changed, 62 insertions(+)
 create mode 100644 ql/queries/security/CWE-942/InsecureCorsAllHeaders.ql
 create mode 100644 ql/queries/security/CWE-942/InsecureCorsAllMethods.ql
 create mode 100644 ql/queries/security/CWE-942/InsecureCorsAllowCredentialsWildcard.ql
 create mode 100644 ql/queries/security/CWE-942/InsecureCorsWildcardOrigin.ql
 create mode 100644 ql/test/queries-tests/security/CWE-942/InsecureCorsAllHeaders.expected
 create mode 100644 ql/test/queries-tests/security/CWE-942/InsecureCorsAllHeaders.qlref
 create mode 100644 ql/test/queries-tests/security/CWE-942/InsecureCorsAllMethods.expected
 create mode 100644 ql/test/queries-tests/security/CWE-942/InsecureCorsAllMethods.qlref
 create mode 100644 ql/test/queries-tests/security/CWE-942/InsecureCorsAllowCredentialsWildcard.expected
 create mode 100644 ql/test/queries-tests/security/CWE-942/InsecureCorsAllowCredentialsWildcard.qlref
 create mode 100644 ql/test/queries-tests/security/CWE-942/InsecureCorsWildcardOrigin.expected
 create mode 100644 ql/test/queries-tests/security/CWE-942/InsecureCorsWildcardOrigin.qlref
 create mode 100644 ql/test/queries-tests/security/CWE-942/app.bicep

diff --git a/ql/queries/security/CWE-942/InsecureCorsAllHeaders.ql b/ql/queries/security/CWE-942/InsecureCorsAllHeaders.ql
new file mode 100644
index 0000000..e69de29
diff --git a/ql/queries/security/CWE-942/InsecureCorsAllMethods.ql b/ql/queries/security/CWE-942/InsecureCorsAllMethods.ql
new file mode 100644
index 0000000..e69de29
diff --git a/ql/queries/security/CWE-942/InsecureCorsAllowCredentialsWildcard.ql b/ql/queries/security/CWE-942/InsecureCorsAllowCredentialsWildcard.ql
new file mode 100644
index 0000000..e69de29
diff --git a/ql/queries/security/CWE-942/InsecureCorsWildcardOrigin.ql b/ql/queries/security/CWE-942/InsecureCorsWildcardOrigin.ql
new file mode 100644
index 0000000..e69de29
diff --git a/ql/test/queries-tests/security/CWE-942/InsecureCorsAllHeaders.expected b/ql/test/queries-tests/security/CWE-942/InsecureCorsAllHeaders.expected
new file mode 100644
index 0000000..c01a5f2
--- /dev/null
+++ b/ql/test/queries-tests/security/CWE-942/InsecureCorsAllHeaders.expected
@@ -0,0 +1 @@
+| app.bicep:42:27:42:33 | Array | CORS policy allows all headers ("*"), which can increase attack surface. |
diff --git a/ql/test/queries-tests/security/CWE-942/InsecureCorsAllHeaders.qlref b/ql/test/queries-tests/security/CWE-942/InsecureCorsAllHeaders.qlref
new file mode 100644
index 0000000..a02f48b
--- /dev/null
+++ b/ql/test/queries-tests/security/CWE-942/InsecureCorsAllHeaders.qlref
@@ -0,0 +1 @@
+security/CWE-942/InsecureCorsAllHeaders.ql
\ No newline at end of file
diff --git a/ql/test/queries-tests/security/CWE-942/InsecureCorsAllMethods.expected b/ql/test/queries-tests/security/CWE-942/InsecureCorsAllMethods.expected
new file mode 100644
index 0000000..e69de29
diff --git a/ql/test/queries-tests/security/CWE-942/InsecureCorsAllMethods.qlref b/ql/test/queries-tests/security/CWE-942/InsecureCorsAllMethods.qlref
new file mode 100644
index 0000000..86183c0
--- /dev/null
+++ b/ql/test/queries-tests/security/CWE-942/InsecureCorsAllMethods.qlref
@@ -0,0 +1 @@
+security/CWE-942/InsecureCorsAllMethods.ql
\ No newline at end of file
diff --git a/ql/test/queries-tests/security/CWE-942/InsecureCorsAllowCredentialsWildcard.expected b/ql/test/queries-tests/security/CWE-942/InsecureCorsAllowCredentialsWildcard.expected
new file mode 100644
index 0000000..e69de29
diff --git a/ql/test/queries-tests/security/CWE-942/InsecureCorsAllowCredentialsWildcard.qlref b/ql/test/queries-tests/security/CWE-942/InsecureCorsAllowCredentialsWildcard.qlref
new file mode 100644
index 0000000..f370881
--- /dev/null
+++ b/ql/test/queries-tests/security/CWE-942/InsecureCorsAllowCredentialsWildcard.qlref
@@ -0,0 +1 @@
+security/CWE-942/InsecureCorsAllowCredentialsWildcard.ql
\ No newline at end of file
diff --git a/ql/test/queries-tests/security/CWE-942/InsecureCorsWildcardOrigin.expected b/ql/test/queries-tests/security/CWE-942/InsecureCorsWildcardOrigin.expected
new file mode 100644
index 0000000..a2edafb
--- /dev/null
+++ b/ql/test/queries-tests/security/CWE-942/InsecureCorsWildcardOrigin.expected
@@ -0,0 +1,2 @@
+| app.bicep:2:1:27:1 | ContainerResource | CORS policy allows any origin ("*"), which is insecure for sensitive APIs. |
+| app.bicep:30:1:55:1 | ContainerResource | CORS policy allows any origin ("*"), which is insecure for sensitive APIs. |
diff --git a/ql/test/queries-tests/security/CWE-942/InsecureCorsWildcardOrigin.qlref b/ql/test/queries-tests/security/CWE-942/InsecureCorsWildcardOrigin.qlref
new file mode 100644
index 0000000..7b5b89b
--- /dev/null
+++ b/ql/test/queries-tests/security/CWE-942/InsecureCorsWildcardOrigin.qlref
@@ -0,0 +1 @@
+security/CWE-942/InsecureCorsWildcardOrigin.ql
\ No newline at end of file
diff --git a/ql/test/queries-tests/security/CWE-942/app.bicep b/ql/test/queries-tests/security/CWE-942/app.bicep
new file mode 100644
index 0000000..b69d4cf
--- /dev/null
+++ b/ql/test/queries-tests/security/CWE-942/app.bicep
@@ -0,0 +1,55 @@
+// Secure CORS example: only specific headers allowed
+resource secureContainerApp 'Microsoft.App/containerApps@2022-03-01' = {
+  name: 'secure-container-app'
+  location: 'eastus'
+  properties: {
+    managedEnvironmentId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.App/managedEnvironments/my-env'
+    configuration: {
+      ingress: {
+        external: true
+        targetPort: 80
+        corsPolicy: {
+          allowCredentials: false
+          allowedOrigins: [ 'https://example.com' ]
+          allowedHeaders: [ 'Authorization', 'Content-Type' ]
+        }
+      }
+    }
+    template: {
+      containers: [
+        {
+          name: 'app'
+          image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
+        }
+      ]
+    }
+  }
+}
+
+// Insecure CORS example: all headers allowed (should be flagged)
+resource insecureContainerApp 'Microsoft.App/containerApps@2022-03-01' = {
+  name: 'insecure-container-app'
+  location: 'eastus'
+  properties: {
+    managedEnvironmentId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.App/managedEnvironments/my-env'
+    configuration: {
+      ingress: {
+        external: true
+        targetPort: 80
+        corsPolicy: {
+          allowCredentials: false
+          allowedOrigins: [ '*' ]
+          allowedHeaders: [ '*' ]
+        }
+      }
+    }
+    template: {
+      containers: [
+        {
+          name: 'app'
+          image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
+        }
+      ]
+    }
+  }
+}

From 17e8b817cdf3362e1bfb4c6daacb1f87427bed49 Mon Sep 17 00:00:00 2001
From: GeekMasher <geekmasher@gmail.com>
Date: Wed, 11 Jun 2025 16:08:09 +0100
Subject: [PATCH 2/2] feat(queries): Add CORS Security Queries

---
 .../CWE-942/InsecureCorsAllHeaders.ql         | 22 +++++++++++++++++++
 .../CWE-942/InsecureCorsAllMethods.ql         | 17 ++++++++++++++
 .../InsecureCorsAllowCredentialsWildcard.ql   | 20 +++++++++++++++++
 .../CWE-942/InsecureCorsWildcardOrigin.ql     | 21 ++++++++++++++++++
 4 files changed, 80 insertions(+)
 create mode 100644 ql/src/security/CWE-942/InsecureCorsAllHeaders.ql
 create mode 100644 ql/src/security/CWE-942/InsecureCorsAllMethods.ql
 create mode 100644 ql/src/security/CWE-942/InsecureCorsAllowCredentialsWildcard.ql
 create mode 100644 ql/src/security/CWE-942/InsecureCorsWildcardOrigin.ql

diff --git a/ql/src/security/CWE-942/InsecureCorsAllHeaders.ql b/ql/src/security/CWE-942/InsecureCorsAllHeaders.ql
new file mode 100644
index 0000000..10c2a14
--- /dev/null
+++ b/ql/src/security/CWE-942/InsecureCorsAllHeaders.ql
@@ -0,0 +1,22 @@
+/**
+ * @name Insecure CORS: All Headers Allowed
+ * @description Flags CORS policies that allow all headers ("*"), which can increase attack surface.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 4.0
+ * @precision high
+ * @id bicep/insecure-cors-all-headers
+ * @tags security
+ *       bicep
+ */
+
+import bicep
+
+from Network::CorsPolicy cors, Containers::ContainerResource resource
+where
+  resource.getCorsPolicy() = cors and
+  exists(Array headers | headers = cors.getAllowedHeaders() |
+    exists(StringLiteral header | header = headers.getElements() | header.getValue() = "*")
+  )
+select cors.getAllowedHeaders(),
+  "CORS policy allows all headers (\"*\"), which can increase attack surface."
diff --git a/ql/src/security/CWE-942/InsecureCorsAllMethods.ql b/ql/src/security/CWE-942/InsecureCorsAllMethods.ql
new file mode 100644
index 0000000..7f685b3
--- /dev/null
+++ b/ql/src/security/CWE-942/InsecureCorsAllMethods.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Insecure CORS: All Methods Allowed
+ * @description Flags CORS policies that allow all HTTP methods ("*") which can expose APIs to abuse.
+ * @kind problem
+ * @problem.severity warning
+ * @id bicep/insecure-cors-all-methods
+ */
+
+import bicep
+
+from Network::CorsPolicy cors, Network::Ingress ingress, Resource resource
+where
+  ingress.getCorsPolicy() = cors and
+  exists(Array methods | methods = cors.getAllowedMethods() |
+    exists(StringLiteral method | method = methods.getElements() | method.getValue() = "*")
+  )
+select resource, "CORS policy allows all HTTP methods (\"*\"), which can expose APIs to abuse."
diff --git a/ql/src/security/CWE-942/InsecureCorsAllowCredentialsWildcard.ql b/ql/src/security/CWE-942/InsecureCorsAllowCredentialsWildcard.ql
new file mode 100644
index 0000000..3966598
--- /dev/null
+++ b/ql/src/security/CWE-942/InsecureCorsAllowCredentialsWildcard.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Insecure CORS: AllowCredentials with Wildcard Origin
+ * @description Flags CORS policies that allow credentials with a wildcard origin, which is insecure.
+ * @kind problem
+ * @problem.severity error
+ * @id bicep/insecure-cors-allowcredentials-wildcard
+ */
+import bicep
+
+from
+  Network::CorsPolicy cors,
+  Network::Ingress ingress,
+  Resource resource
+where
+  ingress.getCorsPolicy() = cors and
+  cors.allowCredentials() = true and
+  exists(Array origins | origins = cors.getAllowedOrigins() |
+    exists(StringLiteral origin | origin = origins.getElements() | origin.getValue() = "*" )
+  )
+select resource, "CORS policy allows credentials with a wildcard origin, which is insecure."
diff --git a/ql/src/security/CWE-942/InsecureCorsWildcardOrigin.ql b/ql/src/security/CWE-942/InsecureCorsWildcardOrigin.ql
new file mode 100644
index 0000000..98cae04
--- /dev/null
+++ b/ql/src/security/CWE-942/InsecureCorsWildcardOrigin.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Insecure CORS: Wildcard Origin
+ * @description Flags CORS policies that allow any origin ("*"), which is insecure for sensitive APIs.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 4.0
+ * @precision high
+ * @id bicep/insecure-cors-wildcard-origin
+ * @tags security
+ *       bicep
+ */
+
+import bicep
+
+from Network::CorsPolicy cors, Network::Ingress ingress, Resource resource
+where
+  ingress.getCorsPolicy() = cors and
+  exists(Array origins | origins = cors.getAllowedOrigins() |
+    exists(StringLiteral origin | origin = origins.getElements() | origin.getValue() = "*")
+  )
+select resource, "CORS policy allows any origin (\"*\"), which is insecure for sensitive APIs."