added owasp-api8-2023-define-cors-origin

stoplightio · Feb 5, 2024 · 32f93a4 · 32f93a4
1 parent 7bf6508
commit 32f93a4
Show file tree

Hide file tree

Showing 2 changed files with 99 additions and 1 deletion.
diff --git a/__tests__/owasp-api8-2023-define-cors-origin.test.ts b/__tests__/owasp-api8-2023-define-cors-origin.test.ts
@@ -0,0 +1,83 @@
+import { DiagnosticSeverity } from "@stoplight/types";
+import testRule from "./__helpers__/helper";
+
+testRule("owasp:api8:2023-define-cors-origin", [
+  {
+    name: "valid case",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0", contact: {} },
+      paths: {
+        "/": {
+          get: {
+            responses: {
+              "200": {
+                description: "ok",
+                headers: {
+                  "Access-Control-Allow-Origin": {
+                    schema: {
+                      type: "string",
+                      examples: ["*"],
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+    errors: [],
+  },
+
+  {
+    name: "invalid case",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0", contact: {} },
+      paths: {
+        "/a": {
+          get: {
+            responses: {
+              "200": {
+                description: "ok",
+                headers: {
+                  "Some-Other-Headers": {
+                    schema: {
+                      type: "string",
+                      examples: ["*"],
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+        "/b": {
+          get: {
+            responses: {
+              "200": {
+                description: "ok",
+                headers: {},
+              },
+            },
+          },
+        },
+      },
+    },
+    errors: [
+      {
+        message:
+          "Header `headers.Access-Control-Allow-Origin` should be defined on all responses.",
+        path: ["paths", "/a", "get", "responses", "200", "headers"],
+        severity: DiagnosticSeverity.Error,
+      },
+      {
+        message:
+          "Header `headers.Access-Control-Allow-Origin` should be defined on all responses.",
+        path: ["paths", "/b", "get", "responses", "200", "headers"],
+        severity: DiagnosticSeverity.Error,
+      },
+    ],
+  },
+]);
diff --git a/src/ruleset.ts b/src/ruleset.ts
@@ -732,14 +732,29 @@ export default {
      * - ❌ Unhardened images
      * - ✅ Missing, outdated, or misconfigured TLS
      * - ❌ Exposed storage or server management panels
-     * - 🟠 Missing CORS policy or security headers
+     * - ✅ Missing CORS policy or security headers
      * https://github.com/stoplightio/spectral-owasp-ruleset/issues/5
      * - 🟠 Error messages with stack traces
      * https://github.com/stoplightio/spectral-owasp-ruleset/issues/12
      * - ❌ Unnecessary features enabled
      *
      */
 
+    /**
+     * @author: Phil Sturgeon (https://github.com/philsturgeon)
+     */
+    "owasp:api8:2023-define-cors-origin": {
+      message: "Header `{{property}}` should be defined on all responses.",
+      description:
+        'Setting up CORS headers will control which websites can make browser-based HTTP requests to your API, using either the wildcard "*" to allow any origin, or "null" to disable any origin. Alternatively you can use "Access-Control-Allow-Origin: https://example.com" to indicate that only requests originating from the specified domain (https://example.com) are allowed to access its resources.\n\nMore about CORS here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS.',
+      given: "$..headers",
+      then: {
+        field: "Access-Control-Allow-Origin",
+        function: truthy,
+      },
+      severity: DiagnosticSeverity.Error,
+    },
+
     /**
      * @author: Andrzej <https://github.com/jerzyn>
      */