Use config.getCorsConfiguration().getOrigin())

maikypedia · erik-krogh · web-flow · commit 191766a47bf1 · 2023-12-18T12:38:39.000+01:00
Co-authored-by: Erik Krogh Kristensen &lt;erik-krogh@github.com&gt;
diff --git a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationCustomizations.qll b/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationCustomizations.qll
@@ -68,6 +68,8 @@ module CorsPermissiveConfiguration {
    * The value of cors origin when initializing the application.
    */
   class ExpressCors extends Sink, DataFlow::ValueNode {
-    ExpressCors() { exists(Express::CorsConfiguration config | this = config.getOrigin()) }
+    ExpressCors() {
+      exists(Express::CorsConfiguration config | this = config.getCorsConfiguration().getOrigin())
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,8 @@ module CorsPermissiveConfiguration {`
`68`	`68`	`* The value of cors origin when initializing the application.`
`69`	`69`	`*/`
`70`	`70`	`class ExpressCors extends Sink, DataFlow::ValueNode {`
`71`		`- ExpressCors() { exists(Express::CorsConfiguration config \| this = config.getOrigin()) }`
	`71`	`+ ExpressCors() {`
	`72`	`+ exists(Express::CorsConfiguration config \| this = config.getCorsConfiguration().getOrigin())`
	`73`	`+ }`
`72`	`74`	`}`
`73`	`75`	`}`