Python Wsgiref Uncontrolled Cors Origin
Description
Detects insecure Cross-Origin Resource Sharing (CORS) configuration in Python applications using the wsgiref library. The vulnerability occurs when the application sets CORS headers with overly permissive values or accepts all origins without proper validation, which could allow malicious websites to make unauthorized requests to the application.
Detection Strategy
• Checks if the wsgiref library is imported in the Python codebase
• Identifies calls to header manipulation methods (like add_header) that set CORS-related headers
• Detects direct assignments to CORS headers with insecure values
• Reports a vulnerability when CORS headers are set without proper origin validation or use overly permissive values
Vulnerable code example
from wsgiref.headers import Headers
from urllib.parse import parse_qs
def vulnerable_app(environ, start_response):
# Get user-controlled input from query string
query_params = parse_qs(environ.get('QUERY_STRING', ''))
origin = query_params.get('origin', [''])[0]
...✅ Secure code example
from wsgiref.headers import Headers
from urllib.parse import parse_qs
# Define allowlist of trusted origins
TRUSTED_ORIGINS = ['https://trusted.com', 'https://partner.com']
def secure_app(environ, start_response):
# Get user-controlled input from query string...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.