|
private String secret; |
|
|
|
@CrossOrigin(origins = "*") |
|
@RequestMapping(value = "/comments", method = RequestMethod.GET, produces = "application/json") |
|
List<Comment> comments(@RequestHeader(value="x-auth-token") String token) { |
|
User.assertAuth(secret, token); |
|
return Comment.fetch_all(); |
|
} |
|
|
|
@CrossOrigin(origins = "*") |
|
@RequestMapping(value = "/comments", method = RequestMethod.POST, produces = "application/json", consumes = "application/json") |
Filename: CommentsController.java
Line: 19
CWE: 942 (Permissive Cross-domain Policy with Untrusted Domains ('Authorization Issues'))
Cross-origin resource sharing (CORS) is a technique implemented by modern browsers to relax principles of same-origin policy, so that legitimate sites with different origins can interact with each other. Spring provides this support via @crossorigin annotation. Not restricting access to web resources (@crossorigin("*")), opens it up for attackers to inadvertently access restricted resources. An application should always check the origin of a request to be coming from a trusted source, before serving it. Please restrict the allowed domains which can access this resource References: CWE CORS support in Spring Framework REST Security Cheat Sheet at OWASP /nDon't know how to fix this? Don't know why this was reported?
Get Assistance from Veracode
vulnado//src/main/java/com/scalesec/vulnado/CommentsController.java
Lines 14 to 24 in b790dcd
Filename: CommentsController.java
Line: 19
CWE: 942 (Permissive Cross-domain Policy with Untrusted Domains ('Authorization Issues'))
Cross-origin resource sharing (CORS) is a technique implemented by modern browsers to relax principles of same-origin policy, so that legitimate sites with different origins can interact with each other. Spring provides this support via @crossorigin annotation. Not restricting access to web resources (@crossorigin("*")), opens it up for attackers to inadvertently access restricted resources. An application should always check the origin of a request to be coming from a trusted source, before serving it. Please restrict the allowed domains which can access this resource References: CWE CORS support in Spring Framework REST Security Cheat Sheet at OWASP /nDon't know how to fix this? Don't know why this was reported?
Get Assistance from Veracode