
Permissive Cross-domain Policy with Untrusted Domains ('Authorization Issues') [VID:13] #28

@veracode-workflow-app-preprod

Description

```java
// Excerpt from CommentsController.java as reported by the scanner (the enclosing
// class, its imports and the body of deleteComment are not part of the excerpt).
// Both handlers accept cross-origin requests from ANY origin.
@CrossOrigin(origins = "*")   // flagged: wildcard origin
@RequestMapping(value = "/comments", method = RequestMethod.POST, produces = "application/json", consumes = "application/json")
Comment createComment(@RequestHeader(value = "x-auth-token") String token, @RequestBody CommentRequest input) {
    return Comment.create(input.username, input.body);
}

@CrossOrigin(origins = "*")   // flagged: wildcard origin
@RequestMapping(value = "/comments/{id}", method = RequestMethod.DELETE, produces = "application/json")
Boolean deleteComment(@RequestHeader(value = "x-auth-token") String token, @PathVariable("id") String id) {
    // ... body not shown in the excerpt
}
```

Filename: CommentsController.java

Line: 26

CWE: 942 (Permissive Cross-domain Policy with Untrusted Domains ('Authorization Issues'))

Cross-origin resource sharing (CORS) is a technique implemented by modern browsers to relax the same-origin policy so that legitimate sites with different origins can interact with each other. Spring provides this support via the @CrossOrigin annotation. Not restricting access to a web resource (@CrossOrigin(origins = "*")) allows any origin, including attacker-controlled sites, to make cross-origin requests to restricted resources. An application should always check that the origin of a request is a trusted source before serving it. Please restrict the allowed domains which can access this resource.

References:
CWE-942
CORS support in Spring Framework
REST Security Cheat Sheet at OWASP

Don't know how to fix this? Don't know why this was reported? Get Assistance from Veracode
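The hardened form of this configuration, as an added example that is not the repository's code or Veracode's remediation guidance: the trusted origin (https://app.example.com), the CorsConfig class name and the /comments/** path pattern are assumptions; substitute the origin of the real first-party front end. It replaces the wildcard with an explicit allow-list held in one place, keeps the preflight surface down to the headers and methods the comments API actually uses, and exercises Spring's own origin decision logic (CorsConfiguration.checkOrigin) without a servlet container so the difference between "*" and an allow-list can be seen directly.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Added example, not the project's code. The allowed origin, class name and
// path pattern are assumptions; use the origin of the real front end.
@Configuration
class CorsConfig {

    // Explicit allow-list of origins: scheme + host (+ port), no path, no trailing slash.
    static final List<String> TRUSTED_ORIGINS = List.of("https://app.example.com");

    static CorsConfiguration commentsCorsConfiguration() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(TRUSTED_ORIGINS);                   // never "*" on an authenticated resource
        cfg.setAllowedMethods(List.of("POST", "DELETE"));          // only what /comments actually serves
        cfg.setAllowedHeaders(List.of("Content-Type", "x-auth-token"));
        cfg.setAllowCredentials(false);                            // token travels in a header, cookies not needed
        cfg.setMaxAge(3600L);                                      // let browsers cache the preflight for an hour
        // Spring 5.3+ refuses allowedOrigins "*" combined with allowCredentials=true.
        // Calling the check here fails fast at startup instead of on the first preflight.
        cfg.validateAllowCredentials();
        return cfg;
    }

    // Bean shape that Spring Security's cors() picks up by name; plain Spring MVC
    // applications can register the same values via WebMvcConfigurer#addCorsMappings.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/comments/**", commentsCorsConfiguration());
        return source;
    }

    // Value Spring would emit in Access-Control-Allow-Origin for a request carrying
    // the given Origin header, or null when the cross-origin request must be rejected.
    static String allowOriginHeaderFor(CorsConfiguration cfg, String requestOrigin) {
        return cfg.checkOrigin(requestOrigin);
    }

    // Stand-alone check of the decision logic; no servlet container required.
    public static void main(String[] args) {
        CorsConfiguration hardened = commentsCorsConfiguration();

        CorsConfiguration wildcard = new CorsConfiguration();
        wildcard.setAllowedOrigins(List.of("*"));                 // the flagged setting from the finding

        String[] origins = {"https://app.example.com", "https://evil.example"};
        for (String origin : origins) {
            System.out.println("hardened  Origin=" + origin + " -> " + allowOriginHeaderFor(hardened, origin));
            System.out.println("wildcard  Origin=" + origin + " -> " + allowOriginHeaderFor(wildcard, origin));
        }
    }
}
```

checkOrigin returns the request's origin when it is on the allow-list, null when it is not, and the literal "*" when the wildcard is configured, which is exactly the header the browser then honours for every site. The minimal in-place fix is to keep the per-handler annotation but name the trusted origin, @CrossOrigin(origins = "https://app.example.com"); the global bean is preferable because the allow-list lives in one place and cannot drift between handlers. If both are present Spring combines them, so "*" must not reappear in either. One caveat on impact: because this API carries its token in the custom x-auth-token header rather than a cookie, the browser never attaches the victim's credential on its own, so a wildcard here does not by itself let a third-party page act as a logged-in user. It still exposes the endpoint to any origin that obtains a token, and it is the wildcard-plus-credentials combination that a later change could introduce, which is why the allow-list belongs in the configuration now.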

Labels: Veracode Policy Scan (a Veracode flaw found during a Policy or Sandbox scan); VeracodeFlaw: Medium (a Veracode flaw of Medium severity)