Add G121 analyzer for unsafe CORS bypass patterns in CrossOriginProtection (#1521)

* Add G121 analyzer for unsafe CORS bypass patterns in CrossOriginProtection

Adds new SSA-only analyzer G121 to detect unsafe usage of
AddInsecureBypassPattern in net/http.CrossOriginProtection.
Flags:
overbroad static bypass patterns (for example /, /*, empty/wildcard-like
values),
request-derived dynamic bypass patterns.
Wires G121 into default analyzer registration, analyzer test suite, CWE
mapping (CWE-346), README rule list, and dedicated sample fixtures.
Includes a narrow lint suppression for a G101 false positive in analyzer
message constants.
Validation: analyzer tests pass and golangci-lint reports 0 issues.

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>

* Ignore false positive warnings

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>

---------

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>

Author: ccojocar

README.md

@@ -199,6 +199,7 @@ directory you can supply `./...` as the input argument.
 - G118: Context propagation failure leading to goroutine/resource leaks
 - G119: Unsafe redirect policy may propagate sensitive headers
 - G120: Unbounded form parsing in HTTP handlers can cause memory exhaustion
+- G121: Unsafe CrossOriginProtection bypass patterns
 - G201: SQL query construction using format string
 - G202: SQL query construction using string concatenation
 - G203: Use of unescaped data in HTML templates

analyzers/analyzers_test.go

@@ -71,6 +71,10 @@ var _ = Describe("gosec analyzers", func() {
 			runner("G120", testutils.SampleCodeG120)
 		})
 
+		It("should detect unsafe CORS bypass patterns", func() {
+			runner("G121", testutils.SampleCodeG121)
+		})
+
 		It("should detect hardcoded nonce/IV", func() {
 			runner("G407", testutils.SampleCodeG407)
 		})

analyzers/analyzerslist.go

@@ -118,6 +118,7 @@ var defaultAnalyzers = []AnalyzerDefinition{
 	{"G118", "Context propagation failure leading to goroutine/resource leaks", newContextPropagationAnalyzer},
 	{"G119", "Unsafe redirect policy may propagate sensitive headers", newRedirectHeaderPropagationAnalyzer},
 	{"G120", "Unbounded form parsing in HTTP handlers can cause memory exhaustion", newFormParsingLimitAnalyzer},
+	{"G121", "Unsafe CrossOriginProtection bypass patterns", newCORSBypassPatternAnalyzer},
 	{"G602", "Possible slice bounds out of range", newSliceBoundsAnalyzer},
 	{"G407", "Use of hardcoded IV/nonce for encryption", newHardCodedNonce},
 	{"G408", "Stateful misuse of ssh.PublicKeyCallback leading to auth bypass", newSSHCallbackAnalyzer},

analyzers/cors_bypass_pattern.go

@@ -0,0 +1,206 @@
+// (c) Copyright gosec's authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package analyzers
+
+import (
+	"go/token"
+	"go/types"
+	"strings"
+
+	"golang.org/x/tools/go/analysis"
+	"golang.org/x/tools/go/analysis/passes/buildssa"
+	"golang.org/x/tools/go/ssa"
+
+	"github.com/securego/gosec/v2/internal/ssautil"
+	"github.com/securego/gosec/v2/issue"
+)
+
+const (
+	msgOverbroadBypassPattern = "Overbroad AddInsecureBypassPattern disables cross-origin protections for too many paths"                  // #nosec G101 -- Message string includes API name, not credentials.
+	msgRequestBypassPattern   = "AddInsecureBypassPattern argument derived from request data can allow bypass of cross-origin protections" // #nosec G101 -- Message string includes API name, not credentials.
+)
+
+func newCORSBypassPatternAnalyzer(id string, description string) *analysis.Analyzer {
+	return &analysis.Analyzer{
+		Name:     id,
+		Doc:      description,
+		Run:      runCORSBypassPatternAnalysis,
+		Requires: []*analysis.Analyzer{buildssa.Analyzer},
+	}
+}
+
+func runCORSBypassPatternAnalysis(pass *analysis.Pass) (any, error) {
+	ssaResult, err := ssautil.GetSSAResult(pass)
+	if err != nil {
+		return nil, err
+	}
+
+	issuesByPos := make(map[token.Pos]*issue.Issue)
+
+	for _, fn := range collectAnalyzerFunctions(ssaResult.SSA.SrcFuncs) {
+		requestParam := findHTTPRequestParam(fn)
+
+		for _, block := range fn.Blocks {
+			for _, instr := range block.Instrs {
+				callInstr, ok := instr.(ssa.CallInstruction)
+				if !ok {
+					continue
+				}
+
+				common := callInstr.Common()
+				if common == nil {
+					continue
+				}
+
+				if !isAddInsecureBypassPatternCall(common) {
+					continue
+				}
+
+				if len(common.Args) < 2 {
+					continue
+				}
+
+				patternArg := common.Args[1]
+				if pattern, ok := extractStringValue(patternArg, 0); ok {
+					if isOverbroadBypassPattern(pattern) {
+						addG121Issue(issuesByPos, pass, instr.Pos(), msgOverbroadBypassPattern, issue.High, issue.High)
+					}
+					continue
+				}
+
+				if requestParam != nil && valueDependsOn(patternArg, requestParam, 0) {
+					addG121Issue(issuesByPos, pass, instr.Pos(), msgRequestBypassPattern, issue.High, issue.Medium)
+				}
+			}
+		}
+	}
+
+	if len(issuesByPos) == 0 {
+		return nil, nil
+	}
+
+	issues := make([]*issue.Issue, 0, len(issuesByPos))
+	for _, i := range issuesByPos {
+		issues = append(issues, i)
+	}
+
+	return issues, nil
+}
+
+func addG121Issue(issues map[token.Pos]*issue.Issue, pass *analysis.Pass, pos token.Pos, what string, severity issue.Score, confidence issue.Score) {
+	if pos == token.NoPos {
+		return
+	}
+	if _, exists := issues[pos]; exists {
+		return
+	}
+	issues[pos] = newIssue(pass.Analyzer.Name, what, pass.Fset, pos, severity, confidence)
+}
+
+func findHTTPRequestParam(fn *ssa.Function) *ssa.Parameter {
+	if fn == nil {
+		return nil
+	}
+	for _, param := range fn.Params {
+		if param == nil {
+			continue
+		}
+		if isHTTPRequestPointerType(param.Type()) {
+			return param
+		}
+	}
+	return nil
+}
+
+func isAddInsecureBypassPatternCall(call *ssa.CallCommon) bool {
+	callee := call.StaticCallee()
+	if callee == nil || callee.Name() != "AddInsecureBypassPattern" {
+		return false
+	}
+
+	sig := callee.Signature
+	if sig == nil || sig.Recv() == nil {
+		return false
+	}
+
+	return isCrossOriginProtectionType(sig.Recv().Type())
+}
+
+func isCrossOriginProtectionType(t types.Type) bool {
+	if ptr, ok := t.(*types.Pointer); ok {
+		t = ptr.Elem()
+	}
+
+	named, ok := t.(*types.Named)
+	if !ok {
+		return false
+	}
+	obj := named.Obj()
+	if obj == nil || obj.Name() != "CrossOriginProtection" {
+		return false
+	}
+	pkg := obj.Pkg()
+	return pkg != nil && pkg.Path() == "net/http"
+}
+
+func extractStringValue(v ssa.Value, depth int) (string, bool) {
+	if v == nil || depth > MaxDepth {
+		return "", false
+	}
+
+	if value := extractStringConst(v); value != "" {
+		return value, true
+	}
+
+	switch x := v.(type) {
+	case *ssa.ChangeType:
+		return extractStringValue(x.X, depth+1)
+	case *ssa.MakeInterface:
+		return extractStringValue(x.X, depth+1)
+	case *ssa.TypeAssert:
+		return extractStringValue(x.X, depth+1)
+	case *ssa.Phi:
+		if len(x.Edges) == 0 {
+			return "", false
+		}
+		var candidate string
+		for _, edge := range x.Edges {
+			val, ok := extractStringValue(edge, depth+1)
+			if !ok {
+				return "", false
+			}
+			if candidate == "" {
+				candidate = val
+				continue
+			}
+			if candidate != val {
+				return "", false
+			}
+		}
+		return candidate, true
+	}
+
+	return "", false
+}
+
+func isOverbroadBypassPattern(pattern string) bool {
+	normalized := strings.TrimSpace(pattern)
+	switch normalized {
+	case "", "/", "*", "/*", "/**", ".*", "/.*":
+		return true
+	default:
+		return false
+	}
+}

issue/issue.go

@@ -72,6 +72,7 @@ var ruleToCWE = map[string]string{
 	"G118": "400",
 	"G119": "200",
 	"G120": "400",
+	"G121": "346",
 	"G201": "89",
 	"G202": "89",
 	"G203": "79",

testutils/g121_samples.go

@@ -0,0 +1,69 @@
+package testutils
+
+import "github.com/securego/gosec/v2"
+
+// SampleCodeG121 - Unsafe CORS bypass patterns via CrossOriginProtection
+var SampleCodeG121 = []CodeSample{
+	// Vulnerable: overbroad root bypass
+	{[]string{`
+package main
+
+import "net/http"
+
+func setup() {
+	var cop http.CrossOriginProtection
+	cop.AddInsecureBypassPattern("/")
+}
+`}, 1, gosec.NewConfig()},
+
+	// Vulnerable: overbroad wildcard bypass
+	{[]string{`
+package main
+
+import "net/http"
+
+func setup() {
+	var cop http.CrossOriginProtection
+	cop.AddInsecureBypassPattern("/*")
+}
+`}, 1, gosec.NewConfig()},
+
+	// Vulnerable: user-controlled bypass pattern from request data
+	{[]string{`
+package main
+
+import "net/http"
+
+func handler(w http.ResponseWriter, r *http.Request) {
+	_ = w
+	var cop http.CrossOriginProtection
+	pattern := r.URL.Query().Get("bypass")
+	cop.AddInsecureBypassPattern(pattern)
+}
+`}, 1, gosec.NewConfig()},
+
+	// Safe: narrow static bypass
+	{[]string{`
+package main
+
+import "net/http"
+
+func setup() {
+	var cop http.CrossOriginProtection
+	cop.AddInsecureBypassPattern("/healthz")
+}
+`}, 0, gosec.NewConfig()},
+
+	// Safe: multiple narrow static bypasses
+	{[]string{`
+package main
+
+import "net/http"
+
+func setup() {
+	var cop http.CrossOriginProtection
+	cop.AddInsecureBypassPattern("/status")
+	cop.AddInsecureBypassPattern("/metrics")
+}
+`}, 0, gosec.NewConfig()},
+}