SONARPY-3694 CORSMiddleware should be added last in the middleware chain (#820)

GitOrigin-RevId: 2be4ef23b3215f8e308edbec0273c762d87d23d0

Author: thomas-serre-sonarsource

python-checks/src/main/java/org/sonar/python/checks/CorsMiddlewareOrderingCheck.java

@@ -0,0 +1,158 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import java.util.Optional;
+import javax.annotation.Nullable;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.symbols.v2.SymbolV2;
+import org.sonar.plugins.python.api.symbols.v2.UsageV2;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.QualifiedExpression;
+import org.sonar.plugins.python.api.tree.RegularArgument;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatcher;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatchers;
+import org.sonar.python.checks.utils.Expressions;
+import org.sonar.python.tree.TreeUtils;
+
+@Rule(key = "S8414")
+public class CorsMiddlewareOrderingCheck extends PythonSubscriptionCheck {
+
+  private static final String MESSAGE = "Add CORSMiddleware last in the middleware chain.";
+
+  // Stubs are missing entirely for fastapi/starlette.middleware.cors so we match by FQN for add_middleware
+  private static final TypeMatcher ADD_MIDDLEWARE_MATCHER = TypeMatchers.any(
+    TypeMatchers.withFQN("fastapi.applications.FastAPI.add_middleware"),
+    TypeMatchers.withFQN("starlette.applications.Starlette.add_middleware")
+  );
+
+  private static final TypeMatcher CORS_MIDDLEWARE_MATCHER = TypeMatchers.any(
+    TypeMatchers.withFQN("fastapi.middleware.cors.CORSMiddleware"),
+    TypeMatchers.withFQN("starlette.middleware.cors.CORSMiddleware")
+  );
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, CorsMiddlewareOrderingCheck::checkAddMiddlewareCall);
+  }
+
+  private static void checkAddMiddlewareCall(SubscriptionContext ctx) {
+    CallExpression callExpr = (CallExpression) ctx.syntaxNode();
+
+    if (!ADD_MIDDLEWARE_MATCHER.isTrueFor(callExpr.callee(), ctx)) {
+      return;
+    }
+
+    if (!isCorsMiddleware(ctx, callExpr)) {
+      return;
+    }
+
+    SymbolV2 receiverSymbol = extractReceiverSymbol(callExpr).orElse(null);
+    if (receiverSymbol == null) {
+      return;
+    }
+
+    Tree currentEnclosingScope = getScope(callExpr);
+    if (currentEnclosingScope == null) {
+      return;
+    }
+
+    int currentLine = callExpr.firstToken().line();
+
+    if (hasSubsequentMiddlewareAddition(ctx, receiverSymbol, currentLine, currentEnclosingScope)) {
+      ctx.addIssue(callExpr.callee(), MESSAGE);
+    }
+  }
+
+  private static boolean isCorsMiddleware(SubscriptionContext ctx, CallExpression callExpr) {
+    return TreeUtils.nthArgumentOrKeywordOptional(0, "middleware_class", callExpr.arguments())
+      .map(RegularArgument::expression)
+      .map(expr -> {
+        if (CORS_MIDDLEWARE_MATCHER.isTrueFor(expr, ctx)) {
+          return true;
+        }
+        if (expr instanceof Name name) {
+          Expression assignedValue = Expressions.singleAssignedValue(name);
+          return assignedValue != null && CORS_MIDDLEWARE_MATCHER.isTrueFor(assignedValue, ctx);
+        }
+        return false;
+      })
+      .orElse(false);
+  }
+
+  private static boolean isNameContainingCors(@Nullable Expression expr){
+    if(expr == null){
+      return false;
+    }
+    if(!(expr instanceof Name name)) {
+      return  false;
+    }
+    String simpleName = name.name();
+    return simpleName != null && (simpleName.contains("CORS") || simpleName.contains("Cors"));
+  }
+
+  private static boolean hasSubsequentMiddlewareAddition(
+    SubscriptionContext ctx,
+    SymbolV2 receiverSymbol,
+    int currentLine,
+    Tree currentEnclosingScope) {
+
+    return receiverSymbol.usages().stream()
+      .filter(usage -> usage.kind() == UsageV2.Kind.OTHER)
+      .filter(usage -> usage.tree().firstToken().line() > currentLine)
+      .filter(usage -> isSameScope(usage.tree(), currentEnclosingScope))
+      .anyMatch(usage -> isReceiverOfAddMiddleware(usage, ctx));
+  }
+
+  private static boolean isSameScope(Tree usageTree, Tree currentEnclosingScope) {
+    Tree usageEnclosingScope = getScope(usageTree);
+    return usageEnclosingScope == currentEnclosingScope;
+  }
+
+  private static Tree getScope(Tree tree) {
+    return TreeUtils.firstAncestorOfKind(tree, Tree.Kind.FUNCDEF, Tree.Kind.LAMBDA, Tree.Kind.FILE_INPUT);
+  }
+
+  private static boolean isReceiverOfAddMiddleware(UsageV2 usage, SubscriptionContext ctx) {
+    Tree tree = usage.tree();
+
+    Tree parent = tree.parent();
+    if (!(parent instanceof QualifiedExpression qualifiedExpr)) {
+      return false;
+    }
+
+    Tree qualiifiedParent = qualifiedExpr.parent();
+    if (!(qualiifiedParent instanceof CallExpression parentCall)) {
+      return false;
+    }
+
+    return ADD_MIDDLEWARE_MATCHER.isTrueFor(parentCall.callee(), ctx);
+  }
+
+  private static Optional<SymbolV2> extractReceiverSymbol(CallExpression callExpr) {
+    return Optional.ofNullable(callExpr.callee())
+      .flatMap(TreeUtils.toOptionalInstanceOfMapper(QualifiedExpression.class))
+      .map(QualifiedExpression::qualifier)
+      .flatMap(TreeUtils.toOptionalInstanceOfMapper(Name.class))
+      .map(Name::symbolV2);
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -177,6 +177,7 @@ public Stream<Class<?>> getChecks() {
       ConstantValueDictComprehensionCheck.class,
       ControlFlowInTaskGroupCheck.class,
       CorsCheck.class,
+      CorsMiddlewareOrderingCheck.class,
       CsrfDisabledCheck.class,
       DataEncryptionCheck.class,
       DbNoPasswordCheck.class,

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8414.html

@@ -0,0 +1,75 @@
+<p>This is an issue when <code>CORSMiddleware</code> is added to a FastAPI application and then followed by additional middleware using
+<code>add_middleware()</code>.</p>
+<h2>Why is this an issue?</h2>
+<p>In FastAPI, middleware is executed in reverse order of how it’s added to the application. When you call <code>app.add_middleware()</code>, each
+middleware wraps the previous one, forming a stack.</p>
+<p>Think of it like wrapping a gift: the first layer you add becomes the innermost layer, and the last layer you add becomes the outermost layer. When
+processing a request, FastAPI starts from the outermost layer and works its way in.</p>
+<p>CORS (Cross-Origin Resource Sharing) middleware needs to add specific HTTP headers to responses to allow browsers to make cross-origin requests.
+For these headers to be present on all responses - including those modified by other middleware - CORSMiddleware must be the outermost layer.</p>
+<p>If you add other middleware after CORSMiddleware, those middleware will wrap around it and process requests/responses outside of the CORS layer.
+This means:</p>
+<ul>
+  <li> CORS headers may not be added to responses modified by the outer middleware </li>
+  <li> Preflight requests may not be handled correctly </li>
+  <li> Cross-origin requests from browsers will fail </li>
+</ul>
+<h3>What is the potential impact?</h3>
+<p>When CORSMiddleware is not positioned correctly, cross-origin requests from web browsers will fail. This breaks the functionality of web
+applications that need to make API calls from a different domain.</p>
+<p>Users will see errors in their browser console, and features that depend on cross-origin requests will not work. This can affect:</p>
+<ul>
+  <li> Single-page applications (SPAs) hosted on different domains </li>
+  <li> Mobile apps using web views </li>
+  <li> Third-party integrations </li>
+  <li> Development environments where frontend and backend run on different ports </li>
+</ul>
+<h2>How to fix it</h2>
+<p>Move the <code>CORSMiddleware</code> configuration to be the last <code>add_middleware()</code> call in your application setup. Add all other
+middleware before adding CORSMiddleware.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.middleware.gzip import GZipMiddleware
+
+app = FastAPI()
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=["*"],
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+app.add_middleware(GZipMiddleware)  # Noncompliant
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.middleware.gzip import GZipMiddleware
+
+app = FastAPI()
+
+app.add_middleware(GZipMiddleware)
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=["*"],
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> FastAPI CORS Documentation - <a href="https://fastapi.tiangolo.com/tutorial/cors/">Official FastAPI documentation on CORS middleware
+  configuration</a> </li>
+  <li> FastAPI Middleware Documentation - <a href="https://fastapi.tiangolo.com/tutorial/middleware/">Official FastAPI documentation explaining
+  middleware execution order</a> </li>
+  <li> Starlette Middleware Documentation - <a href="https://www.starlette.io/middleware/">Starlette middleware documentation (FastAPI is built on
+  Starlette)</a> </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8414.json

@@ -0,0 +1,27 @@
+{
+  "title": "CORSMiddleware should be added last in the middleware chain",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5 min"
+  },
+  "tags": [
+    "fastapi",
+    "cors",
+    "middleware",
+    "configuration"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-8414",
+  "sqKey": "S8414",
+  "scope": "Main",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "BLOCKER",
+      "MAINTAINABILITY": "BLOCKER"
+    },
+    "attribute": "LOGICAL"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -326,6 +326,7 @@
     "S8411",
     "S8412",
     "S8413",
+    "S8414",
     "S8415"
   ]
 }

python-checks/src/test/java/org/sonar/python/checks/CorsMiddlewareOrderingCheckTest.java

@@ -0,0 +1,29 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class CorsMiddlewareOrderingCheckTest {
+  @Test
+  void test() {
+    PythonCheckVerifier.verify(
+        "src/test/resources/checks/corsMiddlewareOrdering.py",
+        new CorsMiddlewareOrderingCheck());
+  }
+}