Summary / 概述
The daemon server has overly permissive CORS configuration that allows requests from any origin.
守护进程服务器的CORS配置过于宽松,允许来自任何来源的请求。
Vulnerability Details / 漏洞详情
Location / 位置
File / 文件: plugins/daemon.ts
Lines / 行号: 153-155
res.setHeader("Access-Control-Allow-Origin", "*");
res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
res.setHeader("Access-Control-Allow-Headers", "Content-Type");
Issues / 问题
- Wildcard Origin / 通配符来源:
Access-Control-Allow-Origin: * allows any website to make requests / 允许任何网站发起请求
- No Credentials / 无凭证: Cannot use cookies or authentication headers / 无法使用cookie或认证头
- Potential CSRF / 潜在CSRF: Cross-site request forgery attacks are possible / 可能发生跨站请求伪造攻击
Impact / 影响
- Medium / 中危: Cross-origin attacks from malicious websites / 来自恶意网站的跨域攻击
- Low / 低危: Information disclosure about daemon status / 守护进程状态信息泄露
Recommended Fix / 修复建议
Option 1 / 方案 1: Restrict to Localhost / 限制为本地访问
const allowedOrigins = [
'http://localhost:20086', // FRONTEND_PORT
'http://127.0.0.1:20086',
];
const origin = req.headers.origin;
if (origin && allowedOrigins.includes(origin)) {
res.setHeader("Access-Control-Allow-Origin", origin);
res.setHeader("Access-Control-Allow-Credentials", "true");
}
Option 2 / 方案 2: Dynamic Origin Validation / 动态来源验证
function isAllowedOrigin(origin: string | undefined): boolean {
if (!origin) return false;
// Allow localhost with any port / 允许本地访问任意端口
const url = new URL(origin);
return url.hostname === 'localhost' || url.hostname === '127.0.0.1';
}
const origin = req.headers.origin;
if (isAllowedOrigin(origin)) {
res.setHeader("Access-Control-Allow-Origin", origin);
res.setHeader("Access-Control-Allow-Credentials", "true");
}
Option 3 / 方案 3: Use Environment Variable / 使用环境变量
const ALLOWED_ORIGINS = process.env.ALLOWED_ORIGINS?.split(',') || ['http://localhost:20086'];
const origin = req.headers.origin;
if (origin && ALLOWED_ORIGINS.includes(origin)) {
res.setHeader("Access-Control-Allow-Origin", origin);
}
Affected Files / 受影响文件
plugins/daemon.ts (lines 153-155)
Priority / 优先级
Medium / 中危 - Should be fixed before production deployment / 应在生产部署前修复
Labels / 标签
security
cors
medium-priority
Summary / 概述
The daemon server has overly permissive CORS configuration that allows requests from any origin.
守护进程服务器的CORS配置过于宽松,允许来自任何来源的请求。
Vulnerability Details / 漏洞详情
Location / 位置
File / 文件:
plugins/daemon.tsLines / 行号: 153-155
Issues / 问题
Access-Control-Allow-Origin: *allows any website to make requests / 允许任何网站发起请求Impact / 影响
Recommended Fix / 修复建议
Option 1 / 方案 1: Restrict to Localhost / 限制为本地访问
Option 2 / 方案 2: Dynamic Origin Validation / 动态来源验证
Option 3 / 方案 3: Use Environment Variable / 使用环境变量
Affected Files / 受影响文件
plugins/daemon.ts(lines 153-155)Priority / 优先级
Medium / 中危 - Should be fixed before production deployment / 应在生产部署前修复
Labels / 标签
securitycorsmedium-priority