Skip to content

⚠️ Security: Overly Permissive CORS Configuration / 过于宽松的CORS配置 #9

Description

@ACCSCI

Summary / 概述

The daemon server has overly permissive CORS configuration that allows requests from any origin.
守护进程服务器的CORS配置过于宽松,允许来自任何来源的请求。

Vulnerability Details / 漏洞详情

Location / 位置

File / 文件: plugins/daemon.ts
Lines / 行号: 153-155

res.setHeader("Access-Control-Allow-Origin", "*");
res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
res.setHeader("Access-Control-Allow-Headers", "Content-Type");

Issues / 问题

  1. Wildcard Origin / 通配符来源: Access-Control-Allow-Origin: * allows any website to make requests / 允许任何网站发起请求
  2. No Credentials / 无凭证: Cannot use cookies or authentication headers / 无法使用cookie或认证头
  3. Potential CSRF / 潜在CSRF: Cross-site request forgery attacks are possible / 可能发生跨站请求伪造攻击

Impact / 影响

  • Medium / 中危: Cross-origin attacks from malicious websites / 来自恶意网站的跨域攻击
  • Low / 低危: Information disclosure about daemon status / 守护进程状态信息泄露

Recommended Fix / 修复建议

Option 1 / 方案 1: Restrict to Localhost / 限制为本地访问

const allowedOrigins = [
  'http://localhost:20086',  // FRONTEND_PORT
  'http://127.0.0.1:20086',
];

const origin = req.headers.origin;
if (origin && allowedOrigins.includes(origin)) {
  res.setHeader("Access-Control-Allow-Origin", origin);
  res.setHeader("Access-Control-Allow-Credentials", "true");
}

Option 2 / 方案 2: Dynamic Origin Validation / 动态来源验证

function isAllowedOrigin(origin: string | undefined): boolean {
  if (!origin) return false;
  
  // Allow localhost with any port / 允许本地访问任意端口
  const url = new URL(origin);
  return url.hostname === 'localhost' || url.hostname === '127.0.0.1';
}

const origin = req.headers.origin;
if (isAllowedOrigin(origin)) {
  res.setHeader("Access-Control-Allow-Origin", origin);
  res.setHeader("Access-Control-Allow-Credentials", "true");
}

Option 3 / 方案 3: Use Environment Variable / 使用环境变量

const ALLOWED_ORIGINS = process.env.ALLOWED_ORIGINS?.split(',') || ['http://localhost:20086'];

const origin = req.headers.origin;
if (origin && ALLOWED_ORIGINS.includes(origin)) {
  res.setHeader("Access-Control-Allow-Origin", origin);
}

Affected Files / 受影响文件

  • plugins/daemon.ts (lines 153-155)

Priority / 优先级

Medium / 中危 - Should be fixed before production deployment / 应在生产部署前修复

Labels / 标签

  • security
  • cors
  • medium-priority

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions