ISSUE_NUMBER: GH-1
Description
The CORS configuration in app.js relies on the FRONTEND_URL environment variable. If this variable is not properly set or validated, it could lead to CORS errors or allow unintended origins to access the API.
File: repositories/QuestionBankapi/app.js
Line: 32
Severity: high
Current Behavior
The application uses FRONTEND_URL without validation in the CORS origin check.
Expected Behavior
The application should validate FRONTEND_URL to ensure it's a valid URL and prevent potential CORS misconfigurations.
Suggested Fix
Add validation for the FRONTEND_URL environment variable.
Code Context
const corsOptions = {
  origin: (origin, callback) => {
    if (origin === undefined || origin === null) {
      // Requests without an Origin header (non-browser clients, same-origin) are allowed through.
      callback(null, true);
    } else if (
      // Substring match, not an exact origin comparison.
      origin.includes("vercel.app") ||
      // FRONTEND_URL is compared as-is; it is never parsed or validated.
      origin === process.env.FRONTEND_URL
    ) {
      callback(null, true);
    } else {
      console.log("Blocked by CORS:", origin);
      callback(new Error("Not allowed by CORS"));
    }
  },
};
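One way to implement the suggested fix, as an added example that is not the project's own code: FRONTEND_URL is parsed with the WHATWG URL API at startup, rejected if it is missing, unparsable or not http(s), and reduced to its origin (scheme, host, port) so that stray paths or trailing slashes cannot break the comparison. The origin check then uses an exact-match allowlist instead of a substring test. The EXTRA_ORIGINS variable is a hypothetical addition for listing further origins explicitly; the helper names are assumptions.

```javascript
// Added example, not the project's code: validate FRONTEND_URL at startup and
// use an exact-match allowlist in the CORS origin callback.

// Parse one configured value into an origin string such as "https://example.com".
// Throws on anything that is not an absolute http(s) URL, so a misconfigured
// deployment fails at startup rather than silently blocking or allowing origins.
function parseAllowedOrigin(value, name = "FRONTEND_URL") {
  if (typeof value !== "string" || value.trim() === "") {
    throw new Error(`${name} is not set`);
  }
  let url;
  try {
    url = new URL(value.trim());
  } catch {
    throw new Error(`${name} is not a valid absolute URL: ${value}`);
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`${name} must use http or https, got ${url.protocol}`);
  }
  // url.origin discards path, query and fragment and lowercases the host,
  // which is exactly the form a browser sends in the Origin header.
  return url.origin;
}

// Build the allowlist from the environment. Any additional origins (preview
// deployments, for instance) must be listed explicitly in the hypothetical
// EXTRA_ORIGINS variable; a substring check such as origin.includes("vercel.app")
// would also match hosts that merely contain that string.
function buildAllowedOrigins(env) {
  const origins = new Set([parseAllowedOrigin(env.FRONTEND_URL)]);
  if (env.EXTRA_ORIGINS) {
    for (const v of env.EXTRA_ORIGINS.split(",")) {
      if (v.trim()) origins.add(parseAllowedOrigin(v, "EXTRA_ORIGINS"));
    }
  }
  return origins;
}

// Return a cors `origin` function bound to the allowlist. Same callback shape as
// the original: callback(null, true) to allow, callback(err) to block.
function makeCorsOrigin(allowed, log = console.log) {
  return (origin, callback) => {
    if (origin === undefined || origin === null) {
      // No Origin header: non-browser or same-origin request, not a CORS request.
      return callback(null, true);
    }
    if (allowed.has(origin)) {
      return callback(null, true);
    }
    log("Blocked by CORS:", origin);
    return callback(new Error("Not allowed by CORS"));
  };
}

// Synchronous helper used for checking decisions: true if the origin would be allowed.
function isOriginAllowed(allowed, origin) {
  let result = false;
  makeCorsOrigin(allowed, () => {})(origin, (err, ok) => {
    result = !err && ok === true;
  });
  return result;
}

// Usage in app.js (constructed illustration):
//   const allowedOrigins = buildAllowedOrigins(process.env); // throws on bad config
//   app.use(cors({ origin: makeCorsOrigin(allowedOrigins) }));
```

Building the allowlist once at startup means a missing or malformed FRONTEND_URL surfaces as a crash with a clear message rather than as intermittent "Blocked by CORS" log lines, and the per-request check is a single Set lookup against normalised origins.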
Additional Notes
This issue could lead to security vulnerabilities if the FRONTEND_URL is not properly configured.