🛡️ Sentinel: [HIGH] Fix overly permissive CORS configuration #112
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| ## 2024-05-18 - [Fix CORS Wildcard Vulnerability] | ||
| **Vulnerability:** The CORS middleware allowed cross-origin credentials (`Access-Control-Allow-Credentials: true`) to be sent even when the origin was matched via a wildcard (`*`). | ||
| **Learning:** Returning credentials alongside a reflected origin when a wildcard is conceptually intended bypasses browser restrictions, making the application vulnerable to exposing sensitive data across all origins. | ||
| **Prevention:** Always verify if a wildcard is present in `AllowedOrigins`. If it is, explicitly return `Access-Control-Allow-Origin: *` and omit the `Access-Control-Allow-Credentials` header to comply securely with the CORS specification. | ||
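Review bot: the Prevention line covers only the wildcard branch; the entry should also state the rule for the non-wildcard branch, where the middleware reflects a matched origin together with `Access-Control-Allow-Credentials: true`: the echoed value must be an exact match against an entry of `AllowedOrigins` (scheme, host and port), never a prefix or substring match, and the response should carry `Vary: Origin` so a shared cache never serves one origin's credentialed response to another. The Learning sentence would also be sharper if it said plainly that browsers refuse a credentialed response whose `Access-Control-Allow-Origin` is the literal `*`, which is exactly why reflecting the request's `Origin` instead is the dangerous pattern: it sidesteps that browser check.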
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||||||||||||||||||||||||||||||||||||||
| 1. **Fix CORS Vulnerability**: In `internal/api/server.go`, update `corsMiddleware` to securely handle the wildcard `*` origin. | ||||||||||||||||||||||||||||||||||||||
| - Detect if `*` is present in `allowedOrigins`. | ||||||||||||||||||||||||||||||||||||||
| - If `*` is present, accept any `Origin` header. | ||||||||||||||||||||||||||||||||||||||
| - Set `Access-Control-Allow-Origin: *` to properly handle the wildcard. | ||||||||||||||||||||||||||||||||||||||
| - Most importantly, do not set `Access-Control-Allow-Credentials: "true"` when `*` is configured, preventing credential sharing across all origins. | ||||||||||||||||||||||||||||||||||||||
| 2. **Add Tests**: Update `internal/api/server_test.go` to test wildcard origin functionality and ensure `Access-Control-Allow-Credentials` is not present when wildcard is used. | ||||||||||||||||||||||||||||||||||||||
| 3. **Pre-commit Checks**: Run pre-commit instructions to ensure testing and formatting are correct. | ||||||||||||||||||||||||||||||||||||||
| 4. **Submit**: Create PR with title "π‘οΈ Sentinel: [HIGH] Fix overly permissive CORS configuration". | ||||||||||||||||||||||||||||||||||||||
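Review bot: step 2 lists only the positive wildcard assertions; the test update should also cover the paths this change must not regress: an origin present in `allowedOrigins` is still echoed back in `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true`, an origin absent from the list gets neither header, and both behaviours hold for a preflight `OPTIONS` request as well as for the actual request. In step 1, "accept any `Origin` header" should be made precise: with `*` configured the response carries the literal `*` (as the third bullet says), never the reflected origin, so the two bullets should not read as alternatives.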
Comment on lines +1 to +8:

Add a top-level heading to satisfy markdownlint. The new file starts with a list, so it will keep emitting the reported MD041 warning.

Proposed fix (committable suggestion):

```diff
+# Plan
+
 1. **Fix CORS Vulnerability**: In `internal/api/server.go`, update `corsMiddleware` to securely handle the wildcard `*` origin.
    - Detect if `*` is present in `allowedOrigins`.
    - If `*` is present, accept any `Origin` header.
    - Set `Access-Control-Allow-Origin: *` to properly handle the wildcard.
    - Most importantly, do not set `Access-Control-Allow-Credentials: "true"` when `*` is configured, preventing credential sharing across all origins.
 2. **Add Tests**: Update `internal/api/server_test.go` to test wildcard origin functionality and ensure `Access-Control-Allow-Credentials` is not present when wildcard is used.
 3. **Pre-commit Checks**: Run pre-commit instructions to ensure testing and formatting are correct.
 4. **Submit**: Create PR with title "π‘οΈ Sentinel: [HIGH] Fix overly permissive CORS configuration".
```

Tools: markdownlint-cli2 (0.22.1)
[warning] 1-1: First line in a file should be a top-level heading (MD041, first-line-heading, first-line-h1)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| make test | ||
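Review bot: this file is a single `make test` line with no shebang, no comment and nothing saying where it is invoked from, so it is unclear whether it is the pre-commit check that step 3 of the plan refers to. If it is, it runs the tests only, while the plan says the check should confirm both testing and formatting; either invoke the formatting and vet steps here as well, or name the file for what it actually does and point the plan at the real pre-commit instructions.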
Analysis chain

Script executed:

```bash
#!/bin/bash
set -euo pipefail
# For every Makefile in the repository, print the `test` target and any quality-gate tools it references
fd -HI '^(Makefile|makefile|GNUmakefile)$' | while read -r mf; do
  echo "== ${mf} =="
  echo "-- test target --"
  awk '
    BEGIN { printing = 0 }
    /^[[:alnum:]_.-]+:/ {
      if ($0 ~ /^test:/) {
        printing = 1
      } else if (printing) {
        exit
      }
    }
    printing { print }
  ' "$mf"
  echo "-- quality-gate references --"
  rg -n 'gofmt|goimports|go vet|golangci-lint|gosec|go test .*-(race|vet=all)|shuffle=on' "$mf" || true
  echo
done
```

Repository: mattjoyce/ductile. Length of output: 153

Script executed:

```bash
#!/bin/bash
set -euo pipefail
# Locate and print the relevant test script(s)
fd -HI 'test-fast' -t f . | head -n 20 | cat
# Show the primary script contents (small/targeted read)
path="$(fd -HI 'test-fast' -t f . | head -n 1)"
echo "== Using: $path =="
nl -ba "$path" | sed -n '1,200p'
# If the script shells out to other scripts/targets, trace them quickly
echo "== Calls from $path (shell/exec targets) =="
rg -n '(make[[:space:]]+|./scripts/|bash[[:space:]]|sh[[:space:]]|-c[[:space:]]|golangci-lint|gosec|go vet|go test|goimports|gofmt)' "$path" || true
# Inspect any referenced ./scripts/* from the call sites
rg -o './scripts/[A-Za-z0-9._-]+' "$path" | sort -u | while read -r sp; do
  if [ -f "${sp}" ]; then
    echo
    echo "== Script: $sp =="
    nl -ba "$sp" | sed -n '1,200p'
  else
    echo "== Missing path referenced: $sp =="
  fi
done
# Also check scripts/test-fast for any go test flags that match the merge gate
rg -n 'go test .* -race|shuffle=on|vet=all|count=1' "$path" || true
# Finally, check whether any of the scripts run golangci-lint / gosec with severity medium
rg -n 'golangci-lint|gosec .*severity[[:space:]]+medium|gosec|go vet|goimports|gofmt' "$path" || true
```

Repository: mattjoyce/ductile. Length of output: 176

Script executed:

```bash
#!/bin/bash
set -euo pipefail
# Find exact path(s) to test-fast
echo "== test-fast candidates =="
fd -HI 'test-fast' -t f . || true
# Prefer scripts/test-fast if it exists
if [ -f "./scripts/test-fast" ]; then
  path="./scripts/test-fast"
else
  path="$(fd -HI 'test-fast' -t f . | head -n 1)"
fi
echo
echo "== Using: $path =="
echo
echo "---- contents (first 250 lines) ----"
cat -n "$path" | sed -n '1,250p'
echo
echo "---- references to other checks/scripts ----"
rg -n 'golangci-lint|gosec|goimports|gofmt|go vet|go test|shuffle=on|vet=all|-race|severity[[:space:]]+medium|count=1' "$path" || true
echo
echo "---- shelling out / invoking other scripts ----"
# The stray '.' appended to the pattern in the original has been dropped; it forced an extra character after each match
rg -n '(make[[:space:]]+|./scripts/|bash[[:space:]]+|sh[[:space:]]+|-c[[:space:]]|exec[[:space:]]+)' "$path" 2>/dev/null || true
# Print any referenced ./scripts/* files so we can inspect them next
echo
echo "== referenced ./scripts/* =="
rg -o './scripts/[A-Za-z0-9._-]+' "$path" | sort -u | while read -r sp; do
  if [ -f "$sp" ]; then
    echo "$sp"
  else
    echo "$sp (missing)"
  fi
done
```

Repository: mattjoyce/ductile. Length of output: 627

`make test` doesn't run the full merge-grade Go gate.

Update
Normalize the heading so markdownlint stays clean. This new entry triggers the reported MD041/MD022 warnings because the file starts with an H2 and has no blank line after it.
Tools: markdownlint-cli2 (0.22.1)
[warning] 1-1: Headings should be surrounded by blank lines. Expected: 1; Actual: 0; Below (MD022, blanks-around-headings)
[warning] 1-1: First line in a file should be a top-level heading (MD041, first-line-heading, first-line-h1)