
Fix: Mitigate Unauthenticated RCE via CSRF and DNS Rebinding#124

Merged
siddu-k merged 1 commit into siddu-k:main from ArshVermaGit:main on May 28, 2026

Conversation

@ArshVermaGit

Contributor

Description

This PR addresses a critical security vulnerability where the local DevShell server implicitly trusted all incoming requests, leading to Unauthenticated Remote Code Execution (RCE) via Cross-Site Request Forgery (CSRF) or DNS Rebinding.

Because the API endpoints natively execute bash commands on the host machine, an attacker could previously exploit a developer by having them visit a malicious webpage, which would then send unauthorized requests to http://127.0.0.1:5000/api/exec.

Resolved Issue

Resolves #123

Changes Made

  • DNS Rebinding Protection: Added a before_request hook in app.py that strictly validates the Host header. The server now rejects any requests where the host is not 127.0.0.1 or localhost.
  • CSRF Protection: Added validation for Origin and Referer headers on all state-modifying requests. Requests originating from unauthorized domains (or missing these headers while presenting a browser User-Agent) are now actively blocked with a 403 Forbidden response.

Security Impact

These validations act as a robust layer of defense against browser-based attacks targeting the local development server, effectively neutralizing the RCE threat without requiring complex authentication mechanisms or dynamic CSRF tokens.

Testing

  • Verified standard UI functionality remains intact.
  • Simulated DNS Rebinding via curl -H "Host: malicious.com" ... (Returns 403 Forbidden).
  • Simulated CSRF via curl -X POST -H "Origin: http://malicious.com" ... (Returns 403 Forbidden).
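The two checks described above, written out as an added example (not the project's own app.py): a pure-Python request guard that a Flask `before_request` hook could call. The header allowlist, the method set treated as state-modifying, and the `Mozilla/` browser heuristic are assumptions chosen to match the PR description.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"127.0.0.1", "localhost"}   # assumption: the hosts the PR allowlists
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}     # assumption: reads are not state-modifying


def _strip_port(host):
    """'127.0.0.1:5000' -> '127.0.0.1'; '[::1]:5000' -> '::1'."""
    if host.startswith("["):
        return host.split("]", 1)[0][1:]
    return host.split(":", 1)[0]


def host_allowed(host_header):
    """DNS-rebinding guard: exact match against the allowlist, port ignored."""
    if not host_header:
        return False
    return _strip_port(host_header.strip().lower()) in ALLOWED_HOSTS


def origin_allowed(url):
    """CSRF guard: the Origin/Referer URL must point at an allowlisted host.
    'null' or any unparsable value yields hostname None and is rejected."""
    return urlsplit(url).hostname in ALLOWED_HOSTS


def check_request(method, headers):
    """Return None when the request may proceed, else a short rejection reason."""
    h = {k.lower(): v for k, v in headers.items()}
    if not host_allowed(h.get("host")):
        return "bad host"
    if method.upper() in SAFE_METHODS:
        return None
    source = h.get("origin") or h.get("referer")   # Origin first, Referer as fallback
    if source:
        return None if origin_allowed(source) else "bad origin"
    # Neither header present: browsers always send Origin on cross-site POSTs,
    # so a browser UA without one is treated as suspicious; CLI tools pass.
    if h.get("user-agent", "").startswith("Mozilla/"):
        return "browser request without Origin/Referer"
    return None


# Wiring into Flask (assumed shape, not executed here):
# @app.before_request
# def _guard():
#     reason = check_request(request.method, request.headers)
#     if reason is not None:
#         abort(403, reason)
```

Non-browser clients that omit both headers are allowed through by design, so this is a CSRF and rebinding guard, not authentication.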

@ArshVermaGit ArshVermaGit left a comment

Contributor Author


Hi @siddu-k ! Issue #123 has been resolved. Please review the PR and merge it under GSSoC. Thanks!

@siddu-k siddu-k merged commit 471ff38 into siddu-k:main May 28, 2026
1 of 2 checks passed

Development

Successfully merging this pull request may close these issues.

Security Vulnerability: Unauthenticated Remote Code Execution (RCE) via CSRF / DNS Rebinding

2 participants