thiagoelg commented on code in PR #3353:
URL: https://github.com/apache/incubator-kie-tools/pull/3353#discussion_r2589878390
##########
packages/cors-proxy/src/index.ts:
##########
@@ -42,12 +42,28 @@ function getAllowedOrigins(): string[] {
return originsList;
}
+function getAllowedHosts(): string[] {
+ const hosts = process.env.CORS_PROXY_ALLOWED_HOSTS ||
"localhost,*.github.com";
+ const hostsList = hosts.split(",").map((o) => o.trim());
+
+ if (hostsList.some((o) => o === "")) {
+ throw new Error("Invalid host: empty hosts are not allowed in
CORS_PROXY_ALLOWED_HOSTS.");
+ }
+
+ if (hostsList.some((o) => o === "*")) {
+ throw new Error('Invalid host: wildcard "*" is not allowed in
CORS_PROXY_ALLOWED_HOSTS.');
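Review bot: the second `some` check rejects only the literal `*`, so entries that are just as permissive, such as `*.*` or `*.`, still pass validation and the guard does not by itself guarantee a restrictive allow-list; consider also rejecting entries whose dot-separated labels are all wildcards (or documenting that such an entry deliberately opens the proxy to any host), and make sure whatever consumes `hostsList` matches each pattern against the full hostname rather than a substring. Minor: the lambda parameters are still named `o` as in `getAllowedOrigins`; `h` would read better here.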
Review Comment:
I believe this is the exact code that fixes the SSRF warning, right?
My only issue with it is that KIE Sandbox should be able to connect to any
OpenShift cluster, for example, and there's no way to know beforehand what the
cluster host is.
In `online-editor`, I've changed the `start:cors-proxy` command to this:
```
cross-env CORS_PROXY__origin=https://localhost:$(build-env onlineEditor.dev.port) \
  CORS_PROXY__useHttpForHosts=\"localhost:$(build-env kieSandboxAcceleratorQuarkus.dev.port)\" \
  CORS_PROXY__allowedHosts=\"*.*,localhost\" \
  npm --prefix ./node_modules/@kie-tools/cors-proxy run start
```
Notice the `*.*`, which basically allows any domain with a `.` in it. It
kind of defeats the purpose of this check, but at the same time, it's something
we need for KIE Sandbox.
Anyway, I'm fine with it, and the `*.*,localhost` solution works for me. But
WDYT?
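To make the trade-off in the comment above concrete, here is an added example (not code from the cors-proxy project) that parses an allow-list in the `CORS_PROXY_ALLOWED_HOSTS` format shown in the hunk, matches request hosts against it with anchored wildcard patterns, and flags entries such as `*.*` that are wildcard-only. The glob-to-regex semantics (`*` matches any non-empty run of characters, the whole hostname must match, the port is ignored) and the helper names are assumptions for this example, not the project's actual matching behaviour.

```typescript
// Added example, not part of the incubator-kie-tools cors-proxy package.
// Assumed semantics: "*" matches any non-empty run of characters, patterns are
// anchored to the whole hostname, comparison is case-insensitive, port ignored.

// Same validation rules as the hunk: no empty entries, no bare "*".
function parseAllowedHosts(raw: string): string[] {
  const list = raw.split(",").map((h) => h.trim());
  if (list.some((h) => h === "")) {
    throw new Error("Invalid host: empty hosts are not allowed.");
  }
  if (list.some((h) => h === "*")) {
    throw new Error('Invalid host: wildcard "*" is not allowed.');
  }
  return list;
}

// Escape regex metacharacters in a literal hostname fragment ("*" never
// reaches here because the pattern is split on it first).
function escapeRegex(s: string): string {
  return s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
}

// Compile one allow-list entry into an anchored, case-insensitive RegExp.
// Anchoring is what prevents "github.com" from matching "github.com.example".
function compileHostPattern(pattern: string): RegExp {
  const body = pattern.split("*").map(escapeRegex).join(".+");
  return new RegExp(`^${body}$`, "i");
}

// Decide whether a request Host value is covered by any allow-list entry.
function isHostAllowed(host: string, patterns: string[]): boolean {
  const bare = host.replace(/:\d+$/, "").toLowerCase(); // drop ":port"
  return patterns.some((p) => compileHostPattern(p).test(bare));
}

// An entry whose labels are all "*" (e.g. "*.*" or "*.*.*") matches every
// hostname with at least that many labels; it passes the bare-"*" check but
// leaves the allow-list effectively open.
function isEffectivelyOpen(pattern: string): boolean {
  return pattern.split(".").every((label) => label === "*");
}

// Return the entries an operator should be warned about.
function openPatterns(patterns: string[]): string[] {
  return patterns.filter(isEffectivelyOpen);
}

// Constructed sample values: the hunk's default list and the "*.*,localhost"
// list from the comment above.
const DEFAULT_LIST = parseAllowedHosts("localhost,*.github.com");
const SANDBOX_LIST = parseAllowedHosts("*.*,localhost");

console.log(isHostAllowed("api.github.com", DEFAULT_LIST)); // true
console.log(isHostAllowed("github.com.example", DEFAULT_LIST)); // false (anchored)
console.log(isHostAllowed("my-cluster.example", SANDBOX_LIST)); // true
console.log(openPatterns(SANDBOX_LIST)); // ["*.*"]
```

With these semantics `*.github.com` covers `api.github.com` but not the apex `github.com`, and `*.*,localhost` admits any host that contains a dot while `openPatterns` makes that fact visible at startup instead of leaving it implicit.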
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]