fantonangeli commented on code in PR #3353:
URL: https://github.com/apache/incubator-kie-tools/pull/3353#discussion_r2590571812


##########
packages/cors-proxy/src/index.ts:
##########
@@ -42,12 +42,28 @@ function getAllowedOrigins(): string[] {
   return originsList;
 }
 
+function getAllowedHosts(): string[] {
+  const hosts = process.env.CORS_PROXY_ALLOWED_HOSTS || 
"localhost,*.github.com";
+  const hostsList = hosts.split(",").map((o) => o.trim());
+
+  if (hostsList.some((o) => o === "")) {
+    throw new Error("Invalid host: empty hosts are not allowed in 
CORS_PROXY_ALLOWED_HOSTS.");
+  }
+
+  if (hostsList.some((o) => o === "*")) {
+    throw new Error('Invalid host: wildcard "*" is not allowed in 
CORS_PROXY_ALLOWED_HOSTS.');
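Review bot: the wildcard check `hostsList.some((o) => o === "*")` only rejects the literal `*`; as the discussion itself raises, an entry such as `*.*` passes this check and, depending on how the patterns are later matched, can widen the allowlist to any host, which defeats the purpose of `CORS_PROXY_ALLOWED_HOSTS`. Consider validating the shape of each entry instead of looking for one bad string: accept a wildcard only as a leading `*.` followed by at least one fixed, syntactically valid label (the default `*.github.com` already has that shape), reject entries whose labels are all wildcards, and document the accepted forms next to the environment variable so operators do not configure an effectively open proxy by accident.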

Review Comment:
   I didn't think about the `*.*` case, thank you for bringing this up!
   The issue with it is that a bad user can very easily use the cors-proxy to 
attack a server anonymously, as the user decides the `target-url`. So in this 
case, CodeQL is right.
   
   > My only issue with it is that KIE Sandbox should be able to connect to any 
OpenShift cluster, for example, and there's no way to know beforehand what the 
cluster host is.
   
   This is an issue in securing this proxy, especially if it is a public 
service. Can you check with others whether there can be a way to define the 
`allowedHosts` whitelist?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
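The point raised in the review is that an allowlist check is only as strong as the patterns it accepts and the way target hostnames are matched against them. The following is an added example, not code from the cors-proxy package or from the PR: it takes the environment variable name and default value (`localhost,*.github.com`) from the hunk above, but the function names `parseAllowedHosts`, `hostMatches` and `isTargetAllowed` are hypothetical. It rejects `*`, `*.*`, empty entries and wildcards anywhere but the leading label, and it matches the parsed hostname of the target URL label by label, so a query string or a crafted subdomain cannot satisfy a suffix or substring check.

```typescript
// Added example (not the cors-proxy project's own code). Parses an allowlist in
// the format of CORS_PROXY_ALLOWED_HOSTS and decides whether a target URL's host
// is covered by it. Function names here are hypothetical.

type HostPattern = { labels: string[]; wildcard: boolean };

// A single DNS label: letters, digits and inner hyphens only.
const LABEL_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/i;

/**
 * Accepted entry forms: an exact hostname ("localhost", "api.example.com") or
 * one leading wildcard label followed by at least one fixed label ("*.github.com").
 * "*", "*.*", "*.*.com", "foo.*", empty entries and malformed labels are rejected,
 * because each of them would silently widen the allowlist.
 */
function parseAllowedHosts(value: string): HostPattern[] {
  const entries = value.split(",").map((e) => e.trim().toLowerCase());
  return entries.map((entry) => {
    if (entry === "") {
      throw new Error("Invalid host: empty hosts are not allowed.");
    }
    const labels = entry.split(".");
    const wildcard = labels[0] === "*";
    const fixed = wildcard ? labels.slice(1) : labels;
    if (fixed.length === 0) {
      // Bare "*": no fixed suffix at all.
      throw new Error(`Invalid host: "${entry}" would allow any host.`);
    }
    for (const label of fixed) {
      // Catches "*.*", "*.*.com", "foo.*", "a..b" and similar.
      if (!LABEL_RE.test(label)) {
        throw new Error(`Invalid host: "${entry}" has an invalid label "${label}".`);
      }
    }
    return { labels: fixed, wildcard };
  });
}

/**
 * Exact patterns must equal the whole hostname. Wildcard patterns require the
 * hostname to have strictly more labels than the fixed part and to end with it,
 * compared label by label rather than as a string suffix, so "api.github.com.evil.com"
 * does not match "*.github.com".
 */
function hostMatches(hostname: string, pattern: HostPattern): boolean {
  const hostLabels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const fixed = pattern.labels.join(".");
  if (pattern.wildcard) {
    if (hostLabels.length <= pattern.labels.length) return false;
    return hostLabels.slice(hostLabels.length - pattern.labels.length).join(".") === fixed;
  }
  return hostLabels.join(".") === fixed;
}

/** Parse the target with the URL parser so the host comes from the authority, then match. */
function isTargetAllowed(targetUrl: string, patterns: HostPattern[]): boolean {
  let url: URL;
  try {
    url = new URL(targetUrl);
  } catch {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return patterns.some((p) => hostMatches(url.hostname, p));
}

/** Convenience for checking that an allowlist value is refused at startup. */
function isRejected(value: string): boolean {
  try {
    parseAllowedHosts(value);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample: the default from the hunk, read the same way the hunk reads it.
const allowed = parseAllowedHosts(process.env.CORS_PROXY_ALLOWED_HOSTS || "localhost,*.github.com");
console.log(isTargetAllowed("https://api.github.com/repos", allowed)); // true
console.log(isTargetAllowed("https://api.github.com.evil.example/", allowed)); // false
console.log(isRejected("*.*")); // true
```

The design choice worth noting is that `*.github.com` deliberately does not match `github.com` itself; if the apex should be reachable it has to be listed explicitly, which keeps every accepted entry unambiguous about what it covers.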