SECURITY: CORS allows all origins (*) — review for CSRF implications #40

Open
opened 2026-02-16 06:56:34 +01:00 by clawbot · 0 comments
Collaborator

## Severity: MEDIUM

## File: `internal/middleware/middleware.go` lines ~120-130 (CORS method)

## Description

```go
cors.Handler(cors.Options{
    AllowedOrigins: []string{"*"},
    ...
    AllowCredentials: false,
})
```

While `AllowCredentials: false` prevents cookies from being sent with cross-origin requests (good), the wildcard CORS policy still allows any website to make API calls to the upaas instance. This means:

- The JSON API endpoints (`/apps/{id}/status`, `/apps/{id}/container-logs`, etc.) are accessible from any origin
- While they won't include session cookies, if there's ever an auth bypass or a non-cookie auth mechanism added, this becomes exploitable

For a single-user admin panel, a wildcard CORS policy is unnecessarily permissive.

## Suggested Fix

Restrict CORS to same-origin only, or remove the CORS middleware entirely since this is a server-rendered app that doesn't need cross-origin API access:

```go
AllowedOrigins: []string{}, // or remove CORS middleware entirely
```
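To make the difference between the two policies concrete, here is an added, self-contained example (not upaas's own middleware, and not code from the issue) written against the standard library only. `wildcardCORS` reproduces the effect of `AllowedOrigins: []string{"*"}`; `allowlistCORS` is an explicit-origin alternative that echoes only a known panel origin, refuses preflights from anyone else, and sets `Vary: Origin` so shared caches do not leak one origin's answer to another. The probe helpers and the origins `https://panel.example.test` / `https://other.example.test` are constructed for the demonstration. One caveat worth checking before applying the suggested fix: the `cors.Handler(cors.Options{...})` call shape matches go-chi/cors (a fork of rs/cors), and in both packages an empty `AllowedOrigins` list is treated as "allow all origins" by default, so `[]string{}` on its own would not restrict anything; listing the panel's origin explicitly, or removing the middleware, is what actually narrows the policy.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Example code added to this issue page, not upaas's own middleware.
// All function names here are hypothetical.

// wildcardCORS reproduces the effect of AllowedOrigins: []string{"*"}:
// every origin is told it may read the response.
func wildcardCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		next.ServeHTTP(w, r)
	})
}

// allowlistCORS acknowledges only origins in the allowlist. Unknown origins get
// no CORS headers (the browser then keeps the response opaque) and their
// preflights are refused, so the API is unusable from a third-party page.
func allowlistCORS(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]struct{}, len(allowed))
	for _, o := range allowed {
		set[o] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" {
			// No Origin header: same-origin navigation or a non-browser client.
			next.ServeHTTP(w, r)
			return
		}
		if _, ok := set[origin]; !ok {
			if r.Method == http.MethodOptions {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r) // served, but without ACAO the page cannot read it
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Add("Vary", "Origin") // caches must not reuse this across origins
		if r.Method == http.MethodOptions {
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// demoAPI stands in for the JSON status endpoint named in the issue.
func demoAPI() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"status":"running"}`)
	})
}

// allowOriginFor sends a GET with the given Origin through h and returns the
// Access-Control-Allow-Origin value the browser would see ("" = opaque).
func allowOriginFor(h http.Handler, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/apps/1/status", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

// preflightStatus returns the HTTP status a CORS preflight from origin receives.
func preflightStatus(h http.Handler, origin string) int {
	req := httptest.NewRequest(http.MethodOptions, "/apps/1/status", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed origins for the demonstration.
	const panel, other = "https://panel.example.test", "https://other.example.test"
	open := wildcardCORS(demoAPI())
	strict := allowlistCORS([]string{panel}, demoAPI())
	fmt.Println("wildcard, other origin:", allowOriginFor(open, other))       // *
	fmt.Println("allowlist, other origin:", allowOriginFor(strict, other))    // (empty)
	fmt.Println("allowlist, panel origin:", allowOriginFor(strict, panel))    // https://panel.example.test
	fmt.Println("allowlist, other preflight:", preflightStatus(strict, other)) // 403
}
```

Running `main` prints `*` for the wildcard handler regardless of origin, an empty header for the allowlist handler when the origin is unknown, the echoed origin for the panel, and a 403 preflight for anyone else. The allowlist handler still serves a plain GET from an unknown origin, which is how CORS is specified to work (the browser, not the server, withholds the body from the page); without credentials that request carries no session, which is the reason the issue rates the current state MEDIUM rather than higher.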
Reference: sneak/upaas#40