security sweep

This commit is contained in:
2026-05-29 09:03:47 -04:00
parent 469c28fa64
commit 3b29de3234
60 changed files with 7148 additions and 413 deletions

View File

@@ -0,0 +1,52 @@
Phase: 8
Sequence: 005
Slug: cors-origin-env-var
Verdict: VALID
Rationale: CORS middleware trusts APP_URL environment variable as an allowed origin without domain validation; if env var is injected, attacker can control the CORS origin whitelist
Severity-Original: high
Severity: medium
PoC-Status: pending
Pre-FP-Flag: none
Debate: piolium/attack-surface/balanced-chamber-summary.md
## Summary
The CORS middleware in `web/src/middleware.ts` trusts `process.env.APP_URL` as an allowed CORS origin. If an attacker can control the `APP_URL` environment variable (via CI/CD pipeline compromise, container env injection, or shared hosting environment), they can set an arbitrary allowed origin. The middleware then echoes back the attacker-controlled origin in the `Access-Control-Allow-Origin` header with `Access-Control-Allow-Credentials: true`, enabling authenticated cross-origin data theft.
## Location
- `web/src/middleware.ts` lines 2230 (CORS middleware)
## Attacker Control
An attacker who can set environment variables on the deployment can set `APP_URL=https://evil.com`. The middleware will then allow `Origin: https://evil.com` requests and set `Access-Control-Allow-Origin: https://evil.com` with credentials.
## Trust Boundary Crossed
CORS policy boundary. The application trusts a single environment variable as a CORS origin whitelist entry, allowing an attacker-controlled origin to bypass same-origin policy.
## Impact
Full cross-origin data exfiltration from the tRPC API. An attacker-controlled origin can read all authenticated tRPC procedures including user profiles, billing data, darkwatch exposure data, voiceprint analysis results, and admin statistics.
## Evidence
```typescript
const allowedOrigins = [
"http://localhost:3000",
"http://localhost:3001",
process.env.APP_URL, // Unvalidated env var
].filter(Boolean);
if (origin && allowedOrigins.includes(origin)) {
event.response.headers.set("Access-Control-Allow-Origin", origin);
event.response.headers.set("Access-Control-Allow-Credentials", "true");
}
```
## Reproduction Steps
1. Attacker gains ability to set environment variables on the deployment
2. Attacker sets `APP_URL=https://evil.com`
3. Attacker's web page loads and makes tRPC requests with `Origin: https://evil.com`
4. Server responds with `Access-Control-Allow-Origin: https://evil.com` + `Access-Control-Allow-Credentials: true`
5. Attacker's JavaScript reads authenticated tRPC responses (user data, billing info, etc.)
## Defense Search Results
- `APP_URL` env var is trusted without domain validation
- Origin check uses exact string matching (no wildcard or prefix)
- `Access-Control-Allow-Credentials: true` allows cookie-based auth in CORS requests
- No framework-level CORS configuration with explicit origin lists
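Review bot: the Location line reads `lines 2230`, which looks like a range whose separator was lost in rendering (22-30 would fit the nine-line CORS block quoted under Evidence); restore the range so the finding can be cross-checked against `web/src/middleware.ts`. The Rationale and Attacker Control sections make the whole finding conditional on an attacker already controlling the deployment's environment, which is itself a full compromise of the host or pipeline, so the downgrade from high to medium is justified, but the Severity line should state that precondition instead of leaving the reader to infer it from the Summary. Defense Search Results should also record the intended fix, since none is stated: validate `APP_URL` once at startup (parse it with `new URL()`, require `https:` outside local development, and reject values whose host does not match the expected production domain) or replace the env-var entry with a hardcoded production origin, so that the `.filter(Boolean)` fallback is not the only guard and an unset or malformed value fails loudly rather than silently narrowing the list to localhost. Finally, the bullet "Origin check uses exact string matching (no wildcard or prefix)" describes a mitigating property rather than a missing defense and belongs in a separate note, otherwise the list reads as uniformly negative.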
