Phase: 8
Sequence: 005
Slug: cors-origin-env-var
Verdict: VALID
Rationale: CORS middleware trusts APP_URL environment variable as an allowed origin without domain validation; if env var is injected, attacker can control the CORS origin whitelist
Severity-Original: high
Severity: medium
PoC-Status: pending
Pre-FP-Flag: none
Debate: piolium/attack-surface/balanced-chamber-summary.md

## Summary
The CORS middleware in `web/src/middleware.ts` trusts `process.env.APP_URL` as an allowed CORS origin. If an attacker can control the `APP_URL` environment variable (via CI/CD pipeline compromise, container env injection, or shared hosting environment), they can set an arbitrary allowed origin. The middleware then echoes back the attacker-controlled origin in the `Access-Control-Allow-Origin` header with `Access-Control-Allow-Credentials: true`, enabling authenticated cross-origin data theft.

## Location
- `web/src/middleware.ts` lines 22–30 (CORS middleware)

## Attacker Control
An attacker who can set environment variables on the deployment can set `APP_URL=https://evil.com`. The middleware will then allow `Origin: https://evil.com` requests and set `Access-Control-Allow-Origin: https://evil.com` with credentials.

## Trust Boundary Crossed
CORS policy boundary. The application trusts a single environment variable as a CORS origin whitelist entry, allowing an attacker-controlled origin to bypass same-origin policy.

## Impact
Full cross-origin data exfiltration from the tRPC API. An attacker-controlled origin can read all authenticated tRPC procedures including user profiles, billing data, darkwatch exposure data, voiceprint analysis results, and admin statistics.

## Evidence
```typescript
const allowedOrigins = [
  "http://localhost:3000",
  "http://localhost:3001",
  process.env.APP_URL,  // Unvalidated env var
].filter(Boolean);

if (origin && allowedOrigins.includes(origin)) {
  event.response.headers.set("Access-Control-Allow-Origin", origin);
  event.response.headers.set("Access-Control-Allow-Credentials", "true");
}
```

## Reproduction Steps
1. Attacker gains ability to set environment variables on the deployment
2. Attacker sets `APP_URL=https://evil.com`
3. Attacker's web page loads and makes tRPC requests with `Origin: https://evil.com`
4. Server responds with `Access-Control-Allow-Origin: https://evil.com` + `Access-Control-Allow-Credentials: true`
5. Attacker's JavaScript reads authenticated tRPC responses (user data, billing info, etc.)

## Defense Search Results
- `APP_URL` env var is trusted without domain validation
- Origin check uses exact string matching (no wildcard or prefix)
- `Access-Control-Allow-Credentials: true` allows cookie-based auth in CORS requests
- No framework-level CORS configuration with explicit origin lists