Mike/Kordant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c159f07322ca350fce297b6c64bb065de969b4bc
Kordant/piolium/findings/p8-005-cors-origin-env-var/draft.md
Michael Freno 3b29de3234 security sweep
2026-05-29 09:03:47 -04:00

2.7 KiB
Raw Blame History

Phase: 8 Sequence: 005 Slug: cors-origin-env-var Verdict: VALID Rationale: CORS middleware trusts APP_URL environment variable as an allowed origin without domain validation; if env var is injected, attacker can control the CORS origin whitelist Severity-Original: high Severity: medium PoC-Status: pending Pre-FP-Flag: none Debate: piolium/attack-surface/balanced-chamber-summary.md

Summary

The CORS middleware in web/src/middleware.ts trusts process.env.APP_URL as an allowed CORS origin. If an attacker can control the APP_URL environment variable (via CI/CD pipeline compromise, container env injection, or shared hosting environment), they can set an arbitrary allowed origin. The middleware then echoes back the attacker-controlled origin in the Access-Control-Allow-Origin header with Access-Control-Allow-Credentials: true, enabling authenticated cross-origin data theft.

Location

  • web/src/middleware.ts lines 2230 (CORS middleware)

Attacker Control

An attacker who can set environment variables on the deployment can set APP_URL=https://evil.com. The middleware will then allow Origin: https://evil.com requests and set Access-Control-Allow-Origin: https://evil.com with credentials.

Trust Boundary Crossed

CORS policy boundary. The application trusts a single environment variable as a CORS origin whitelist entry, allowing an attacker-controlled origin to bypass same-origin policy.

Impact

Full cross-origin data exfiltration from the tRPC API. An attacker-controlled origin can read all authenticated tRPC procedures including user profiles, billing data, darkwatch exposure data, voiceprint analysis results, and admin statistics.

Evidence

const allowedOrigins = [
  "http://localhost:3000",
  "http://localhost:3001",
  process.env.APP_URL,  // Unvalidated env var
].filter(Boolean);

if (origin && allowedOrigins.includes(origin)) {
  event.response.headers.set("Access-Control-Allow-Origin", origin);
  event.response.headers.set("Access-Control-Allow-Credentials", "true");
}

Reproduction Steps

  1. Attacker gains ability to set environment variables on the deployment
  2. Attacker sets APP_URL=https://evil.com
  3. Attacker's web page loads and makes tRPC requests with Origin: https://evil.com
  4. Server responds with Access-Control-Allow-Origin: https://evil.com + Access-Control-Allow-Credentials: true
  5. Attacker's JavaScript reads authenticated tRPC responses (user data, billing info, etc.)

Defense Search Results

  • APP_URL env var is trusted without domain validation
  • Origin check uses exact string matching (no wildcard or prefix)
  • Access-Control-Allow-Credentials: true allows cookie-based auth in CORS requests
  • No framework-level CORS configuration with explicit origin lists
Reference in New Issue View Git Blame Copy Permalink