ISSUE_NUMBER: GH-1
Description
The CORS configuration in app.js relies on the FRONTEND_URL environment variable. If this variable is not properly set or validated, it could lead to CORS errors or allow unintended origins to access the API.
File: repositories/QuestionBankapi/app.js
Line: 32
Severity: high
Current Behavior
The application uses FRONTEND_URL without validation in the CORS origin check.
Expected Behavior
The application should validate FRONTEND_URL to ensure it's a valid URL and prevent potential CORS misconfigurations.
Suggested Fix
Add validation for the FRONTEND_URL environment variable.
Code Context
```js
// Current origin check in app.js (unchanged behaviour, reformatted for readability)
const corsOptions = {
  origin: (origin, callback) => {
    if (origin === undefined || origin === null) {
      // No Origin header: non-browser or same-origin request
      callback(null, true);
    } else if (
      origin.includes("vercel.app") ||
      origin === process.env.FRONTEND_URL
    ) {
      callback(null, true);
    } else {
      console.log("Blocked by CORS:", origin);
      callback(new Error("Not allowed by CORS"));
    }
  },
};
```
Additional Notes
This issue could lead to security vulnerabilities if the FRONTEND_URL is not properly configured.
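One way to implement the suggested fix, as an added example that is not code from the QuestionBankapi repository: FRONTEND_URL is parsed with the WHATWG URL API at startup, rejected unless it is a bare http(s) origin, and normalized to its origin string; the CORS callback then does an exact-match lookup against that allowlist. The substring test `origin.includes("vercel.app")` from the current code is deliberately not carried over, because `includes` matches any origin string that contains that text, not just hosts under vercel.app. It is assumed that app.js passes `corsOptions` to the Express `cors` middleware; the helper names (`parseFrontendOrigin`, `buildAllowedOrigins`, `isOriginAllowed`, `makeCorsOptions`) are this example's own.

```javascript
// Added example (not the project's own code): validate FRONTEND_URL and build
// a strict, exact-match CORS origin allowlist for the Express `cors` middleware.
// Helper names below are this example's own, not from app.js.

// Parse a candidate frontend URL and return its normalized origin
// (scheme + lowercased host + non-default port), or throw if it is not a
// usable web origin. Throwing at startup is preferable to a silent
// misconfiguration that is only noticed when browsers start failing.
function parseFrontendOrigin(value) {
  if (typeof value !== "string" || value.trim() === "") {
    throw new Error("FRONTEND_URL is not set");
  }
  let url;
  try {
    url = new URL(value.trim());
  } catch {
    throw new Error(`FRONTEND_URL is not a valid URL: ${value}`);
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`FRONTEND_URL must use http or https: ${value}`);
  }
  // An origin has no path, query or fragment. Rejecting extras keeps a value
  // like "https://app.example.com/login" from being accepted as configuration
  // while never matching a real Origin header.
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "") {
    throw new Error(`FRONTEND_URL must be a bare origin: ${value}`);
  }
  return url.origin;
}

// Build the set of allowed origins from an environment object (process.env in
// app.js). Additional deployments belong here as explicit entries, not as a
// substring rule.
function buildAllowedOrigins(env) {
  return new Set([parseFrontendOrigin(env.FRONTEND_URL)]);
}

// Exact-match check used by the cors `origin` callback. A missing Origin
// header (undefined) means a non-browser or same-origin request; the current
// app.js allows those, and that behaviour is kept here.
function isOriginAllowed(allowed, origin) {
  if (origin === undefined || origin === null) return true;
  return allowed.has(origin);
}

// Produce the options object consumed by cors(). Validation happens once,
// when this function is called, not per request.
function makeCorsOptions(env) {
  const allowed = buildAllowedOrigins(env);
  return {
    origin: (origin, callback) => {
      if (isOriginAllowed(allowed, origin)) {
        callback(null, true);
      } else {
        console.log("Blocked by CORS:", origin);
        callback(new Error("Not allowed by CORS"));
      }
    },
  };
}
```

In app.js this would be wired as `app.use(cors(makeCorsOptions(process.env)))`, so a missing or malformed FRONTEND_URL stops the process at boot with a clear message instead of producing request-time CORS errors. Note that `url.origin` lowercases the host and drops a default port, so `https://App.Example.com:443/` and `https://app.example.com` configure the same allowlist entry, which matches how browsers serialize the Origin header.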