Insecure CORS Configuration

[beetle-ai]

ISSUE_NUMBER: GH-1

Description

The CORS configuration in app.js allows requests from undefined or null origins. This could potentially allow malicious requests to bypass CORS restrictions.
File: repositories/QuestionBankapi/app.js
Line: 28
Severity: high

Current Behavior

The CORS configuration allows requests with an origin of undefined or null.

Expected Behavior

The CORS configuration should not allow requests with an origin of undefined or null.

Suggested Fix

Modify the CORS configuration to reject requests with an origin of undefined or null.

Code Context

27|       origin: (origin, callback) => {
28|           if (origin === undefined || origin === null) {
29|                callback(null, true);
30|           } else if (
31|               origin.match(/^https?:\/\/(.*\.)?vercel\.app$/) ||
32|               origin === process.env.FRONTEND_URL
33|           ) {
34|               callback(null, true);
35|           } else {
36|               console.log('Not allowed by CORS:', origin);
37|               callback(new Error('Not allowed by CORS'));
38|           }
39|       },

Additional Notes

This could allow malicious actors to bypass CORS restrictions and potentially access sensitive data.

[beetle-ai]

🚀 Analyze and fix this issue with codetector-ai.

Start now →