ISSUE_NUMBER: GH-1
Description
The CORS configuration in app.js is overly permissive and may allow requests from unintended origins. Specifically, the check for origin === undefined || origin === null allows requests without an origin header.
File: repositories/QuestionBankapi/app.js
Line: 28
Severity: high
Current Behavior
The application accepts requests without an origin header due to the origin === undefined || origin === null check in the CORS configuration.
Expected Behavior
The application should only accept requests from explicitly allowed origins. Requests without an origin header should be rejected.
Suggested Fix
Remove the origin === undefined || origin === null check from the CORS configuration.
Code Context

```js
app.use(
  cors({
    origin: (origin, callback) => {
      // Branch at issue: a request with no Origin header is allowed outright
      if (origin === undefined || origin === null) {
        callback(null, true);
      } else if (
        origin.match(/^https?:\/\/(.*\.)?vercel\.app$/) ||
        origin === process.env.FRONTEND_URL
      ) {
        callback(null, true);
      } else {
        console.log('Not allowed by CORS:', origin);
        callback(new Error('Not allowed by CORS'));
      }
    },
    methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
    credentials: true,
  })
);
```

Additional Notes
This vulnerability could be exploited to bypass CORS restrictions and perform unauthorized actions on behalf of users.
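To make the difference between the current and the suggested behaviour concrete, the following added example (not code from the QuestionBankapi repository) lifts the origin callback out of app.js into two pure predicates and drives them the way the cors middleware would, so both variants can be compared without starting Express. The FRONTEND_URL value and the sample origins are constructed for the example; the regular expression is the one from the Code Context above.

```javascript
// Added example, not part of the QuestionBankapi project: the origin check
// from app.js as two pure predicates, one with the missing-origin branch
// (current behaviour) and one without it (suggested fix).

// Same pattern as in app.js.
const ALLOWED_PATTERN = /^https?:\/\/(.*\.)?vercel\.app$/;
// Constructed stand-in for process.env.FRONTEND_URL.
const FRONTEND_URL = 'https://questionbank.example';

// Current behaviour: a request with no Origin header is accepted before the
// allow-list is consulted.
function isOriginAllowedCurrent(origin) {
  if (origin === undefined || origin === null) return true;
  return ALLOWED_PATTERN.test(origin) || origin === FRONTEND_URL;
}

// Suggested fix: the missing-origin branch is gone, so a missing or
// non-string origin is rejected. The explicit type guard is needed because
// origin.match(...) would otherwise throw a TypeError on undefined.
function isOriginAllowedFixed(origin) {
  if (typeof origin !== 'string') return false;
  return ALLOWED_PATTERN.test(origin) || origin === FRONTEND_URL;
}

// Wrap a predicate in the (origin, callback) shape that cors() calls.
function toCorsOrigin(isAllowed) {
  return (origin, callback) => {
    if (isAllowed(origin)) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  };
}

// Drive a cors-style origin function and report the decision it makes.
function decide(originFn, origin) {
  let result = 'rejected';
  originFn(origin, (err, allowed) => {
    result = !err && allowed ? 'allowed' : 'rejected';
  });
  return result;
}

// Constructed sample origins: no header, explicit null, an allowed host,
// the configured frontend, and an unrelated site.
const sampleOrigins = [
  undefined,
  null,
  'https://app.vercel.app',
  FRONTEND_URL,
  'https://unrelated.example',
];

// Returns a table keyed by origin with the decision of each variant.
function compare() {
  const table = {};
  for (const origin of sampleOrigins) {
    table[String(origin)] = {
      current: decide(toCorsOrigin(isOriginAllowedCurrent), origin),
      fixed: decide(toCorsOrigin(isOriginAllowedFixed), origin),
    };
  }
  return table;
}

console.log(JSON.stringify(compare(), null, 2));
```

Running it shows the two variants agree on every origin except the missing one: the current callback allows `undefined` and `null`, the fixed one rejects them while still allowing the vercel.app host and the configured FRONTEND_URL. Two things worth keeping in mind when applying the fix in app.js: simply deleting the first branch leaves `origin.match(...)` to throw on an undefined origin, so reject it explicitly as above rather than relying on the exception; and, as the regular expression in the Code Context accepts any host under vercel.app, the allow-list remains broader than the single frontend even after this change.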