fix(serve): reject unsafe CORS origins (wildcard + credentials) at startup (GHSA-5mh2, 0.62.1) #422
Open
padak wants to merge 1 commit into
…artup (0.62.1)

create_app sets allow_credentials=True. Combined with `--cors-origin '*'` (or a malformed origin) Starlette reflects the request Origin and returns Access-Control-Allow-Credentials: true, letting any website read authenticated cross-origin responses.

Validate the origins in create_app: reject `*` and any non scheme://host[:port] value (raising ConfigError), surfaced by `kbagent serve` as a clean --cors-origin usage error. The default localhost dev set is unaffected.

Private advisory GHSA-5mh2-6xgr-rf89.
Summary
Fixes M6 from the 2026-06-12 security audit (private advisory GHSA-5mh2-6xgr-rf89) — a permissive-CORS misconfiguration in `kbagent serve`. `create_app` registers `CORSMiddleware` with `allow_credentials=True`. Combined with a wildcard `--cors-origin '*'` (or a malformed origin), Starlette reflects the request `Origin` back and returns `Access-Control-Allow-Credentials: true` — the textbook unsafe combination that lets any website read authenticated cross-origin responses from a victim's running `serve`. The previous code passed `cors_origins` straight into the middleware with no validation.

Fix
`create_app` now validates the origins via `_resolve_cors_origins`:
- `*` and any value that isn't a concrete `scheme://host[:port]` (no path/query/fragment, per the CORS Origin spec), raising `ConfigError`;
- `--cors-origin`) localhost dev set is unchanged, so normal use is unaffected — only the actively-dangerous wildcard/malformed config is refused.

`kbagent serve` catches the `ConfigError` and surfaces it as a clean `typer.BadParameter` usage error on `--cors-origin` (exit 2) instead of a traceback. The guard lives in `create_app` (the point where the credentialed middleware is configured) so the unsafe combination can't ship via any caller.

No regex / new imports in `app.py` — the origin check is a small structural predicate.

Tests
New `TestCorsCredentialsGuard` in `test_serve_ui.py`: parametrized rejection of `["*"]`, a mixed list containing `*`, a scheme-less origin, an origin with a path, and a `ws://` origin; parametrized acceptance of `None` (defaults) and explicit `http(s)://host[:port]` lists; plus a unit test of the `_is_valid_cors_origin` predicate. Full suite green: 4021 passed, 132 skipped; lint/format/ty/changelog clean.

Audit progress
Open advisories after this: M7 (silent plaintext-on-encrypt write — spans config/variables/data-app services), M8 (SSRF), M10 (version regex), plus the M5 residual (accepted) and M1 residual. M9 (npm `--ignore-scripts`) also remains.
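
A startup check of the kind the description above outlines, added here as an example; it is not the PR's code or the project's. `is_concrete_origin`, `resolve_origins`, `OriginConfigError` and the default list are hypothetical names and constructed values, and the check uses `urllib.parse` where the PR says its own predicate needs no new imports.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the default dev set; the real defaults are not on this page.
DEFAULT_DEV_ORIGINS = ["http://localhost:3000", "http://127.0.0.1:3000"]


class OriginConfigError(ValueError):
    """Hypothetical stand-in for the project's ConfigError."""


def is_concrete_origin(value):
    """True only for http(s)://host[:port] with nothing after the authority."""
    if not isinstance(value, str) or "*" in value:
        return False
    if any(ch.isspace() for ch in value):
        return False
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    # An Origin header carries no path, query or fragment, not even a trailing "/".
    if parts.path or parts.query or parts.fragment or value.endswith(("?", "#")):
        return False
    # Reject an empty port such as "http://host:".
    return not (port is None and parts.netloc.endswith(":"))


def resolve_origins(origins):
    """Return the list to pass as allow_origins, or raise before the app starts."""
    if origins is None:
        return list(DEFAULT_DEV_ORIGINS)
    bad = [o for o in origins if not is_concrete_origin(o)]
    if bad:
        raise OriginConfigError(
            f"unsafe CORS origin(s) with credentials enabled: {bad!r}"
        )
    return list(origins)
```

Calling `resolve_origins` before the credentialed middleware is registered means a rejected value stops startup instead of producing a server that answers every origin.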