From e22976cb46fe233d73add18ab288ac948520f6d6 Mon Sep 17 00:00:00 2001
From: Epitacio Neto
Date: Sat, 28 Dec 2024 13:16:18 +1100
Subject: [PATCH] CORS web security patch fix on doubtfire-api

---
 config/application.rb | 15 ++++++++++++---
 docker-compose.yml    |  6 ++++++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/config/application.rb b/config/application.rb
index df21df01b..7eb1aa3d1 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -177,12 +177,21 @@ class Application < Rails::Application
       Rails.root.join('app', 'models', 'similarity')
 
     # CORS config
-    config.middleware.insert_before Warden::Manager, Rack::Cors do
+    # config.middleware.insert_before Warden::Manager, Rack::Cors do
+    #   allow do
+    #     origins '*'
+    #     resource '*', headers: :any, methods: %i(get post put delete options)
+    #   end
+    # end
+
+    # Updated CORS Security Patch Fix
+    config.middleware.insert_before Warden::Manager, Rack::Cors do
       allow do
-        origins '*'
+        origins ENV['DF_ALLOWED_ORIGINS'].split(',')
         resource '*', headers: :any, methods: %i(get post put delete options)
       end
-    end
+    end
+
     # Generators for test framework
     if Rails.env.test?
       config.generators do |g|
diff --git a/docker-compose.yml b/docker-compose.yml
index 22520ccaa..9a97ee300 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,6 +14,12 @@ services:
     environment:
       RAILS_ENV: 'development'
 
+      # CORS Vulnerability Remediation
+      # The DF_ALLOWED_ORIGINS variable must reflect the exact URLs where the OnTrack app will be accessed (e.g., production, staging, or development URLs).
+      # Allowed origins must reflect the exact URLs where the OnTrack app will be accessed.
+      # Failure to update this variable with the correct origins will cause inaccessibility.
+      DF_ALLOWED_ORIGINS: "http://localhost:4200"
+
       DF_STUDENT_WORK_DIR: /student-work
       DF_INSTITUTION_HOST: http://localhost:3000
       DF_INSTITUTION_PRODUCT_NAME: OnTrack
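Review bot: `origins ENV['DF_ALLOWED_ORIGINS'].split(',')` raises NoMethodError on nil and aborts boot whenever the variable is unset, which is exactly the state of every deployment that has not been updated in step with docker-compose.yml, and the failure then surfaces as a middleware-stack trace rather than a message naming the missing setting. Splitting on ',' alone also keeps stray whitespace in each entry, so a value like `http://a, http://b` produces ` http://b`, which will not equal the Origin a browser sends; both are addressed by `origins ENV.fetch('DF_ALLOWED_ORIGINS').split(',').map(&:strip).reject(&:empty?)`, which fails fast with a KeyError that names the variable. Keeping it fail-fast rather than defaulting to `'*'` is the right choice here, since a silent fallback would reopen the hole this patch closes. The commented-out previous block is dead code that git history already preserves; delete it rather than leaving two CORS blocks for the next reader to reconcile.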
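Review bot: The second and third comment lines above `DF_ALLOWED_ORIGINS` repeat each other, and "will cause inaccessibility" does not tell an operator what breaks or how to write the value; the format is fixed by the `split(',')` in config/application.rb, so that is what the comment should document. Suggest collapsing the four lines to one: `# Comma-separated list (no spaces) of the exact browser origins, scheme://host[:port], the OnTrack web app is served from; Rack::Cors only sends CORS headers for these, so browsers block the app's API calls from any other origin.`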