LOW: CORS_ORIGIN accepts comma-separated origins without URL validation #82
Labels
No Label
architecture
backend
bug
feature
frontend
priority:critical
priority:high
priority:low
priority:medium
priority:nice-to-have
ux
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: null/BillTracker#82
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Bug Description
server.js:26-28 splits CORS_ORIGIN by comma and accepts any non-empty string as an allowed origin. No validation ensures these are valid URLs or match expected patterns. A typo like http://example.com vs https://example.com would silently allow the wrong origin.
Recommended Fix
Validate that each parsed origin is a valid URL with expected protocol (https in production).