LOW: CORS_ORIGIN accepts comma-separated origins without URL validation #82

Open
opened 2026-05-31 12:04:04 -05:00 by null · 0 comments
Owner

Bug Description

server.js:26-28 splits CORS_ORIGIN by comma and accepts any non-empty string as an allowed origin. No validation ensures these are valid URLs or match expected patterns. A typo like http://example.com vs https://example.com would silently allow the wrong origin.

Recommended Fix

Validate that each parsed origin is a valid URL with expected protocol (https in production).
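One way to implement the recommended validation, as an added example that is not code from the BillTracker repository: a parser that splits CORS_ORIGIN as server.js does, but rejects anything that is not a well-formed bare origin and only accepts https when running in production. It assumes the allowed list is handed to the `cors` middleware's `origin` option as an array and that production is derived from NODE_ENV.

```javascript
// Added example (not BillTracker's server.js). Parses CORS_ORIGIN into a
// validated, de-duplicated array of origins suitable for cors({ origin: [...] }).
class CorsConfigError extends Error {}

/**
 * @param {string} raw  value of CORS_ORIGIN, e.g. "https://a.example.com,https://b.example.com"
 * @param {object} opts { production: boolean } -- when true only https origins are accepted
 * @returns {string[]}  normalised origins (lower-cased host, default port dropped)
 */
function parseCorsOrigins(raw, { production = process.env.NODE_ENV === 'production' } = {}) {
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new CorsConfigError('CORS_ORIGIN is empty; refusing to start with no allowed origins');
  }
  const allowedProtocols = production ? ['https:'] : ['https:', 'http:'];
  const origins = new Set();

  for (const entry of raw.split(',')) {
    const candidate = entry.trim();
    if (candidate === '') continue;               // tolerate "a,,b" and trailing commas
    if (candidate === '*') {
      throw new CorsConfigError('wildcard "*" is not allowed in CORS_ORIGIN');
    }
    let url;
    try {
      url = new URL(candidate);                    // WHATWG URL parser, global in Node
    } catch {
      throw new CorsConfigError(`CORS_ORIGIN entry is not a valid URL: "${candidate}"`);
    }
    if (!allowedProtocols.includes(url.protocol)) {
      throw new CorsConfigError(`"${candidate}" must use ${allowedProtocols.join(' or ')}`);
    }
    // An origin is scheme://host[:port] only: reject paths, queries, fragments and
    // embedded credentials, which the URL parser would otherwise accept silently.
    if (url.pathname !== '/' || url.search !== '' || url.hash !== '' || url.username || url.password) {
      throw new CorsConfigError(`"${candidate}" is not a bare origin`);
    }
    origins.add(url.origin);
  }
  if (origins.size === 0) {
    throw new CorsConfigError('CORS_ORIGIN contains no usable origins');
  }
  return [...origins];
}

module.exports = { parseCorsOrigins, CorsConfigError };
```

Failing fast at startup turns the silent http-vs-https typo described above into a configuration error that is visible in the logs before any request is served.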

null added the backend, priority:low labels 2026-05-31 12:04:04 -05:00

Reference: null/BillTracker#82