Skip to content

fix(security): remove CORS wildcard from local HTTP API (SEC-001)#70

Open
abyssbugg wants to merge 1 commit into
mainfrom
program-s/pr-s1-cors
Open

fix(security): remove CORS wildcard from local HTTP API (SEC-001)#70
abyssbugg wants to merge 1 commit into
mainfrom
program-s/pr-s1-cors

Conversation

@abyssbugg

@abyssbugg abyssbugg commented Jul 10, 2026

Copy link
Copy Markdown
Owner

Summary

Fixes #62 — removes the Access-Control-Allow-Origin: * wildcard from the local HTTP API.

Finding

SEC-001 (CWE-942, MEDIUM): Any website visited by the user could fetch("http://127.0.0.1:6736/v1/usage") and read provider IDs, plan names, and usage metrics. The local HTTP API is for local apps, not browsers — CORS headers served no legitimate purpose.

Fix

Removed CORS_HEADERS constant and all CORS header injection from response builders. The API now returns same-origin-only responses. No browser can make cross-origin requests to the local API.

Tests Updated

  • route_options_returns_204_with_cors → removed CORS assertion (renamed conceptually, kept 204 check)
  • route_options_on_provider_returns_204 → removed CORS methods assertion
  • response_json_includes_cors_headers → renamed to response_json_does_not_include_cors_headers and inverted assertion
  • response_service_unavailable_returns_503_json → removed CORS assertion

Validation

  • cargo test ✅ 164 passed, 0 failed (all Rust tests green)
  • bun run build — timed out locally (environmental); CI will validate
  • bun run test — pre-existing jsdom/Node.js incompatibility (environmental, not caused by this change)

Regression Risk

Low — only affects browser-based cross-origin access. No internal app consumer uses CORS. The local HTTP API is consumed by the app itself (same-origin) and local CLI tools (no CORS needed).

Scope

1 file changed, 5 insertions, 16 deletions. No new tokens, no behavior changes beyond CORS removal.


Summary by cubic

Remove the CORS wildcard from the local HTTP API to block cross-origin access from arbitrary websites. This addresses SEC-001 by preventing pages from reading provider IDs, plan names, and usage metrics via localhost.

  • Bug Fixes
    • Removed CORS_HEADERS and stopped injecting CORS headers in JSON and 204 responses.
    • Updated tests to assert no CORS headers while keeping 204/503 behavior checks.

Written for commit 474f347. Summary will update on new commits.

Review in cubic

Note

Remove CORS wildcard headers from local HTTP API responses

Removes the CORS_HEADERS constant from server.rs and stops injecting Access-Control-Allow-* headers into response_json and response_no_content (204) responses. Tests are updated to assert that CORS headers are absent rather than present. Risk: any client relying on wildcard CORS headers from this API will no longer receive them.

Macroscope summarized 474f347.

Summary by Sourcery

Remove CORS headers from the local HTTP API responses to eliminate wildcard cross-origin access and tighten security.

Bug Fixes:

  • Prevent browser-based cross-origin access to the local usage endpoint by removing permissive CORS headers from JSON and 204 responses.

Enhancements:

  • Simplify HTTP response builders by dropping the unused CORS header constant and related header injection logic.

Tests:

  • Update local HTTP API tests to assert absence of CORS headers while preserving status code and content checks for OPTIONS and error responses.

@abyssbugg abyssbugg added security Security finding or hardening program-s Program S — Security Hardening labels Jul 10, 2026
@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@abyssbugg, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 51 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: abbc9224-e148-4ffa-b980-3d5198cbc08d

📥 Commits

Reviewing files that changed from the base of the PR and between 6fd9421 and 474f347.

📒 Files selected for processing (1)
  • src-tauri/src/local_http_api/server.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch program-s/pr-s1-cors

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Re-trigger cubic

@sourcery-ai

sourcery-ai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Removes the CORS wildcard and all related headers from the local HTTP API response builders and updates tests to assert their absence while preserving existing status codes and JSON behavior.

Sequence diagram for local HTTP API responses without CORS headers

sequenceDiagram
    actor Website
    participant Browser
    participant LocalHttpApi

    Website->>Browser: fetch(http://127.0.0.1:6736/v1/usage)
    Browser->>LocalHttpApi: HTTP GET /v1/usage
    LocalHttpApi->>LocalHttpApi: response_json(200, OK, body)
    LocalHttpApi-->>Browser: 200 OK without Access-Control-Allow-Origin
    Browser-->>Website: [CORS blocked by browser]
Loading

File-Level Changes

Change Details Files
Stop injecting CORS headers into local HTTP API responses and simplify response builders accordingly.
  • Deleted shared CORS_HEADERS constant that defined Access-Control-Allow-* headers.
  • Updated response_json to omit CORS headers from the formatted HTTP response string while keeping status, connection, content type, and content length unchanged.
  • Simplified response_no_content to return a fixed 204 No Content response string without extra headers and removed its dependency on CORS_HEADERS.
src-tauri/src/local_http_api/server.rs
Align tests with new CORS behavior while keeping routing and status code expectations intact.
  • Removed CORS header presence assertions from OPTIONS route tests but kept 204 status checks for /v1/usage and /v1/usage/{provider}.
  • Renamed the JSON response CORS test to assert that CORS headers are not present and still validate JSON content type.
  • Updated the 503 Service Unavailable response test to assert absence of CORS headers while still checking the error payload and status code.
src-tauri/src/local_http_api/server.rs

Assessment against linked issues

Issue Objective Addressed Explanation
#62 Remove CORS headers (including the Access-Control-Allow-Origin wildcard and related headers) from all local HTTP API responses in src-tauri/src/local_http_api/server.rs.
#62 Update existing tests in server.rs (around lines 263, 319, 348) so they no longer assert the presence of wildcard CORS headers and instead reflect the new behavior without CORS.

Possibly linked issues

  • #SEC-001: PR implements SEC-001 fix by removing CORS headers from local HTTP API responses and adjusting tests accordingly.

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The test name route_options_returns_204_with_cors no longer matches its behavior after the CORS removal; consider renaming it to reflect that it's just validating the 204 response.
  • Given that CORS is fully removed, revisit whether the explicit OPTIONS handling is still needed for the local API or if it can be simplified to reduce surface area.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The test name `route_options_returns_204_with_cors` no longer matches its behavior after the CORS removal; consider renaming it to reflect that it's just validating the 204 response.
- Given that CORS is fully removed, revisit whether the explicit `OPTIONS` handling is still needed for the local API or if it can be simplified to reduce surface area.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

program-s Program S — Security Hardening security Security finding or hardening

Projects

None yet

Development

Successfully merging this pull request may close these issues.

SEC-001: Local HTTP API CORS wildcard allows cross-origin usage data access

1 participant