
Patch critical CORS misconfiguration and dependency vulnerabilities #2

Draft
Copilot wants to merge 8 commits into main from copilot/patch-security-vulnerabilities

Conversation


Copilot AI commented Feb 11, 2026

Summary

Fixed CORS misconfiguration allowing unrestricted cross-origin requests and updated 5 vulnerable dependencies with known CVEs.

Changes

CORS Security Hardening

Files: demo/realtime-txt2img/main.py, demo/realtime-img2img/main.py

  • Restricted allow_origins from ["*"] to localhost-only
  • Added validated ALLOWED_ORIGINS env var for additional origins
  • Restricted allow_methods from ["*"] to ["GET", "POST"]
  • Restricted allow_headers from ["*"] to ["Content-Type", "Accept"]
  • Implemented URL validation using urllib.parse.urlparse() with scheme, netloc, whitespace, and length checks
# Before
allow_origins=["*"]  # Any origin accepted

# After
import os
from urllib.parse import urlparse

allowed_origins = ["http://localhost:7860", "http://127.0.0.1:7860"]
additional_origins = os.environ.get("ALLOWED_ORIGINS", "")
if additional_origins:
    for origin in additional_origins.split(","):
        origin = origin.strip()  # strip once so the checks and the stored value agree
        parsed = urlparse(origin)
        # Accept only http(s) origins with a host, no embedded whitespace, under 200 chars
        if (parsed.scheme in ("http", "https") and parsed.netloc and
                len(origin) < 200 and not any(c.isspace() for c in origin)):
            allowed_origins.append(origin)

Dependency Updates

Files: setup.py, demo/realtime-img2img/requirements.txt

| Package  | Version           | CVEs fixed                                |
|----------|-------------------|-------------------------------------------|
| protobuf | 3.20.2 → 5.29.6   | DoS, JSON recursion depth bypass          |
| onnx     | 1.15.0 → 1.17.0   | Path traversal, arbitrary file overwrite  |
| Pillow   | 10.1.0 → 10.3.0   | Arbitrary code execution, buffer overflow |
| fastapi  | 0.104.1 → 0.109.1 | ReDoS                                     |
| uvicorn  | 0.24.0 → 0.25.0   | Compatibility                             |

Validation

  • GitHub Advisory Database: 0 vulnerabilities in updated dependencies
  • CodeQL: 0 alerts
Original prompt

This section details the original issue you should resolve

<issue_title>Patch security</issue_title>
<issue_description></issue_description>

Comments on the Issue (you are @copilot in this section)
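As an added example (not code from this PR or the project), a stricter version of the same ALLOWED_ORIGINS parsing described above. It goes beyond the PR's check: because a browser sends Origin as exactly scheme://host[:port], entries carrying a path, query, fragment, userinfo, wildcard or uppercase scheme can never match and are rejected up front instead of being kept as dead list entries. The resulting list is what would be passed to CORSMiddleware's allow_origins; the function and constant names are my own.

```python
import os
from typing import Optional
from urllib.parse import urlparse

# Localhost-only baseline, the same defaults the PR introduces.
DEFAULT_ORIGINS = ["http://localhost:7860", "http://127.0.0.1:7860"]
MAX_ORIGIN_LEN = 200  # same length cap as the PR's check


def is_valid_origin(origin: str) -> bool:
    """Accept only values that can actually equal a browser Origin header."""
    if not origin or len(origin) >= MAX_ORIGIN_LEN:
        return False
    # No whitespace and no wildcard pattern: allow_origins matches exact strings.
    if any(c.isspace() for c in origin) or "*" in origin:
        return False
    parsed = urlparse(origin)
    if parsed.scheme not in ("http", "https"):
        return False
    if not parsed.hostname:
        return False
    # user:pass@host never appears in an Origin header; treat it as a typo or smuggling attempt.
    if parsed.username is not None or parsed.password is not None:
        return False
    # Origin has no path, params, query or fragment; such entries would never match.
    if parsed.path or parsed.params or parsed.query or parsed.fragment:
        return False
    # Rebuilding from scheme://netloc must give the input back unchanged. This
    # also rejects an uppercase scheme, which urlparse lowercases and a browser
    # never sends.
    return f"{parsed.scheme}://{parsed.netloc}" == origin


def load_allowed_origins(env_value: Optional[str] = None) -> list:
    """Defaults plus every validated, de-duplicated entry of ALLOWED_ORIGINS."""
    if env_value is None:
        env_value = os.environ.get("ALLOWED_ORIGINS", "")
    allowed = list(DEFAULT_ORIGINS)
    for raw in env_value.split(","):
        origin = raw.strip()  # tolerate "a, b" spacing from the environment
        if is_valid_origin(origin) and origin not in allowed:
            allowed.append(origin)
    return allowed
```

Invalid entries are dropped silently here; in a real deployment, log each rejected value so a mistyped origin shows up at startup rather than as an unexplained CORS failure.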



Copilot AI and others added 7 commits February 11, 2026 04:02
Co-authored-by: cybermorena <168934764+cybermorena@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add patch for security vulnerabilities" to "Patch critical CORS misconfiguration and dependency vulnerabilities" Feb 11, 2026
Copilot AI requested a review from cybermorena February 11, 2026 04:14
Owner

@cybermorena cybermorena left a comment


More color

Author

Copilot AI commented Feb 11, 2026

> More color

Could you clarify what you mean by "More color"? Are you referring to:

  • Adding colored terminal output/logging?
  • Improving code documentation?
  • Something else?

I want to make sure I implement the right enhancement.

Successfully merging this pull request may close these issues.

Patch security

2 participants