Skip to content

security: scope CORS to loopback + block cross-origin config/stop (PER-8600/8601/8602/8603)#2282

Open
Shivanshu-07 wants to merge 2 commits into
masterfrom
security/PER-8600-8603-server-origin-hardening
Open

security: scope CORS to loopback + block cross-origin config/stop (PER-8600/8601/8602/8603)#2282
Shivanshu-07 wants to merge 2 commits into
masterfrom
security/PER-8600-8603-server-origin-hardening

Conversation

@Shivanshu-07

@Shivanshu-07 Shivanshu-07 commented Jun 14, 2026
edited by atlassian Bot
Loading

Copy link
Copy Markdown
Contributor

Summary

Fifth (final contained) percy-cli security PR — the local-server origin findings (deadline 2026-06-16) + chain PER-8626.

Ticket CWE Finding
PER-8602 CWE-942 CORS wildcard enables cross-origin state mutation
PER-8600 CWE-306 Missing auth on the process-terminating endpoint
PER-8601 CWE-306 Unauthenticated live config mutation via POST /percy/config
PER-8603 CWE-915 Live config mass assignment

The constraint

The local API is unauthenticated by design — every SDK posts to it without credentials. The real exploit path in these findings is a malicious website the user is visiting reaching http://localhost:5338 from the browser. The fix defends that vector without breaking the SDK contract.

Changes

server.js (PER-8602): the CORS middleware no longer returns Access-Control-Allow-Origin: *. It reflects the request Origin only when it's loopback (isLoopbackOriginlocalhost/127.0.0.1/::1/*.localhost, any port). Arbitrary sites get no ACAO and can't read local-server responses (build data, config). Node SDK clients don't use CORS; loopback browser tooling (e.g. the Storybook manager on localhost:6006) still works.

api.js (PER-8600 / PER-8601): assertNotCrossOrigin() rejects (403) any POST /percy/config or /percy/stop request carrying a non-loopback Origin header. Node SDK clients send no Origin → unaffected; a malicious site's cross-origin fetch → blocked.

PER-8603: already mitigated by the existing stripBlockedConfigFields (httpReadOnly) control; the cross-origin guard adds defense against browser-driven mutation.

Why not Host-validation

The server binds to all interfaces by default (PERCY_SERVER_HOST, default ::), so Dockerized SDKs legitimately reach it via a non-loopback Host. Origin-based checks defend the browser vector without breaking those setups.

Verification

  • isLoopbackOrigin verified (localhost/127.0.0.1/*.localhost allowed; evil.com/empty/undefined rejected); both files node --check clean.
  • Added unit tests: cross-origin /config POST rejected + config unmutated; loopback /config POST allowed; cross-origin /stop rejected + percy.stop not called.
  • Existing config/stop tests use Node request helpers (no Origin) → unaffected.

Closes PER-8602; closes the browser-origin vector for PER-8600/8601/8603 and chain PER-8626.

Residual (flagged): a no-Origin top-level navigation/<img> GET to /percy/stop isn't covered by an Origin check, and full request authentication (a token adopted by all SDKs) remains a larger coordinated change. This PR closes the cross-origin (CORS/fetch) vector the findings exploit; full auth tracked as follow-up.

🤖 Generated with Claude Code

@Shivanshu-07 @claude
security: scope CORS to loopback + block cross-origin config/stop (PE…
cd7f49c 
…R-8600/8601/8602/8603)

The local Percy server is unauthenticated by design (SDKs post to it), but it
served `Access-Control-Allow-Origin: *` and accepted state-changing requests
from any origin, so a malicious website the user was visiting could read
responses from, mutate the live config of, or stop the local server via the
browser.

PER-8602 (CWE-942) — replace the wildcard ACAO with loopback-origin-only
reflection in the server CORS middleware (isLoopbackOrigin). Non-loopback
origins receive no ACAO, so arbitrary sites can no longer read local-server
responses. Node SDK clients don't use CORS and are unaffected; loopback browser
tooling (any localhost port) still works.

PER-8600 / PER-8601 (CWE-306/CWE-352) — add assertNotCrossOrigin() and apply it
to the state-changing endpoints POST /percy/config and /percy/stop: a request
carrying a non-loopback Origin header is rejected (403). Node SDK clients send
no Origin and are unaffected.

PER-8603 (CWE-915, mass assignment) — already mitigated by the existing
stripBlockedConfigFields (httpReadOnly) control on /percy/config; the
cross-origin guard further prevents unauthenticated browser-driven mutation.

Host-based validation was deliberately NOT added: the server binds to all
interfaces by default (PERCY_SERVER_HOST, default `::`), so Dockerized SDKs
legitimately reach it via a non-loopback Host. Origin-based checks defend the
browser attack vector without breaking those setups.

Adds unit tests for the cross-origin config/stop rejection and loopback allow.

NOTE: fully authenticating the local API (a shared token adopted by every SDK)
remains a larger coordinated change; this PR closes the browser-origin vector
that the findings (and chain PER-8626) actually exploit.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Shivanshu-07 Shivanshu-07 requested a review from a team as a code owner June 14, 2026 16:55
github-advanced-security[bot]
github-advanced-security AI found potential problems Jun 14, 2026
View reviewed changes
Comment thread packages/core/src/server.js
let origin = req.headers.origin;
let originAllowed = isLoopbackOrigin(origin);
if (originAllowed) {
res.setHeader('Access-Control-Allow-Origin', origin);
@Shivanshu-07 @claude
test: update CORS preflight spec for loopback-scoped origins; drop de…
8d04218 
…ad [::1] branch

The CORS hardening changed Access-Control-Allow-Origin from a wildcard '*'
to an echoed loopback origin (and omits CORS headers entirely for missing/
non-loopback origins). The existing 'handles CORS preflight requests' spec
still asserted '*' and was not updated, so it would fail in CI. Rewrite it to
send a loopback Origin and assert the echoed value, and add a negative case
covering missing and cross-origin requests.

Also remove the dead 'host === "[::1]"' branch in isLoopbackOrigin: URL.hostname
strips the brackets from an IPv6 literal, so it normalises to '::1' and the
bracketed comparison can never match.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Shivanshu-07

Shivanshu-07 commented Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

Claude Code PR Review

PR: #2282Head: 8d04218Reviewers: stack:code-reviewer

Summary

Scopes the local Percy CLI API server's CORS to loopback origins and blocks cross-origin state changes (PER-8600/8601/8602/8603, CWE-942/CWE-352). isLoopbackOrigin() gates Access-Control-Allow-Origin so the server only echoes a loopback origin (never *) and omits CORS headers for missing/non-loopback origins; assertNotCrossOrigin guards /percy/config POST and /percy/stop. Node SDK clients (no Origin header) are unaffected.

Review Table

Priority Category Check Status Notes
High Security Cross-origin reads blocked (CORS) Pass Access-Control-Allow-Origin only echoed for loopback; verified: loopback→echo, no-origin/evil→absent
High Security Cross-origin state changes blocked Pass assertNotCrossOrigin on /percy/config POST + /percy/stop
High Correctness No test regression Fixed in this cycle The existing preflight spec still asserted '*' and would break CI — updated (commit 8d04218)
High Correctness Legitimate SDK traffic preserved Pass No-Origin requests still succeed (204), unaffected by the guard
Medium Testing New behavior tested Pass api.test.js cross-origin tests + rewritten server.test.js preflight + negative case
Low Quality No dead code Fixed in this cycle Removed unreachable host === '[::1]' branch (URL.hostname strips brackets)

Findings (all resolved or non-blocking)

  • File: packages/core/test/unit/server.test.js:244Severity: High — RESOLVED

  • Issue: handles CORS preflight requests asserted access-control-allow-origin: '*', which the patch no longer emits → CI failure. The PR updated api.test.js but not this spec.

  • Resolution: Rewrote the spec to send a loopback Origin and assert the echoed value + methods/headers, and added a negative spec asserting CORS headers are absent for missing and cross-origin requests. Verified against the real server (commit 8d04218).

  • File: packages/core/src/server.js (isLoopbackOrigin) — Severity: Low — RESOLVED

  • Issue: host === '[::1]' is dead — new URL('http://[::1]').hostname returns ::1 (brackets stripped).

  • Resolution: Removed the bracketed branch, kept ::1, with a clarifying comment.

Non-blocking follow-ups (Low/pre-existing, out of scope): consider a Host-header allowlist to fully close DNS-rebinding (server binds 0.0.0.0/::); set Vary: Origin unconditionally; call assertNotCrossOrigin for all /percy/config POSTs rather than only when a body is present.

Verdict: PASS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pankaj443 pankaj443 Awaiting requested review from pankaj443 pankaj443 is a code owner automatically assigned from percy/percy-product-reviewers

@amandeepsingh333 amandeepsingh333 Awaiting requested review from amandeepsingh333 amandeepsingh333 is a code owner automatically assigned from percy/percy-product-reviewers

1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Shivanshu-07 @github-advanced-security