CORS Security Patch Fix on files docker-compose.yml and config/application.rb

[epineto]

Title: "Security Patch Fix: Addressing CORS Vulnerability for OnTrack Application"

---

Summary:
This PR addresses a Cross-Origin Resource Sharing (CORS) vulnerability in the OnTrack application caused by the use of the Access-Control-Allow-Origin: * header. The current configuration poses significant security risks by allowing unrestricted cross-origin access.

---

Impacts:

• Unauthorized Access:
  Any website can interact with the API, potentially leading to data leakage or abuse.
• Increased Attack Surface:
  Vulnerable to cross-origin attacks and other malicious activities.
• Compliance Risks:
  Violates security and privacy standards.

---

Remediation:

• Preferred Option: Restrict Access-Control-Allow-Origin:
  • Implement a restrictive CORS policy using the DF_ALLOWED_ORIGINS environment variable for flexibility.
  • Update backend configurations in:
    • Docker: /doubtfire-api/docker-compose.yml
    • Rails: /doubtfire-api/config/application.rb

Configuration Updates:

1. Docker:

   • Add the following environment variable:

     DF_ALLOWED_ORIGINS: "http://localhost:4200,https://example.com"

   • Notes:
     • The DF_ALLOWED_ORIGINS variable must reflect the exact URLs where the OnTrack app will be accessed (e.g., production, staging, or development environments).
     • Failure to update this variable correctly will result in inaccessibility for valid clients.

2. Rails:

   • Add middleware configuration in application.rb:

     config.middleware.insert_before Warden::Manager, Rack::Cors do
       allow do
         origins ENV['DF_ALLOWED_ORIGINS'].split(',')
         resource '*', headers: :any, methods: %i[get post put delete options]
       end
     end

---

Files docker-compose.yml and config/application.rb have been updated

[washyking]

This Pr addresses a big security issue by improving the CORS configuration. Restricting the allowed origin is very wise.
I tested this using a curl request. See image below.
This shows me sending from the accepted 4200 url as you can see its accepted cors

This details me sending with a bad origin url "malicious" as you can see the cors does not show up

Good job on the task.

[epineto]

Thanks @washyking for conducting tests and also being very diligent!

[nodogx]

The code logic looks really good. I have tried to get the CORS headers as well for an unauthorised website, which it doesn't give. Which shows it works as intended :)

Unauthorised Website

Authorised Website

Headers:

[aNebula]

Hi @epineto - the changes look good to me, well done. To make lasting contributions, please open upstream pull request with these changes against doubtfire-lsm/doubtfire-api, 8.0.x branch

[epineto]

Hi @aNebula, sure, will do! Thanks.

[epineto]

Hi @epineto - the changes look good to me, well done. To make lasting contributions, please open upstream pull request with these changes against doubtfire-lsm/doubtfire-api, 8.0.x branch

Hi @aNebula , PR submitted as requested: doubtfire-lms#452

Thanks, Epi