thoth-tech · epineto · Dec 10, 2024 · Dec 10, 2024 · Dec 10, 2024 · Dec 12, 2024
diff --git a/config/application.rb b/config/application.rb
@@ -177,12 +177,21 @@ class Application < Rails::Application
       Rails.root.join('app', 'models', 'similarity')
 
     # CORS config
-    config.middleware.insert_before Warden::Manager, Rack::Cors do
+    # config.middleware.insert_before Warden::Manager, Rack::Cors do
+    #  allow do
+    #    origins '*'
+    #    resource '*', headers: :any, methods: %i(get post put delete options)
+    #  end
+    # end
+
+    # Updated CORS Security Patch Fix
+     config.middleware.insert_before Warden::Manager, Rack::Cors do
       allow do
-        origins '*'
+        origins ENV['DF_ALLOWED_ORIGINS'].split(',')
         resource '*', headers: :any, methods: %i(get post put delete options)
       end
-    end
+     end
+
     # Generators for test framework
     if Rails.env.test?
       config.generators do |g|

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -14,6 +14,12 @@ services:
     environment:
       RAILS_ENV: 'development'
 
+      # CORS Vulnerability Remediation
+      # The DF_ALLOWED_ORIGINS variable must reflect the exact URLs where the OnTrack app will be accessed (e.g., production, staging, or development URLs).
+      # Allowed origins must reflect the exact URLs where the OnTrack app will be accessed.
+      # Failure to update this variable with the correct origins will cause inaccessibility.
+      DF_ALLOWED_ORIGINS: "http://localhost:4200"
+
       DF_STUDENT_WORK_DIR: /student-work
       DF_INSTITUTION_HOST: http://localhost:3000
       DF_INSTITUTION_PRODUCT_NAME: OnTrack