fix(docker): configure CORS for frontend in docker-compose#1700
Open
anshul23102 wants to merge 2 commits into
Open
fix(docker): configure CORS for frontend in docker-compose#1700anshul23102 wants to merge 2 commits into
anshul23102 wants to merge 2 commits into
Conversation
Issue utksh1#1620: plugin parsers previously inherited the parent's full network stack. A malicious parser.py could exfiltrate scan findings to an attacker-controlled server over a plain socket, with no control here. Fix: on Linux with unprivileged user namespaces, spawn parser subprocesses in a fresh network namespace with 'unshare --user --net'. The child has no network interfaces configured except a loopback that is down by default, so it cannot reach any host. Parsers only transform text already captured from the scanner (never network-bound); they have zero legitimate need for network access. Unshare capability is probed once at startup via _unshare_net_supported(), which checks platform, binary availability, and runtime support. On non-Linux hosts or if the capability check fails for any reason (restrictive container runtime, disabled user namespaces, etc.), we warn once and fail open, spawning without isolation, rather than refusing all plugins. The broader threat model is documented in docs/plugins/plugin-security-checklist.md. Testing: - testing/backend/integration/test_parser_network_isolation.py: 4 tests covering capability probe, argv construction with/without isolation, and successful parser execution under isolation. - pytest testing/backend/integration -q -m "not benchmark" -- 288 passed, 9 skipped (284 baseline + 4 new) - ruff check backend/secuscan/parser_sandbox.py -- all checks passed Fixes utksh1#1620
Issue utksh1#1622: the docker-compose configuration was missing CORS setup for the frontend service. Frontend runs on port 5173, API on port 8081, both accessible via multiple origins (localhost, 127.0.0.1, and the Docker service name 'frontend'). Without explicit CORS_ALLOWED_ORIGINS, the backend's CORS middleware would reject requests from the frontend, blocking API calls. Fix: set SECUSCAN_CORS_ALLOWED_ORIGINS environment variable in the api service to allow requests from http://localhost:5173, http://127.0.0.1:5173, and http://frontend:5173 (Docker internal DNS). This ensures the frontend can make API calls whether accessed via localhost, IP, or internal Docker service name. Fixes utksh1#1622
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #1622
The docker-compose configuration was missing CORS setup for the frontend service. Frontend runs on port 5173, API on port 8081. Without explicit CORS_ALLOWED_ORIGINS, the backend's CORS middleware would reject requests from the frontend, blocking API calls.
Fix: set SECUSCAN_CORS_ALLOWED_ORIGINS environment variable in the api service to allow requests from:
This ensures the frontend can make API calls whether accessed via localhost, IP, or internal Docker service name.