Project
vgrep
Description
The vgrep server uses allow_origin(Any) for CORS. The browser therefore lets any website the user visits send requests to the local server and read the responses. While this makes integration easy, it means a malicious website could:
- Search your codebase
- Extract code snippets from the results
- Generate embeddings of sensitive data
Error Message
Debug Logs
System Information
- Bounty Version: 0.1.0
- OS: Ubuntu 24.04 LTS
- Rust: 1.75+
Screenshots
No response
Steps to Reproduce
- Start vgrep server:
vgrep serve
- Visit a malicious website in a browser on the same machine
- The website's JavaScript makes a fetch to
http://127.0.0.1:7777/search
- Because the server allows any origin, the browser lets the website's script read your search results
Expected Behavior
- Default to sending no CORS headers at all: the server already listens on 127.0.0.1, and a local CLI or editor client does not need CORS
- Configurable allowed origins (an exact-match allow-list, not a wildcard)
- Or require authentication for cross-origin requests (the stronger option: a request without the credential is rejected before any search runs, whereas CORS only stops the page from reading the response)
Actual Behavior
- Any website can make requests to the server and read the responses
- No authentication required
- Full access to search and embed endpoints
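The following is an added example, not vgrep's own code: a standard-library-only model of the CORS decision a local HTTP server makes, with the permissive allow_origin(Any) behaviour beside an exact-match origin allow-list and an optional bearer token. It assumes that allow_origin(Any) answers every origin with a wildcard Access-Control-Allow-Origin header (the tower-http CorsLayer behaviour; the issue does not name the crate). The editor origin http://localhost:3000, the token, the query strings and the three raw requests are constructed sample values.

```rust
// Added example, not vgrep's own code. Models the CORS decision a local
// HTTP server makes for one request: the permissive allow_origin(Any)
// policy beside an exact-match allow-list and an optional bearer token.
// Origins, paths and the token below are constructed sample values.
use std::collections::HashMap;

/// Which browser origins may read responses (the Access-Control-Allow-Origin policy).
#[derive(Debug)]
pub enum OriginPolicy {
    /// Equivalent of allow_origin(Any): answer every origin with `*`.
    Any,
    /// Exact-match allow-list, e.g. the origin of a trusted editor extension.
    List(Vec<String>),
}

/// Minimal request model: method plus headers with lowercased names.
#[derive(Debug)]
pub struct Request {
    pub method: String,
    pub headers: HashMap<String, String>,
}

impl Request {
    /// Parse a raw HTTP/1.1 request head (request line, headers, blank line).
    pub fn parse(raw: &str) -> Option<Request> {
        let mut lines = raw.lines();
        let method = lines.next()?.split_whitespace().next()?.to_string();
        let mut headers = HashMap::new();
        for line in lines {
            if line.is_empty() {
                break;
            }
            let (name, value) = line.split_once(':')?;
            headers.insert(name.trim().to_ascii_lowercase(), value.trim().to_string());
        }
        Some(Request { method, headers })
    }
}

/// Outcome of applying the policy to one request.
#[derive(Debug, PartialEq)]
pub enum Decision {
    /// Served, and a page at this origin may read the body
    /// (the value to send in Access-Control-Allow-Origin).
    ReadableBy(String),
    /// Served without CORS headers: a browser page cannot read the body
    /// (although the search still ran); a CLI client is unaffected.
    ServedNoCors,
    /// Refused before any work is done.
    Unauthorized,
}

/// Constant-time byte comparison so the token check does not leak via timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Decide how to answer `req`. `required_token` is a hypothetical shared
/// secret the legitimate client sends as `Authorization: Bearer <token>`.
pub fn decide(policy: &OriginPolicy, required_token: Option<&str>, req: &Request) -> Decision {
    if let Some(expected) = required_token {
        let presented = req.headers.get("authorization").and_then(|v| v.strip_prefix("Bearer "));
        match presented {
            Some(t) if ct_eq(t.as_bytes(), expected.as_bytes()) => {}
            _ => return Decision::Unauthorized,
        }
    }
    // No Origin header: same-origin navigation or a non-browser client such
    // as a CLI; CORS does not apply.
    let origin = match req.headers.get("origin") {
        Some(o) => o,
        None => return Decision::ServedNoCors,
    };
    match policy {
        OriginPolicy::Any => Decision::ReadableBy("*".to_string()),
        // Exact match only: never reflect the caller's origin, and treat the
        // opaque origin "null" (sandboxed frames, file://) as untrusted.
        OriginPolicy::List(allowed)
            if origin.as_str() != "null" && allowed.iter().any(|a| a == origin) =>
        {
            Decision::ReadableBy(origin.clone())
        }
        OriginPolicy::List(_) => Decision::ServedNoCors,
    }
}

/// Constructed sample requests (not captured traffic).
pub const EVIL_REQ: &str = "GET /search?q=AWS_SECRET_ACCESS_KEY HTTP/1.1\r\nHost: 127.0.0.1:7777\r\nOrigin: https://evil.example\r\n\r\n";
pub const EDITOR_REQ: &str = "GET /search?q=fn%20main HTTP/1.1\r\nHost: 127.0.0.1:7777\r\nOrigin: http://localhost:3000\r\nAuthorization: Bearer s3cret-dev-token\r\n\r\n";
pub const CLI_REQ: &str = "GET /search?q=fn%20main HTTP/1.1\r\nHost: 127.0.0.1:7777\r\nAuthorization: Bearer s3cret-dev-token\r\n\r\n";
pub const TOKEN: &str = "s3cret-dev-token";

fn main() {
    let allow_list = OriginPolicy::List(vec!["http://localhost:3000".to_string()]);
    for (who, raw) in [("malicious page", EVIL_REQ), ("editor extension", EDITOR_REQ), ("cli", CLI_REQ)] {
        let req = Request::parse(raw).expect("sample request is well-formed");
        println!(
            "{who} ({}): Any => {:?}; allow-list => {:?}; allow-list + token => {:?}",
            req.method,
            decide(&OriginPolicy::Any, None, &req),
            decide(&allow_list, None, &req),
            decide(&allow_list, Some(TOKEN), &req),
        );
    }
}
```

Two points the model makes visible. First, binding to 127.0.0.1 does not help against a browser running on the same machine, so an origin allow-list is the minimum: the allow-list answers the malicious page with no CORS header and the browser withholds the body, but for a simple GET the request was still sent and the search still ran. Second, the token is what stops the server doing any work for an unauthenticated caller, which is why the authentication option above is the stronger fix. Preflight (OPTIONS) handling is not modelled. If the server does use tower-http, the allow-list form is, to my knowledge, passing a list of HeaderValue origins to allow_origin instead of Any (stated as an assumption, since the issue does not name the crate).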
Additional Context
No response