Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue with HTTP Headers of REST API that allow for remote code execution #726

Open
chrishoage opened this issue Nov 22, 2024 · 1 comment
Open

Security issue with HTTP Headers of REST API that allow for remote code execution #726

chrishoage opened this issue Nov 22, 2024 · 1 comment
Labels
soon
Milestone
Unknown

Comments

@chrishoage
Copy link
Contributor

There are CORS headers that allow any Origin to make a request to dagu

dagu/internal/frontend/middleware/global.go

Lines 122 to 133 in e66978d

func cors(h http.Handler) http.Handler {
return http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
w.Header().Add("Access-Control-Allow-Origin", "*")
w.Header().Add("Access-Control-Allow-Methods", "*")
w.Header().Add("Access-Control-Allow-Headers", "*")
if r.Method == http.MethodOptions {
return
}
h.ServeHTTP(w, r)
})
}

dagu/internal/frontend/middleware/global.go

Line 28 in e66978d

next := cors(handler)

By using * as the value for these CORS headers that means that any website a user loads could make a request to dagu under certain conditions and be a pathway for remote code execution (as code execution is the purpose of dagu)

My assumption is that these overly-lax headers were added to support development of the UI on a separate port for quick iteration

dagu/ui/webpack.dev.js

Lines 10 to 13 in e66978d

devServer: {
historyApiFallback: true,
port: 8081,
},

If this was indeed the reason for these lax CORS headers, my recommendation would be to use the Webpack Dev Serer proxy feature built into the dev server. This will allow the browser to make requests dev server on port 8081 and have those requests forwarded to port 8080 bypassing any CORS related issues.

The CORS headers in dagu should either be deleted, or be configurable with a default "secure" setting of "off". In almost no cases would we want such a lax policy of *. If CORS headers are needed and configuration a user could configure them to the specific origin they trust and wish to have access.

To illustrate, the attack would look like this:

  1. Dagu is running on http://localhost:8080
  2. You visit http://attacker-site.com
  3. Javascript on http://attacker-site.com POSTS to http://localhost:8080/dags with a malicious dag payload
  4. Javascript on http://attacker-site.com POSTS to http://localhost:8080/dags/{dagId} to execute their malicious paylaod

If docker is exposed to dagu this would also give the attacker root level privileges.
@yohamta
Copy link
Collaborator

yohamta commented Nov 24, 2024
edited
Loading

Thanks for raising this important security concern! You're absolutely right, allowing any origin via the * wildcard in CORS headers presents a significant security risk, especially given dagu's purpose of code execution. Will address this issue in the earliest convenience.

@yohamta yohamta added this to the v2.0.0-alpha.1 milestone Nov 24, 2024
@yohamta yohamta added the soon label Nov 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
soon
Projects
None yet
Milestone
Unknown
Development

No branches or pull requests
2 participants
@chrishoage @yohamta