deckide 3.5.8 → 3.5.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/websocket.js +4 -2
- package/package.json +1 -1
package/dist/websocket.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import crypto from 'node:crypto';
|
|
2
2
|
import { WebSocketServer } from 'ws';
|
|
3
|
-
import { PORT, TRUST_PROXY, CORS_ORIGIN } from './config.js';
|
|
3
|
+
import { PORT, TRUST_PROXY, CORS_ORIGIN, NODE_ENV } from './config.js';
|
|
4
4
|
import { logSecurityEvent } from './middleware/security.js';
|
|
5
5
|
import { verifyWebSocketAuth } from './middleware/auth.js';
|
|
6
6
|
const MIN_TERMINAL_SIZE = 1;
|
|
@@ -99,8 +99,10 @@ export function setupWebSocketServer(server, terminals) {
|
|
|
99
99
|
const socketId = crypto.randomUUID();
|
|
100
100
|
const clientIP = getClientIP(req);
|
|
101
101
|
// Validate Origin header to prevent Cross-Site WebSocket Hijacking
|
|
102
|
+
// Skip check if CORS_ORIGIN is '*' or unset in development mode
|
|
103
|
+
const skipOriginCheck = CORS_ORIGIN === '*' || (!CORS_ORIGIN && NODE_ENV !== 'production');
|
|
102
104
|
const origin = req.headers['origin'];
|
|
103
|
-
if (origin &&
|
|
105
|
+
if (origin && !skipOriginCheck && !WS_ALLOWED_ORIGINS.has(origin)) {
|
|
104
106
|
logSecurityEvent('WS_INVALID_ORIGIN', { ip: clientIP, origin });
|
|
105
107
|
socket.close(1008, 'Invalid origin');
|
|
106
108
|
return;
|