tlc-claude-code 1.4.8 → 1.4.9

package/server/lib/security/cors-validator.js

@@ -0,0 +1,278 @@
+/**
+ * CORS Validator Module
+ *
+ * Strict CORS configuration to prevent cross-origin attacks.
+ * Addresses OWASP A05: Security Misconfiguration
+ */
+
+/**
+ * Custom error for CORS security violations
+ */
+export class CorsSecurityError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = 'CorsSecurityError';
+  }
+}
+
+/**
+ * Simple headers that don't need explicit CORS allowance
+ */
+const SIMPLE_HEADERS = ['accept', 'accept-language', 'content-language', 'content-type'];
+
+/**
+ * Validate an origin against allowed origins
+ * @param {string|null} origin - Origin to validate
+ * @param {Object} options - Validation options
+ * @returns {Object} Validation result
+ */
+export function validateOrigin(origin, options = {}) {
+  const {
+    allowedOrigins = [],
+    production = false,
+    allowNull = false,
+  } = options;
+
+  // Check wildcard in production
+  if (allowedOrigins.includes('*') && production) {
+    throw new CorsSecurityError('Wildcard origin (*) not allowed in production');
+  }
+
+  // Handle null origin
+  if (origin === null) {
+    return allowNull
+      ? { allowed: true }
+      : { allowed: false, reason: 'Null origin not allowed' };
+  }
+
+  // Wildcard in development
+  if (allowedOrigins.includes('*') && !production) {
+    return { allowed: true };
+  }
+
+  // Validate origin format - reject credentials in URL
+  if (origin && origin.includes('@')) {
+    return { allowed: false, reason: 'Origin contains credentials' };
+  }
+
+  // Reject trailing slashes
+  if (origin && origin.endsWith('/')) {
+    return { allowed: false, reason: 'Origin has trailing slash' };
+  }
+
+  // Reject paths
+  try {
+    const url = new URL(origin);
+    if (url.pathname !== '/' && url.pathname !== '') {
+      return { allowed: false, reason: 'Origin contains path' };
+    }
+  } catch {
+    return { allowed: false, reason: 'Invalid origin format' };
+  }
+
+  // Normalize for comparison
+  const normalizedOrigin = origin.toLowerCase();
+
+  for (const allowed of allowedOrigins) {
+    // Exact match (case insensitive)
+    if (allowed.toLowerCase() === normalizedOrigin) {
+      return { allowed: true };
+    }
+
+    // Subdomain wildcard pattern
+    if (allowed.includes('*')) {
+      const pattern = allowed
+        .replace(/\./g, '\\.')
+        .replace(/\*/g, '[a-z0-9-]+');
+      const regex = new RegExp(`^${pattern}$`, 'i');
+
+      // Limit pattern length to prevent ReDoS
+      if (origin.length <= 100 && regex.test(origin)) {
+        return { allowed: true };
+      }
+    }
+  }
+
+  return { allowed: false, reason: 'Origin not in whitelist' };
+}
+
+/**
+ * Generate CORS headers for a response
+ * @param {Object} options - Header options
+ * @returns {Object} CORS headers
+ */
+export function generateCorsHeaders(options = {}) {
+  const {
+    origin,
+    allowedOrigins = [],
+    credentials = false,
+    exposeHeaders = [],
+    production = false,
+  } = options;
+
+  const validation = validateOrigin(origin, { allowedOrigins, production });
+
+  if (!validation.allowed) {
+    return {};
+  }
+
+  const headers = {
+    'Access-Control-Allow-Origin': origin,
+    'Vary': 'Origin',
+  };
+
+  if (credentials) {
+    headers['Access-Control-Allow-Credentials'] = 'true';
+  }
+
+  if (exposeHeaders.length > 0) {
+    headers['Access-Control-Expose-Headers'] = exposeHeaders.join(', ');
+  }
+
+  return headers;
+}
+
+/**
+ * Handle preflight OPTIONS request
+ * @param {Object} options - Preflight options
+ * @returns {Object} Preflight response headers
+ */
+export function handlePreflight(options = {}) {
+  const {
+    origin,
+    requestMethod,
+    requestHeaders = [],
+    allowedOrigins = [],
+    allowedMethods = ['GET', 'POST'],
+    allowedHeaders = [],
+    credentials = false,
+    maxAge = 86400,
+    production = false,
+  } = options;
+
+  const validation = validateOrigin(origin, { allowedOrigins, production });
+
+  if (!validation.allowed) {
+    return {};
+  }
+
+  const headers = {
+    'Access-Control-Allow-Origin': origin,
+    'Vary': 'Origin, Access-Control-Request-Method, Access-Control-Request-Headers',
+  };
+
+  // Filter allowed methods
+  const allowedMethodsList = allowedMethods.filter((m) =>
+    requestMethod ? allowedMethods.includes(requestMethod.toUpperCase()) : true
+  );
+  headers['Access-Control-Allow-Methods'] = allowedMethodsList.join(', ');
+
+  // Filter allowed headers (always allow simple headers)
+  const normalizedAllowedHeaders = [
+    ...allowedHeaders.map((h) => h.toLowerCase()),
+    ...SIMPLE_HEADERS,
+  ];
+  const normalizedRequestHeaders = requestHeaders.map((h) => h.toLowerCase());
+
+  const filteredHeaders = normalizedRequestHeaders.filter((h) =>
+    normalizedAllowedHeaders.includes(h) || SIMPLE_HEADERS.includes(h)
+  );
+
+  if (filteredHeaders.length > 0 || allowedHeaders.length > 0) {
+    headers['Access-Control-Allow-Headers'] = [...new Set([
+      ...allowedHeaders,
+      ...filteredHeaders.filter((h) => SIMPLE_HEADERS.includes(h)),
+    ])].join(', ') || 'Accept, Content-Type';
+  }
+
+  if (credentials) {
+    headers['Access-Control-Allow-Credentials'] = 'true';
+  }
+
+  if (maxAge) {
+    headers['Access-Control-Max-Age'] = String(maxAge);
+  }
+
+  return headers;
+}
+
+/**
+ * Create a reusable CORS validator
+ * @param {Object} config - CORS configuration
+ * @returns {Object} CORS validator instance
+ */
+export function createCorsValidator(config = {}) {
+  const {
+    allowedOrigins = [],
+    allowedMethods = ['GET', 'POST', 'PUT', 'DELETE'],
+    allowedHeaders = ['Content-Type', 'Authorization'],
+    credentials = false,
+    maxAge = 86400,
+    production = false,
+  } = config;
+
+  return {
+    validate(origin) {
+      return validateOrigin(origin, { allowedOrigins, production });
+    },
+
+    isMethodAllowed(method) {
+      return allowedMethods.map((m) => m.toUpperCase()).includes(method.toUpperCase());
+    },
+
+    isHeaderAllowed(header) {
+      const normalized = header.toLowerCase();
+      return (
+        SIMPLE_HEADERS.includes(normalized) ||
+        allowedHeaders.map((h) => h.toLowerCase()).includes(normalized)
+      );
+    },
+
+    getHeaders(origin) {
+      return generateCorsHeaders({
+        origin,
+        allowedOrigins,
+        credentials,
+        production,
+      });
+    },
+
+    handlePreflight(origin, requestMethod, requestHeaders) {
+      return handlePreflight({
+        origin,
+        requestMethod,
+        requestHeaders,
+        allowedOrigins,
+        allowedMethods,
+        allowedHeaders,
+        credentials,
+        maxAge,
+        production,
+      });
+    },
+
+    middleware() {
+      return (req, res, next) => {
+        const origin = req.headers.origin;
+        const headers = this.getHeaders(origin);
+        Object.entries(headers).forEach(([key, value]) => {
+          res.setHeader(key, value);
+        });
+        if (req.method === 'OPTIONS') {
+          const preflightHeaders = this.handlePreflight(
+            origin,
+            req.headers['access-control-request-method'],
+            (req.headers['access-control-request-headers'] || '').split(',').map((h) => h.trim())
+          );
+          Object.entries(preflightHeaders).forEach(([key, value]) => {
+            res.setHeader(key, value);
+          });
+          res.statusCode = 204;
+          res.end();
+          return;
+        }
+        next();
+      };
+    },
+  };
+}

package/server/lib/security/cors-validator.test.js

@@ -0,0 +1,310 @@
+/**
+ * CORS Validator Tests
+ *
+ * Tests for strict CORS configuration.
+ */
+
+import { describe, it, expect } from 'vitest';
+import {
+  validateOrigin,
+  generateCorsHeaders,
+  handlePreflight,
+  createCorsValidator,
+  CorsSecurityError,
+} from './cors-validator.js';
+
+describe('cors-validator', () => {
+  describe('validateOrigin', () => {
+    it('allows whitelisted origin', () => {
+      const result = validateOrigin('https://example.com', {
+        allowedOrigins: ['https://example.com', 'https://app.example.com'],
+      });
+
+      expect(result.allowed).toBe(true);
+    });
+
+    it('rejects non-whitelisted origin', () => {
+      const result = validateOrigin('https://evil.com', {
+        allowedOrigins: ['https://example.com'],
+      });
+
+      expect(result.allowed).toBe(false);
+      expect(result.reason).toContain('not in whitelist');
+    });
+
+    it('rejects wildcard (*) in production mode', () => {
+      expect(() => {
+        validateOrigin('https://example.com', {
+          allowedOrigins: ['*'],
+          production: true,
+        });
+      }).toThrow(CorsSecurityError);
+    });
+
+    it('allows wildcard in development mode', () => {
+      const result = validateOrigin('https://anything.com', {
+        allowedOrigins: ['*'],
+        production: false,
+      });
+
+      expect(result.allowed).toBe(true);
+    });
+
+    it('supports pattern matching for subdomains', () => {
+      const result = validateOrigin('https://api.example.com', {
+        allowedOrigins: ['https://*.example.com'],
+      });
+
+      expect(result.allowed).toBe(true);
+    });
+
+    it('rejects null origin by default', () => {
+      const result = validateOrigin(null, {
+        allowedOrigins: ['https://example.com'],
+      });
+
+      expect(result.allowed).toBe(false);
+    });
+
+    it('allows null origin when explicitly configured', () => {
+      const result = validateOrigin(null, {
+        allowedOrigins: ['https://example.com'],
+        allowNull: true,
+      });
+
+      expect(result.allowed).toBe(true);
+    });
+
+    it('validates origin protocol', () => {
+      const result = validateOrigin('http://example.com', {
+        allowedOrigins: ['https://example.com'],
+      });
+
+      expect(result.allowed).toBe(false);
+    });
+
+    it('validates origin port', () => {
+      const result = validateOrigin('https://example.com:8080', {
+        allowedOrigins: ['https://example.com'],
+      });
+
+      expect(result.allowed).toBe(false);
+    });
+  });
+
+  describe('generateCorsHeaders', () => {
+    it('generates Access-Control-Allow-Origin header', () => {
+      const headers = generateCorsHeaders({
+        origin: 'https://example.com',
+        allowedOrigins: ['https://example.com'],
+      });
+
+      expect(headers['Access-Control-Allow-Origin']).toBe('https://example.com');
+    });
+
+    it('generates Vary: Origin header', () => {
+      const headers = generateCorsHeaders({
+        origin: 'https://example.com',
+        allowedOrigins: ['https://example.com'],
+      });
+
+      expect(headers['Vary']).toContain('Origin');
+    });
+
+    it('sets Access-Control-Allow-Credentials when configured', () => {
+      const headers = generateCorsHeaders({
+        origin: 'https://example.com',
+        allowedOrigins: ['https://example.com'],
+        credentials: true,
+      });
+
+      expect(headers['Access-Control-Allow-Credentials']).toBe('true');
+    });
+
+    it('does not set credentials header when not configured', () => {
+      const headers = generateCorsHeaders({
+        origin: 'https://example.com',
+        allowedOrigins: ['https://example.com'],
+        credentials: false,
+      });
+
+      expect(headers['Access-Control-Allow-Credentials']).toBeUndefined();
+    });
+
+    it('sets Access-Control-Expose-Headers', () => {
+      const headers = generateCorsHeaders({
+        origin: 'https://example.com',
+        allowedOrigins: ['https://example.com'],
+        exposeHeaders: ['X-Request-Id', 'X-RateLimit-Remaining'],
+      });
+
+      expect(headers['Access-Control-Expose-Headers']).toContain('X-Request-Id');
+      expect(headers['Access-Control-Expose-Headers']).toContain('X-RateLimit-Remaining');
+    });
+
+    it('returns empty object for disallowed origin', () => {
+      const headers = generateCorsHeaders({
+        origin: 'https://evil.com',
+        allowedOrigins: ['https://example.com'],
+      });
+
+      expect(headers['Access-Control-Allow-Origin']).toBeUndefined();
+    });
+  });
+
+  describe('handlePreflight', () => {
+    it('returns correct headers for OPTIONS request', () => {
+      const headers = handlePreflight({
+        origin: 'https://example.com',
+        requestMethod: 'POST',
+        requestHeaders: ['Content-Type', 'Authorization'],
+        allowedOrigins: ['https://example.com'],
+        allowedMethods: ['GET', 'POST', 'PUT', 'DELETE'],
+        allowedHeaders: ['Content-Type', 'Authorization'],
+      });
+
+      expect(headers['Access-Control-Allow-Origin']).toBe('https://example.com');
+      expect(headers['Access-Control-Allow-Methods']).toContain('POST');
+      expect(headers['Access-Control-Allow-Headers']).toContain('Content-Type');
+    });
+
+    it('sets Access-Control-Max-Age', () => {
+      const headers = handlePreflight({
+        origin: 'https://example.com',
+        requestMethod: 'POST',
+        allowedOrigins: ['https://example.com'],
+        allowedMethods: ['POST'],
+        maxAge: 86400,
+      });
+
+      expect(headers['Access-Control-Max-Age']).toBe('86400');
+    });
+
+    it('rejects disallowed method', () => {
+      const headers = handlePreflight({
+        origin: 'https://example.com',
+        requestMethod: 'DELETE',
+        allowedOrigins: ['https://example.com'],
+        allowedMethods: ['GET', 'POST'],
+      });
+
+      expect(headers['Access-Control-Allow-Methods']).not.toContain('DELETE');
+    });
+
+    it('rejects disallowed headers', () => {
+      const headers = handlePreflight({
+        origin: 'https://example.com',
+        requestMethod: 'POST',
+        requestHeaders: ['X-Custom-Header'],
+        allowedOrigins: ['https://example.com'],
+        allowedMethods: ['POST'],
+        allowedHeaders: ['Content-Type'],
+      });
+
+      expect(headers['Access-Control-Allow-Headers']).not.toContain('X-Custom-Header');
+    });
+
+    it('always allows simple headers', () => {
+      const headers = handlePreflight({
+        origin: 'https://example.com',
+        requestMethod: 'POST',
+        requestHeaders: ['Accept', 'Content-Language'],
+        allowedOrigins: ['https://example.com'],
+        allowedMethods: ['POST'],
+        allowedHeaders: [],
+      });
+
+      // Simple headers should be implicitly allowed
+      expect(headers['Access-Control-Allow-Headers']).toBeDefined();
+    });
+  });
+
+  describe('createCorsValidator', () => {
+    it('creates reusable validator with config', () => {
+      const cors = createCorsValidator({
+        allowedOrigins: ['https://example.com', 'https://app.example.com'],
+        allowedMethods: ['GET', 'POST', 'PUT', 'DELETE'],
+        allowedHeaders: ['Content-Type', 'Authorization'],
+        credentials: true,
+        maxAge: 86400,
+      });
+
+      const result = cors.validate('https://example.com');
+      expect(result.allowed).toBe(true);
+    });
+
+    it('validates methods', () => {
+      const cors = createCorsValidator({
+        allowedOrigins: ['https://example.com'],
+        allowedMethods: ['GET', 'POST'],
+      });
+
+      expect(cors.isMethodAllowed('GET')).toBe(true);
+      expect(cors.isMethodAllowed('DELETE')).toBe(false);
+    });
+
+    it('validates headers', () => {
+      const cors = createCorsValidator({
+        allowedOrigins: ['https://example.com'],
+        allowedHeaders: ['Content-Type', 'Authorization'],
+      });
+
+      expect(cors.isHeaderAllowed('Content-Type')).toBe(true);
+      expect(cors.isHeaderAllowed('X-Custom')).toBe(false);
+    });
+
+    it('generates middleware function', () => {
+      const cors = createCorsValidator({
+        allowedOrigins: ['https://example.com'],
+      });
+
+      const middleware = cors.middleware();
+      expect(typeof middleware).toBe('function');
+    });
+  });
+
+  describe('security edge cases', () => {
+    it('rejects origins with credentials in URL', () => {
+      const result = validateOrigin('https://user:pass@example.com', {
+        allowedOrigins: ['https://example.com'],
+      });
+
+      expect(result.allowed).toBe(false);
+    });
+
+    it('handles case-insensitive origin matching', () => {
+      const result = validateOrigin('https://EXAMPLE.COM', {
+        allowedOrigins: ['https://example.com'],
+      });
+
+      expect(result.allowed).toBe(true);
+    });
+
+    it('rejects origins with trailing slashes', () => {
+      const result = validateOrigin('https://example.com/', {
+        allowedOrigins: ['https://example.com'],
+      });
+
+      // Origins should not have trailing slashes
+      expect(result.allowed).toBe(false);
+    });
+
+    it('rejects origins with path components', () => {
+      const result = validateOrigin('https://example.com/path', {
+        allowedOrigins: ['https://example.com'],
+      });
+
+      expect(result.allowed).toBe(false);
+    });
+
+    it('validates against regex patterns safely', () => {
+      // Ensure regex patterns don't cause ReDoS
+      const result = validateOrigin('https://a'.repeat(1000) + '.example.com', {
+        allowedOrigins: ['https://*.example.com'],
+      });
+
+      // Should complete quickly and reject
+      expect(result.allowed).toBe(false);
+    });
+  });
+});