mirror of
https://github.com/tiennm99/ccs.git
synced 2026-07-16 08:17:11 +00:00
fix(cursor): block cross-origin runtime probe requests (#1371)
This commit is contained in:
@@ -18,6 +18,7 @@ import {
|
||||
|
||||
import cursorSettingsRoutes from './cursor-settings-routes';
|
||||
import { getCursorConfig } from '../../config/config-loader-facade';
|
||||
import { isDashboardWebSocketOriginAllowed } from '../middleware/auth-middleware';
|
||||
|
||||
const router = Router();
|
||||
|
||||
@@ -192,7 +193,12 @@ router.get('/models', async (_req: Request, res: Response): Promise<void> => {
|
||||
/**
|
||||
* POST /api/cursor/probe - Run a live authenticated runtime probe
|
||||
*/
|
||||
router.post('/probe', async (_req: Request, res: Response): Promise<void> => {
|
||||
router.post('/probe', async (req: Request, res: Response): Promise<void> => {
|
||||
if (!isDashboardWebSocketOriginAllowed(req)) {
|
||||
res.status(403).json({ error: 'Cross-origin probe requests are not allowed.' });
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
const cursorConfig = getCursorConfig();
|
||||
const result = await probeCursorRuntime(cursorConfig);
|
||||
|
||||
@@ -510,6 +510,17 @@ describe('Cursor Routes Logic', () => {
|
||||
expect(json.current).toBe('gpt-5.3-codex');
|
||||
});
|
||||
|
||||
it('POST /api/cursor/probe rejects cross-origin requests', async () => {
|
||||
const res = await fetch(`${baseUrl}/api/cursor/probe`, {
|
||||
method: 'POST',
|
||||
headers: { Origin: 'https://attacker.example' },
|
||||
});
|
||||
expect(res.status).toBe(403);
|
||||
|
||||
const json = (await res.json()) as { error?: string };
|
||||
expect(json.error).toContain('Cross-origin probe requests are not allowed.');
|
||||
});
|
||||
|
||||
it('POST /api/cursor/probe returns auth failure when credentials are missing', async () => {
|
||||
const res = await fetch(`${baseUrl}/api/cursor/probe`, { method: 'POST' });
|
||||
expect(res.status).toBe(401);
|
||||
|
||||
Reference in New Issue
Block a user