[Security] Reject wildcard CORS with credentials at runtime #235

Closed
opened 2026-07-11 11:39:41 +02:00 by zemion · 2 comments
Owner

Production config validation rejects wildcard CORS, but the runtime app factory still accepts allow_origins=["*"] with allow_credentials=True. This is a deployment footgun and should fail closed in the server factory too.

Code paths: src/govoplan_core/server/fastapi.py:44, src/govoplan_core/server/fastapi.py:48, src/govoplan_core/server/fastapi.py:49, src/govoplan_core/core/install_config.py:177.

Acceptance: app factory rejects wildcard CORS when credentials are enabled, tests cover wildcard rejection and explicit-origin configuration, and the error message points operators to exact origins.

Production config validation rejects wildcard CORS, but the runtime app factory still accepts `allow_origins=["*"]` with `allow_credentials=True`. This is a deployment footgun and should fail closed in the server factory too. Code paths: `src/govoplan_core/server/fastapi.py:44`, `src/govoplan_core/server/fastapi.py:48`, `src/govoplan_core/server/fastapi.py:49`, `src/govoplan_core/core/install_config.py:177`. Acceptance: app factory rejects wildcard CORS when credentials are enabled, tests cover wildcard rejection and explicit-origin configuration, and the error message points operators to exact origins. <!-- codex-audit-2026-07-11:cors-runtime -->
zemion added the
type
bug
status
ready
priority
p2
module/core
area/api
codex/ready
labels 2026-07-11 11:39:41 +02:00
Author
Owner

Codex state update: implemented locally in /mnt/DATA/git/govoplan-core.

Summary:

  • Runtime startup now rejects * in GOVOPLAN_CORS_ALLOW_ORIGINS while credentialed CORS is enabled.
  • Added a focused startup test covering the wildcard rejection.

Verification:

  • python -m unittest tests.test_core_events tests.test_policy_contracts
  • python -m py_compile for touched core modules

Left open until the local code is reviewed/committed/pushed.

Codex state update: implemented locally in `/mnt/DATA/git/govoplan-core`. Summary: - Runtime startup now rejects `*` in `GOVOPLAN_CORS_ALLOW_ORIGINS` while credentialed CORS is enabled. - Added a focused startup test covering the wildcard rejection. Verification: - `python -m unittest tests.test_core_events tests.test_policy_contracts` - `python -m py_compile` for touched core modules Left open until the local code is reviewed/committed/pushed.
Author
Owner

Closing per user request; this issue is covered by the local changes ready to push.

Fixed locally: credentialed CORS startup rejects wildcard origins and requires explicit origins.

Closing per user request; this issue is covered by the local changes ready to push. Fixed locally: credentialed CORS startup rejects wildcard origins and requires explicit origins.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#235
No description provided.