Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix security vulnerability #1794

Merged
merged 2 commits into from
Sep 25, 2018
Merged

Fix security vulnerability #1794

merged 2 commits into from
Sep 25, 2018

Conversation

DeMoorJasper
Copy link
Member

@DeMoorJasper DeMoorJasper commented Jul 25, 2018

After having a short discussion with @chromium1337 we found a fix for the security vulnerability #1783

The vulnerability mainly had to do with people being able to steal your code as the origin of requests wasn't checked by websocket server.

However the CORS header in the static server comes down to the same vulnerability and as there is no general hostname flag, we can't really secure that server.

Unless we would agree, that both these hostnames would always be the same and deprecate --hmr-hostname and create a --hostname flag instead that adds a cors limitation to both the static and websocket server. This way allowing parcel to be run on a server without having to worry about any security risks (related to CORS).

Fixes #1783

Copy link
Contributor

@fathyb fathyb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, did someone check if this effectively fixes the issue, e.g. using a POC?

@DeMoorJasper
Copy link
Member Author

@chromium1337 Wrote a page about it explaining why it's an issue and origin would fix this. I'll DM you the page

@DeMoorJasper DeMoorJasper changed the title fix security vuln Fix security vulnerability Aug 11, 2018
@devongovett devongovett merged commit 92b5c08 into master Sep 25, 2018
@devongovett devongovett deleted the security-fix branch September 25, 2018 03:49
devongovett pushed a commit that referenced this pull request Oct 15, 2018
devongovett pushed a commit that referenced this pull request Oct 15, 2018
carlosgeos pushed a commit to carlosgeos/parcel that referenced this pull request Jan 1, 2019
carlosgeos pushed a commit to carlosgeos/parcel that referenced this pull request Jan 2, 2019
tests use the ws library to establish a websocket connection, and they
have an undefined origin by default. This is changed

tests have no defined hmrHostname so it was set too.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

A vulnerability found in parcel-bundler
3 participants