Fix wildcard CORS, restrict credential file permissions, add body size limit #7
Open
glitch-ux wants to merge 1 commit into RelayPlane:main from
…est body size limit
- Replace Access-Control-Allow-Origin: * with a localhost-only allowlist (localhost:4100, localhost:3000, and 127.0.0.1 equivalents) to prevent cross-site data exfiltration from any malicious webpage.
- Write credentials.json and config.json with mode 0600 (owner-only) and create the .relayplane directory with mode 0700. Previously these files were created with default 0644 permissions, allowing any local user to read API keys.
- Add a 1 MB size limit to readBody() to reject oversized payloads before they exhaust server memory. Protects simulation and policy test endpoints from denial-of-service via large JSON bodies.
Summary
Three quick security hardening fixes that address vulnerabilities in how the proxy handles CORS, stores credentials, and accepts request bodies.
1. Replace wildcard CORS with localhost allowlist
File: `src/server.ts`

The proxy currently sets `Access-Control-Allow-Origin: *` on every response. This means any website can make cross-origin requests to the proxy and read the responses — including sensitive endpoints like `/v1/budget`, `/v1/runs/{id}`, `/v1/policies`, and `/v1/simulate/*` which return cost data, routing decisions, and policy evaluations.

Attack scenario: A user visits a malicious webpage. JavaScript on that page fetches `http://localhost:4100/v1/budget` and silently exfiltrates the user's budget state, run traces, and policy configuration.

Fix: Replace `*` with an explicit allowlist of localhost origins (`localhost:4100`, `localhost:3000`, and `127.0.0.1` equivalents). The `Access-Control-Allow-Origin` header is only set when the request's `Origin` matches the allowlist. Cross-origin requests from non-localhost origins are blocked by the browser's same-origin policy.

2. Restrict credential and config file permissions to owner-only
Files: `src/credentials.ts`, `src/config.ts`

`credentials.json` and `config.json` (which can contain `api_key`) are written with Node's default file permissions (typically `0644` on Unix), making them readable by any local user. The `.relayplane/` directory is also created with default permissions.

Attack scenario: On a shared system (CI runner, dev server, multi-user workstation), any user can `cat ~/.relayplane/credentials.json` and steal API keys for Anthropic, OpenAI, or other providers.

Fix:
- `~/.relayplane/` directory with mode `0700` (owner-only access)
- `credentials.json` and `config.json` with mode `0600` (owner read/write only)
- `saveAgentCredentials()`, `saveConfig()`, and `setApiKey()`

3. Add 1 MB request body size limit
File: `src/server.ts`

The `readBody()` helper accumulates the request body with `body += chunk` without any size check. All POST endpoints that parse JSON bodies (`/v1/policies/test`, `/v1/simulate/policy`, `/v1/simulate/routing`, `/v1/chat/completions`, etc.) are vulnerable.

Attack scenario: An attacker sends a multi-gigabyte POST body to any endpoint, exhausting server memory and crashing the proxy (OOM).

Fix: Track accumulated byte size in `readBody()` and destroy the request with a clear error message if it exceeds 1 MB. The limit is defined as a static class constant (`MAX_BODY_SIZE`) for easy adjustment.

Test plan
- `npx tsc --noEmit` — zero errors)
- `@relayplane/learning-engine`, missing `tsx` binary — unrelated to these changes)
- `localhost:4100` still loads (CORS allows `localhost:4100`)
- `~/.relayplane/credentials.json` is created with `600` permissions on a fresh setup
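The CORS allowlist from section 1 and the byte-counted `readBody()` limit from section 3, as an added example that is not RelayPlane's code. `MAX_BODY_SIZE` is the name the PR mentions; `corsOriginFor`, `BodyAccumulator` and the `http://` scheme on the listed ports are this example's own assumptions.

```typescript
import { IncomingMessage } from "node:http";

// Names below are this example's own, not RelayPlane identifiers (assumption).
export const MAX_BODY_SIZE = 1024 * 1024; // 1 MB cap, as described in the PR

// Only these origins get an Access-Control-Allow-Origin header back.
const ALLOWED_ORIGINS = new Set([
  "http://localhost:4100", "http://localhost:3000",
  "http://127.0.0.1:4100", "http://127.0.0.1:3000",
]);

// Value to send in Access-Control-Allow-Origin, or null to omit the header
// (a missing or foreign Origin is never echoed back, so nothing is leaked).
export function corsOriginFor(origin: string | undefined): string | null {
  return origin !== undefined && ALLOWED_ORIGINS.has(origin) ? origin : null;
}

// Counts bytes rather than string length so multi-byte UTF-8 cannot exceed
// the cap while looking short; stops accepting data once the limit is passed.
export class BodyAccumulator {
  private chunks: Buffer[] = [];
  private size = 0;
  constructor(private readonly limit: number = MAX_BODY_SIZE) {}
  // Returns false once the running total (offending chunk included) exceeds
  // the limit; that chunk is dropped and the caller should stop reading.
  push(chunk: Buffer | string): boolean {
    const buf = typeof chunk === "string" ? Buffer.from(chunk, "utf8") : chunk;
    this.size += buf.length;
    if (this.size > this.limit) return false;
    this.chunks.push(buf);
    return true;
  }
  bytes(): number { return this.size; }
  toString(): string { return Buffer.concat(this.chunks).toString("utf8"); }
}

// readBody() shape for an http server: destroys the request the moment the
// running total passes the cap, so the rest of a huge body is never buffered.
export function readBody(req: IncomingMessage, limit = MAX_BODY_SIZE): Promise<string> {
  return new Promise((resolve, reject) => {
    const acc = new BodyAccumulator(limit);
    req.on("data", (chunk: Buffer) => {
      if (!acc.push(chunk)) {
        req.destroy(new Error(`request body exceeds ${limit} bytes`));
      }
    });
    req.on("end", () => resolve(acc.toString()));
    req.on("error", reject);
  });
}
```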