Describe the bug
The WebSocket upgrader in backend/controllers/websocket.go (lines 16-19) accepts connections from ANY origin by returning true in the CheckOrigin function. Because browsers do not apply CORS to WebSocket handshakes, this server-side Origin check is the only origin-based protection WebSocket connections have, and it is disabled.
Security Impact
- Cross-Site WebSocket Hijacking (CSWSH): Malicious websites can establish WebSocket connections to the backend
- CSRF Attacks: Attackers can perform actions on behalf of authenticated users
- Real-time Data Interception: Job status broadcasts can be intercepted by malicious sites
- Session Hijacking: Attackers can access user-specific job updates
- Data Leakage: Task information and sync statuses exposed to unauthorized origins
To Reproduce
- User logs into CCSync
- User visits malicious website https://evil.com in another tab
- Malicious site connects WebSocket to victim's CCSync backend
- Attacker receives all real-time job status updates
- Sensitive task information is exfiltrated
Expected behavior
The WebSocket handler should validate the origin against a whitelist of allowed origins and reject connections from unauthorized domains.
Location
- File: backend/controllers/websocket.go
- Lines: 16-19
- Issue: CheckOrigin always returns true
Fix Required
Implement proper origin validation to only accept connections from configured frontend origins (FRONTEND_ORIGIN_DEV, FRONTEND_ORIGIN_PROD).
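The following is an added example of the fix described above, not code from the CCSync repository. It assumes the upgrader is gorilla/websocket's Upgrader (whose CheckOrigin field takes a func(*http.Request) bool) and reads the allowed origins from the FRONTEND_ORIGIN_DEV and FRONTEND_ORIGIN_PROD environment variables named in this issue. The function names (allowedOrigins, normalizeOrigin, newCheckOrigin) are illustrative; the sample origins in main are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// allowedOrigins builds the set of permitted origins from the two
// environment variables named in the issue. The lookup function is
// injected so the logic can be exercised without touching the real
// environment; pass os.Getenv in production.
func allowedOrigins(env func(string) string) map[string]bool {
	allowed := make(map[string]bool)
	for _, key := range []string{"FRONTEND_ORIGIN_DEV", "FRONTEND_ORIGIN_PROD"} {
		if norm, ok := normalizeOrigin(env(key)); ok {
			allowed[norm] = true
		}
	}
	return allowed
}

// normalizeOrigin reduces an origin string to lowercase scheme://host[:port]
// so a trailing slash or mixed case in the config cannot cause a mismatch.
// Anything without both a scheme and a host (e.g. "null", a bare hostname,
// or an empty string) is rejected.
func normalizeOrigin(raw string) (string, bool) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", false
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), true
}

// newCheckOrigin returns a function with the signature gorilla's
// Upgrader.CheckOrigin expects (assumed). Unlike the current handler,
// which always returns true, it denies any upgrade whose Origin header
// is missing, malformed, or not in the configured allow-list. Exact
// matching on the normalised origin means "https://app.example.com.evil.com"
// does not match "https://app.example.com".
func newCheckOrigin(allowed map[string]bool) func(r *http.Request) bool {
	return func(r *http.Request) bool {
		norm, ok := normalizeOrigin(r.Header.Get("Origin"))
		if !ok {
			return false
		}
		return allowed[norm]
	}
}

func main() {
	checkOrigin := newCheckOrigin(allowedOrigins(os.Getenv))
	// Wiring into the upgrader (assumed gorilla/websocket):
	//   upgrader := websocket.Upgrader{CheckOrigin: checkOrigin}

	// Constructed sample origins to show the decision for each case.
	for _, origin := range []string{"http://localhost:5173", "https://evil.com", ""} {
		req, err := http.NewRequest(http.MethodGet, "/ws", nil)
		if err != nil {
			panic(err)
		}
		req.Header.Set("Origin", origin)
		fmt.Printf("origin %q allowed=%v\n", origin, checkOrigin(req))
	}
}
```

One design choice to be aware of: gorilla's built-in same-origin check permits requests with no Origin header (non-browser clients never send one). This example denies them, which is the right default when the only legitimate WebSocket client is the browser frontend; if a non-browser client must also connect, relax that branch deliberately rather than by returning true for everything. Also make sure the deployed FRONTEND_ORIGIN_* values are full origins (scheme and host, with the port where the dev server uses one), since a bare hostname is rejected by normalizeOrigin and would lock the frontend out.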