Skip to content

fix(devserver): tighten cors origin validation #203

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Abhijeet Prasad (AbhiPrasad) wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(devserver): tighten cors origin validation #203

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0f7f3eb
fix(devserver): tighten cors origin validation
AbhiPrasad Apr 3, 2026
40c7c8a
run all devserver tests
AbhiPrasad Apr 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion py/noxfile.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -320,7 +320,7 @@ def test_cli(session):
_install_test_deps(session)
session.install(".[cli]")
session.install("httpx") # Required for starlette.testclient
_run_tests(session, "braintrust/devserver/test_server_integration.py")
_run_tests(session, DEVSERVER_DIR)


@nox.session()
Expand Down
2 changes: 1 addition & 1 deletion py/src/braintrust/devserver/cors.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ def check_origin(origin: str) -> bool:
for allowed in ALLOWED_ORIGINS:
if isinstance(allowed, str) and origin == allowed:
return True
elif isinstance(allowed, re.Pattern) and allowed.match(origin):
elif isinstance(allowed, re.Pattern) and allowed.fullmatch(origin):
return True

return False
Expand Down
45 changes: 45 additions & 0 deletions py/src/braintrust/devserver/test_cors.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
import asyncio
import unittest

from braintrust.devserver.cors import check_origin, create_cors_middleware


class TestCorsOriginValidation(unittest.TestCase):
def test_check_origin_allows_legitimate_preview_origin(self):
self.assertTrue(check_origin("https://legit.preview.braintrust.dev"))

def test_check_origin_rejects_preview_suffix_bypass(self):
self.assertFalse(check_origin("https://evil.preview.braintrust.dev.attacker.com"))

def test_options_response_does_not_reflect_disallowed_origin(self):
async def app(scope, receive, send):
raise AssertionError("OPTIONS requests should be handled by the CORS middleware")

middleware = create_cors_middleware()(app)
messages = []

async def receive():
return {"type": "http.request", "body": b"", "more_body": False}

async def send(message):
messages.append(message)

scope = {
"type": "http",
"method": "OPTIONS",
"headers": [
(b"origin", b"https://evil.preview.braintrust.dev.attacker.com"),
(b"access-control-request-method", b"POST"),
],
}

asyncio.run(middleware(scope, receive, send))

response_start = next(message for message in messages if message["type"] == "http.response.start")
headers = dict(response_start["headers"])
self.assertNotIn(b"access-control-allow-origin", headers)
self.assertNotIn(b"access-control-allow-credentials", headers)


if __name__ == "__main__":
unittest.main()
Loading