Description
In src/main.ts, the Fastify-based NestJS application does not configure any CORS restrictions:
```typescript
const app = await NestFactory.create<NestFastifyApplication>(
  AppModule,
  new FastifyAdapter()
);
```
By default, Fastify/NestJS with no explicit CORS config either accepts all origins or uses the framework's permissive defaults. This means any website can make authenticated API requests to the Hub endpoints, enabling CSRF attacks and cross-origin data theft.
Steps to Reproduce
- From any arbitrary domain, send a CORS request to https://hub-api/api/v1/*
- The request succeeds without CORS preflight rejection
Expected Behavior
Only known frontend origins (the OpenLake Hub frontend domain) should be allowed to make cross-origin requests.
Suggested Fix
```typescript
app.enableCors({
  // explicit allowlist of exact origins; credentials: true requires a concrete
  // origin rather than '*', and must never simply reflect the request's Origin
  origin: [process.env.FRONTEND_URL],
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
});
```
Affected Files
src/main.ts