fix(core,react): only send x-kyc-code to the configured API origin#179
Open
TaprootFreak wants to merge 1 commit into
Conversation
The KYC setters take their target URL from a previous step response and pass it straight to the credentialed request (x-kyc-code header) — in core via KycApi.kycRequest, in react via useKyc's fetch. Neither checked that the URL stays on the API origin, so a tampered/MITM step URL could exfiltrate the KYC credential to a foreign host. Add Utils.isSameOrigin and guard both call sites: requests to anything but the configured API origin are refused before the header is attached. Fails closed on unparsable URLs.
Finding (Medium, branch-wide security review)

The KYC setters (setContactData, setPersonalData, setNationalityData, … about 20 of them) take their target URL from the API's previous step response and pass it straight to the credentialed request that carries the x-kyc-code header (the KYC auth token):

- KycApi.kycRequest → http.requestAbsolute with headers: { 'x-kyc-code': code }
- useKyc's call → fetch(config.url, …) with x-kyc-code

Neither of the two places checked that the URL stays on the API origin. A manipulated or MITM-altered step URL could exfiltrate the KYC code to a foreign host. Because this is a library, the flaw multiplies across all consumers (threat model: a source of error that no consumer can secure on their own).

Fix

New helper Utils.isSameOrigin(url, baseUrl) (core; available in the react package via re-export). Both call sites are guarded: requests to anything other than the configured API origin are rejected before the header is set. Fail-closed on unparsable URLs. Comparison is on the exact origin (scheme + host + port) against http.getBaseUrl() (core) or defaultUrl (react).

Tests

isSameOrigin spec (core): same-origin ✓; foreign host / subdomain trick / differing scheme or port → rejected; unparsable → false. core 58/58 green; core+react build and lint clean.

Last open item from the security backlog. All that remains is the account-merge token-binding design decision (David).
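The guard described in the PR description and in the review comment above, written out as an added example. This is not the project's Utils.isSameOrigin, http.requestAbsolute or useKyc code; it is an independent implementation in the same shape (isSameOrigin(url, baseUrl)) built on the WHATWG URL class available in browsers and Node. The buildKycRequest wrapper, the sample URLs and the header value are constructed for illustration; the real call sites use the project's own request helpers.

```typescript
// Added example, not the project's code: exact-origin guard in the shape the
// PR describes. Compares scheme + host + port and fails closed on input that
// does not parse, so a step URL that cannot be understood never gets the header.
function isSameOrigin(url: string, baseUrl: string): boolean {
  let target: URL;
  let base: URL;
  try {
    target = new URL(url);
    base = new URL(baseUrl);
  } catch {
    return false; // fail closed: unparsable input is never same-origin
  }
  // URL.origin is normalised (lower-cased host, default port dropped), so
  // "https://api.example.com:443" and "https://api.example.com" compare equal,
  // while a different scheme, a non-default port, a look-alike subdomain or a
  // userinfo trick ("https://api.example.com@evil.example/") all differ.
  if (target.origin === "null" || base.origin === "null") {
    return false; // opaque origins (blob:, data:, ...) never match anything
  }
  return target.origin === base.origin;
}

// Hypothetical request shape for the demonstration (constructed, not the
// project's http.requestAbsolute / fetch wrapper).
interface KycRequest {
  url: string;
  headers: Record<string, string>;
}

// Hypothetical guarded call site: the x-kyc-code header is only attached
// after the origin check passes; otherwise the request is refused outright.
function buildKycRequest(stepUrl: string, apiBaseUrl: string, code: string): KycRequest {
  if (!isSameOrigin(stepUrl, apiBaseUrl)) {
    throw new Error(`refusing to send x-kyc-code to ${stepUrl}: not on API origin ${apiBaseUrl}`);
  }
  return { url: stepUrl, headers: { "x-kyc-code": code } };
}

// Constructed sample cases mirroring the spec described in the review:
// same-origin accepted; foreign host, subdomain trick, scheme/port mismatch
// and unparsable input rejected.
const API_BASE = "https://api.example.com"; // constructed, not a real endpoint

const ACCEPTED_STEP_URLS = [
  "https://api.example.com/kyc/step/2",
  "https://api.example.com:443/kyc/step/2", // default port normalises away
];

const REJECTED_STEP_URLS = [
  "https://evil.example/kyc/step/2",                 // foreign host
  "https://api.example.com.evil.example/kyc/step/2", // subdomain trick
  "https://api.example.com@evil.example/kyc/step/2", // userinfo trick
  "http://api.example.com/kyc/step/2",               // scheme mismatch
  "https://api.example.com:8443/kyc/step/2",         // port mismatch
  "not a url",                                       // unparsable
];

// Returns true when every constructed case behaves as the spec requires.
function runSampleCases(): boolean {
  const accepted = ACCEPTED_STEP_URLS.every((u) => isSameOrigin(u, API_BASE));
  const rejected = REJECTED_STEP_URLS.every((u) => !isSameOrigin(u, API_BASE));
  return accepted && rejected;
}

console.log(runSampleCases() ? "all sample cases behave as specified" : "MISMATCH");
```

The check deliberately compares whole origins rather than host suffixes: a suffix test would let api.example.com.evil.example through, and a host-only test would let a plaintext http:// downgrade or a different port through, which is exactly the class of step-URL tampering the PR closes.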