--- a/scansion/serve.lua Mon Sep 17 22:07:19 2018 +0100
+++ b/scansion/serve.lua Fri Dec 28 04:35:51 2018 -0500
@@ -19,7 +19,17 @@
 local chunk = json.encode(entry) .. "\r\n";
 response.conn:write(("%x\r\n%s\r\n"):format(#chunk, chunk));
 end
-
+
+ -- SECURITY NOTE: We MUST validate Origin before running the Scansion script,
+ -- since we don't want arbitrary websites to have local RCEs (CORS does not
+ -- protect us here, it at best keeps the script from seeing the response)
+ if request.headers.origin ~= config.origin and config.origin ~= "*" then
+ verse.log("warn", "Rejecting origin: %s", request.headers.origin);
+ response.status_code = 403; -- spec suggested response when we don't like the origin
+ response.headers.connection = "close";
+ return "";
+ end
+
 response.status_code = 201;
 response.headers.connection = "close";
 response.headers.transfer_encoding = "chunked";
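Review bot: The new check on the `if request.headers.origin ~= config.origin` line treats a missing Origin header and an unset `config.origin` as equal, so when `config.origin` is nil (unless a non-nil default is assigned somewhere this hunk does not show) a request that omits the Origin header passes through to the 201 path while any request that does send an Origin is rejected; the fail-closed form is `if config.origin ~= "*" and (not request.headers.origin or request.headers.origin ~= config.origin) then`. On the rejection branch, `verse.log("warn", "Rejecting origin: %s", request.headers.origin)` feeds a possibly-nil value to a `%s` format, which raises instead of logging if verse.log delegates to string.format on Lua 5.1, so `tostring(request.headers.origin)` is the safer argument. The handler this block sits in begins and ends outside the hunk.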