
fix: Information Disclosure - Path Traversal Security Vulnerability#178

Merged
Roopan-Microsoft merged 5 commits into main from dev
Apr 8, 2026

Conversation

@Prajwal-Microsoft (Contributor)

Purpose

  • This pull request introduces several important security and configuration improvements to the frontend server and its deployment infrastructure. The main focus is on tightening CORS policies, restricting configuration endpoint access, and ensuring safer file serving, along with the necessary infrastructure updates to support these changes.

Frontend server security and configuration:

  • CORS policy is now restricted to allowed origins specified by the ALLOWED_ORIGINS environment variable, replacing the previous open policy (*). Only GET methods are allowed, reducing the attack surface.
  • The /config endpoint now checks the request's Origin and Host headers, serving configuration only to same-origin requests and returning 403 Forbidden otherwise. This prevents leaking sensitive configuration to third-party sites.
  • The file serving logic now ensures that requests cannot access files outside the build directory by resolving and validating the requested path, mitigating path traversal attacks.

Infrastructure and environment configuration:

  • The ALLOWED_ORIGINS environment variable is now set in both infra/main.bicep and infra/main_custom.bicep, using the frontend container app name and environment domain to dynamically generate the allowed origin.
  • The generated ARM template (infra/main.json) is updated to include the new ALLOWED_ORIGINS environment variable for the frontend container app, and minor dependency ordering adjustments are made for private DNS zones to ensure correct resource deployment.

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • ...

Other Information

Prajwal-Microsoft and others added 5 commits April 6, 2026 15:31
chore: Down merge from main to dev
…112301]

- Use os.path.realpath() to resolve symlinks and '..' sequences, then
  verify the resolved path stays within BUILD_DIR before serving files.
- Replace os.path.exists() with os.path.isfile() to prevent directory
  listing.
- Replace allow_origins=['*'] CORS wildcard with configurable
  ALLOWED_ORIGINS env var (empty = same-origin only).
- Restrict CORS allow_methods to GET.
- Add origin-vs-host check on /config to block cross-origin reads.
- Remove verbose fallback strings from /config defaults that disclosed
  deployment state.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add ALLOWED_ORIGINS to both main.bicep and main_custom.bicep so the
frontend CORS policy is automatically configured with the container
app's own FQDN during Azure deployment.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…-112301

fix: patch path traversal (CWE-22) and harden /config endpoint [MSRC 112301]
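The two checks the commit messages describe (realpath containment plus isfile for static files, and an Origin-vs-Host comparison for /config) as an added, stand-alone illustration; this is not the project's code, and the build directory, file names and the treatment of a missing Origin header are assumptions made for the example.

```python
import os
import tempfile
from urllib.parse import urlparse


def resolve_build_path(build_dir: str, requested: str):
    """Return the real path of `requested` only if it is a regular file inside
    build_dir; return None for '..' traversal, symlink escapes and directories
    (so the caller can never produce a directory listing)."""
    root = os.path.realpath(build_dir)
    # Strip leading slashes: os.path.join would otherwise discard `root`
    # for an absolute request path. realpath then collapses '..' and
    # follows symlinks *before* the containment check below.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # resolved outside the build directory
    if not os.path.isfile(candidate):
        return None  # missing, or a directory
    return candidate


def config_is_same_origin(origin_header, host_header) -> bool:
    """Serve /config only when the Origin header's host matches Host.
    Assumption for this example: a request with no Origin header at all is
    treated as a same-origin navigation and allowed."""
    if not host_header:
        return False
    if origin_header is None:
        return True
    return urlparse(origin_header).netloc.lower() == host_header.lower()


def build_fixture() -> str:
    """Construct a throwaway build directory (sample data made for this example):
    build/index.html, an empty build/assets/ directory, a secret.env outside
    the build directory, and a symlink inside it pointing at that secret."""
    base = tempfile.mkdtemp()
    build = os.path.join(base, "build")
    os.makedirs(os.path.join(build, "assets"))
    with open(os.path.join(build, "index.html"), "w") as f:
        f.write("<html></html>")
    with open(os.path.join(base, "secret.env"), "w") as f:
        f.write("SECRET=1\n")
    try:
        os.symlink(os.path.join(base, "secret.env"), os.path.join(build, "link.env"))
    except OSError:
        pass  # platforms without symlink support: link.env simply does not exist
    return build
```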
@Roopan-Microsoft Roopan-Microsoft merged commit c4b370f into main Apr 8, 2026
19 checks passed
@github-actions

github-actions bot commented Apr 8, 2026

🎉 This PR is included in version 1.0.4 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
