Spaces:

VibecoderMcSwaggins
/

stroke-deepisles-demo

Paused

App Files Files Community

VibecoderMcSwaggins commited on 2 days ago

Commit

07db7cc

unverified ·

1 Parent(s): 900a32d

fix(security): apply CodeRabbit security feedback (#38)

Browse files

* fix(security): apply CodeRabbit security feedback

Addresses 3 actionable items from CodeRabbit review:

1. CORS regex anchors (CRITICAL): Added ^ and $ anchors to prevent
subdomain spoofing attacks like .hf.space.evil.com

2. ErrorBoundary production leak: Error details now only shown in
development mode (import.meta.env.DEV) or when explicitly enabled
via showDetails prop

3. Type safety: Split BackendJobStatus from JobStatus to clearly
distinguish API response types (never include 'waking_up') from
frontend-only states (which do include 'waking_up')

* fix(security): complete CodeRabbit feedback implementation

Additional fixes based on CodeRabbit's full review:

1. componentDidCatch logging (security): Now gates full error+stack
logging behind import.meta.env.DEV. Production only logs minimal
"ErrorBoundary caught an error" message without exposing internals.

2. CORS single source of truth (DRY): Removed regex entirely in favor
of exact-match allow_origins list. Added HF_SPACE_FRONTEND constant
used in single place. This eliminates:
- Regex security surface area
- Dual-source drift risk (list vs regex)
- Potential misconfiguration

Both changes validated from first principles against CodeRabbit claims.

Files changed (3) hide show

frontend/src/components/ErrorBoundary.tsx +21 -12
frontend/src/types/index.ts +7 -9
src/stroke_deepisles_demo/api/main.py +12 -6

frontend/src/components/ErrorBoundary.tsx CHANGED Viewed

@@ -3,6 +3,8 @@ import { Component, type ReactNode } from "react";
 interface Props {
   children: ReactNode;
   fallback?: ReactNode;
 }
 interface State {
@@ -32,8 +34,13 @@ export class ErrorBoundary extends Component<Props, State> {
   }
   componentDidCatch(error: Error, errorInfo: React.ErrorInfo): void {
-    // Log error for debugging
-    console.error("ErrorBoundary caught error:", error, errorInfo);
   }
   handleRetry = (): void => {
@@ -53,16 +60,18 @@ export class ErrorBoundary extends Component<Props, State> {
             <p className="text-gray-300">
               An unexpected error occurred while rendering the application.
             </p>
-            {this.state.error && (
-              <details className="text-left">
-                <summary className="text-gray-400 cursor-pointer hover:text-gray-300">
-                  Error details
-                </summary>
-                <pre className="mt-2 p-2 bg-gray-900 rounded text-xs text-red-300 overflow-auto max-h-32">
-                  {this.state.error.message}
-                </pre>
-              </details>
-            )}
             <button
               onClick={this.handleRetry}
               className="bg-blue-600 hover:bg-blue-700 text-white font-medium py-2 px-4 rounded-lg transition-colors"

 interface Props {
   children: ReactNode;
   fallback?: ReactNode;
+  /** Show error details even in production (defaults to false) */
+  showDetails?: boolean;
 }
 interface State {
   }
   componentDidCatch(error: Error, errorInfo: React.ErrorInfo): void {
+    // Only log full error details in development (security: don't leak stack traces in prod)
+    if (import.meta.env.DEV) {
+      console.error("ErrorBoundary caught error:", error, errorInfo);
+    } else {
+      // Minimal production logging - no stack traces or internal details
+      console.error("ErrorBoundary caught an error");
+    }
   }
   handleRetry = (): void => {
             <p className="text-gray-300">
               An unexpected error occurred while rendering the application.
             </p>
+            {/* Only show error details in development or if explicitly enabled (security) */}
+            {this.state.error &&
+              (import.meta.env.DEV || this.props.showDetails) && (
+                <details className="text-left">
+                  <summary className="text-gray-400 cursor-pointer hover:text-gray-300">
+                    Error details
+                  </summary>
+                  <pre className="mt-2 p-2 bg-gray-900 rounded text-xs text-red-300 overflow-auto max-h-32">
+                    {this.state.error.message}
+                  </pre>
+                </details>
+              )}
             <button
               onClick={this.handleRetry}
               className="bg-blue-600 hover:bg-blue-700 text-white font-medium py-2 px-4 rounded-lg transition-colors"

frontend/src/types/index.ts CHANGED Viewed

@@ -30,25 +30,23 @@ export interface SegmentResponse {
   warning?: string | null;
 }
-// Job Status Types
-export type JobStatus =
-  | "pending"
-  | "running"
-  | "completed"
-  | "failed"
-  | "waking_up";
 // Response from POST /api/segment (job creation)
 export interface CreateJobResponse {
   jobId: string;
-  status: JobStatus;
   message: string;
 }
 // Response from GET /api/jobs/{jobId} (status polling)
 export interface JobStatusResponse {
   jobId: string;
-  status: JobStatus;
   progress: number;
   progressMessage: string;
   elapsedSeconds?: number;

   warning?: string | null;
 }
+// Backend Job Status Types (returned by API - never includes 'waking_up')
+export type BackendJobStatus = "pending" | "running" | "completed" | "failed";
+// Frontend Job Status Types (includes client-side states like 'waking_up')
+export type JobStatus = BackendJobStatus | "waking_up";
 // Response from POST /api/segment (job creation)
 export interface CreateJobResponse {
   jobId: string;
+  status: BackendJobStatus; // Backend never returns 'waking_up'
   message: string;
 }
 // Response from GET /api/jobs/{jobId} (status polling)
 export interface JobStatusResponse {
   jobId: string;
+  status: BackendJobStatus; // Backend never returns 'waking_up'
   progress: number;
   progressMessage: string;
   elapsedSeconds?: number;

src/stroke_deepisles_demo/api/main.py CHANGED Viewed

@@ -97,24 +97,30 @@ class CORPMiddleware(BaseHTTPMiddleware):
         return response
-# CORS configuration
-FRONTEND_ORIGIN = os.environ.get("FRONTEND_ORIGIN", "")
-CORS_ORIGINS = [
     "http://localhost:5173",  # Vite dev server
     "http://localhost:3000",  # Alternative local port
 ]
-if FRONTEND_ORIGIN:
     CORS_ORIGINS.append(FRONTEND_ORIGIN)
 # Add CORP middleware first (for COEP compatibility)
 app.add_middleware(CORPMiddleware)
 # Add CORS middleware with strict security settings
 app.add_middleware(
     CORSMiddleware,
     allow_origins=CORS_ORIGINS,
-    # Anchored regex: only allow our specific HF Space (security fix for BUG-002)
-    allow_origin_regex=r"https://vibecodermcswaggins-stroke-viewer-frontend\.hf\.space",
     allow_credentials=False,  # Not needed - no cookies/auth
     allow_methods=["GET", "POST"],  # Only methods we use
     allow_headers=["Content-Type"],  # Only headers we need

         return response
+# CORS configuration - Single source of truth (no regex needed for exact origins)
+# Production HF Space frontend origin
+HF_SPACE_FRONTEND = "https://vibecodermcswaggins-stroke-viewer-frontend.hf.space"
+CORS_ORIGINS: list[str] = [
     "http://localhost:5173",  # Vite dev server
     "http://localhost:3000",  # Alternative local port
+    HF_SPACE_FRONTEND,  # Production HF Space frontend
 ]
+# Allow override via environment variable (for custom deployments)
+FRONTEND_ORIGIN = os.environ.get("FRONTEND_ORIGIN", "")
+if FRONTEND_ORIGIN and FRONTEND_ORIGIN not in CORS_ORIGINS:
     CORS_ORIGINS.append(FRONTEND_ORIGIN)
 # Add CORP middleware first (for COEP compatibility)
 app.add_middleware(CORPMiddleware)
 # Add CORS middleware with strict security settings
+# Note: Using allow_origins list for exact matching (no regex needed)
+# This eliminates regex security concerns while maintaining single source of truth
 app.add_middleware(
     CORSMiddleware,
     allow_origins=CORS_ORIGINS,
     allow_credentials=False,  # Not needed - no cookies/auth
     allow_methods=["GET", "POST"],  # Only methods we use
     allow_headers=["Content-Type"],  # Only headers we need