CodeBuddy Code v2.70.1 Release
Security Fixes
CORS Cross-Origin Attack Protection
Fixed a cross-origin request security vulnerability in the local Gateway service (cbc --serve). Previously, malicious web pages could use JavaScript to make cross-origin requests to the user's local localhost service, executing Agent commands or stealing output data.
Key fixes:
- Replaced the framework's default `Access-Control-Allow-Origin: *` with a precise allowlist mechanism, only permitting cross-origin requests from localhost, 127.0.0.1, and Tunnel URLs
- Added Host header validation middleware to prevent DNS Rebinding attacks
- Fixed CORS wildcard vulnerability on SSE streaming endpoints
- Changed the default bind address from `0.0.0.0` to `127.0.0.1` to prevent the service from being exposed to the local network
Improvements
- Custom CORS Rules: Support configuring allowed cross-origin sources via the `CODEBUDDY_CODE_CORS_ORIGINS` environment variable (comma-separated) or the `gateway.corsOrigins` Settings option, accommodating special use cases