🤖 fix: remediate CSWSH → RCE with origin validation + auth hardening #2418
ibetitsmike merged 6 commits into main
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5ba60e9390
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Allow cross-origin GET/POST requests only on explicit OAuth callback routes so response_mode=form_post and POST-preserving redirects continue to work without opening general CORS access. Also update expected-origin derivation to honor X-Forwarded-Proto even when only Host is present, matching common TLS-terminating proxy deployments.
@codex review
Addressed both prior P1 comments:
Also added/updated tests for both behaviors.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 56195cd9e0
Prevent hostnames like 127.example.com from being misclassified as loopback, which would skip auth-token generation on non-local binds. Also handle bracketed IPv6 ([::1]).
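The classification this commit describes, as an added TypeScript example that is not the project's code. `isLoopbackHost` and `pickAuthToken` are hypothetical names, and the token policy is an assumption, since the page does not list the rules of `resolveServerAuthToken()`.

```typescript
import { randomBytes } from "node:crypto";

type AuthDecision = { token: string | null; source: "explicit" | "generated" | "none" };

// True only for "localhost" or a literal loopback address. Anything that does not
// parse cleanly is treated as non-loopback, so doubt always ends with a token required.
function isLoopbackHost(host: string): boolean {
  let h = host.trim().toLowerCase();
  // Bracketed IPv6 literal such as [::1]
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  if (h === "localhost" || h === "::1" || h === "0:0:0:0:0:0:0:1") return true;
  // IPv4: exactly four decimal octets, first one 127. A prefix test such as
  // startsWith("127.") would wrongly accept the hostname 127.example.com.
  const octets = h.split(".");
  const isIPv4 = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  return isIPv4 && octets[0] === "127";
}

// Assumed policy: an explicit token always wins, a loopback bind may run without
// one, and any other bind gets a freshly generated random token.
function pickAuthToken(bindHost: string, explicit?: string): AuthDecision {
  if (explicit && explicit.trim() !== "") {
    return { token: explicit.trim(), source: "explicit" };
  }
  if (isLoopbackHost(bindHost)) return { token: null, source: "none" };
  return { token: randomBytes(32).toString("hex"), source: "generated" };
}
```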
@codex review
Addressed P1:
Codex Review: Didn't find any major issues. More of your lovely PRs please.
#728)

## Summary

Add per-workspace authentication token wiring to the Mux Coder module, closing the last-mile deployment gap for cross-site WebSocket hijacking (CSWSH) protection identified in coder/security#120.

## Background

When Mux runs as a Coder workspace app, it is accessible via Coder's subdomain proxy (e.g., `mux--ws--user.apps.coder.com`). Without an auth token, a malicious same-site origin (another user's workspace app on the same `*.coder.com` domain) can hijack the WebSocket session and execute arbitrary commands via the oRPC API.

The Mux application itself already implements:

- **Strict same-origin enforcement** for HTTP/CORS and WebSocket upgrades (coder/mux#2418)
- **Auth token support** - the server reads `MUX_SERVER_AUTH_TOKEN` or `--auth-token`, and the browser frontend extracts `?token=` from the URL and persists it to localStorage

What was missing was module-level token generation and browser/backend wiring.

## Implementation

- **`random_password.mux_auth_token`** generates a 64-character token per module instance.
- **Backend wiring:** `run.sh` launches mux with a process-scoped `MUX_SERVER_AUTH_TOKEN` environment variable.
- **Frontend wiring:** `coder_app.mux.url` includes `?token=<secret>` so first launch from Coder passes the token to the browser for bootstrap/persistence.

To avoid cross-instance breakage, this change intentionally does **not** use a shared `coder_env` key. Multiple `coder/mux` module instances can target the same `agent_id` (different `slug`/`port`), and a single global env key would collide. Process-scoped env keeps each instance's backend token aligned with its app URL token.

## Validation

- `terraform fmt -check -diff` in `registry/coder/modules/mux`
- `terraform test` in `registry/coder/modules/mux` (8 passed, 0 failed)
- Updated tests now verify the URL token value (not just prefix) and verify the launch script sets `MUX_SERVER_AUTH_TOKEN` using the generated token.

---
_Generated with `mux` • Model: `anthropic:claude-opus-4-6` • Thinking: `xhigh`_
Summary
Remediates coder/security#120 (Cross-Site WebSocket Hijacking → RCE in Mux app deployments) by enforcing strict same-origin checks at the server boundary, hardening server-mode auth defaults, and preserving required OAuth callback compatibility.

Background
The reported exploit chain relied on browser-initiated cross-origin access to the Mux HTTP/WS API plus unauthenticated exposed deployments.
This PR closes that path by:
- `mux server` binds.

Implementation
1) Origin validation + restrictive CORS (`src/node/orpc/server.ts`)
- `app.use(cors())`.
- `403`.
- `noServer` + `handleUpgrade`) to block cross-origin WS handshakes before oRPC handling.

2) OAuth callback safe carveout (`src/node/orpc/server.ts`)
- `/auth/mux-gateway/callback`
- `/auth/mux-governor/callback`
- `/auth/mcp-oauth/callback`
- `GET`/`POST` navigation-style callback methods.
- `state` before code exchange, so this preserves secure OAuth semantics while keeping the API origin gate strict elsewhere.

3) Forwarded-proto compatibility fix (`src/node/orpc/server.ts`)
- `X-Forwarded-Proto` even when only `Host` is present.

4) Secure-by-default auth for non-loopback binds (`src/cli/serverSecurity.ts`, `src/cli/server.ts`)
- `resolveServerAuthToken()` policy:

Validation
- `bun test src/node/orpc/server.test.ts`
- `bun test src/cli/serverSecurity.test.ts src/node/orpc/server.test.ts`
- `make static-check`
All passed locally.

Risks

Generated with mux • Model: openai:gpt-5.3-codex • Thinking: xhigh • Cost: $4.46
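The origin gate from items 1 to 3 of the description, as an added TypeScript example; it is not the code in `src/node/orpc/server.ts`. `Req`, `Verdict`, `normalizeOrigin`, `expectedOrigin` and `checkOrigin` are hypothetical names, and two behaviours are assumptions: requests without an `Origin` header pass through to token auth, and WebSocket upgrades never qualify for the callback carve-out.

```typescript
type Req = { method: string; url: string; headers: Record<string, string | undefined> };
type Verdict = { allow: boolean; status: 200 | 403; reason: string };

// Callback routes named in the PR description; only these accept cross-origin GET/POST.
const OAUTH_CALLBACKS = new Set([
  "/auth/mux-gateway/callback",
  "/auth/mux-governor/callback",
  "/auth/mcp-oauth/callback",
]);

// Reduce a URL-like string to scheme://host[:port]; null for "null", garbage or non-HTTP schemes.
function normalizeOrigin(value: string | undefined): string | null {
  if (!value) return null;
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// Origin the page must have been served from. X-Forwarded-Proto is honored even when
// only Host is present. Assumption: the server is reachable only through a proxy that
// sets or strips that header, otherwise a client could choose the scheme itself.
function expectedOrigin(req: Req, socketIsTls: boolean): string | null {
  const proto = (req.headers["x-forwarded-proto"] ?? "").split(",")[0].trim().toLowerCase();
  const scheme = proto === "http" || proto === "https" ? proto : socketIsTls ? "https" : "http";
  return normalizeOrigin(`${scheme}://${req.headers["host"] ?? ""}`);
}

// Run for every HTTP request and, before the handshake completes, for every WS upgrade.
function checkOrigin(req: Req, socketIsTls = false): Verdict {
  const raw = req.headers["origin"];
  // Assumption: no Origin header means a non-browser client; the auth token covers it.
  if (raw === undefined) return { allow: true, status: 200, reason: "no-origin" };
  const origin = normalizeOrigin(raw);
  if (origin !== null && origin === expectedOrigin(req, socketIsTls)) {
    return { allow: true, status: 200, reason: "same-origin" };
  }
  const isUpgrade = (req.headers["upgrade"] ?? "").toLowerCase() === "websocket";
  const path = req.url.split("?")[0];
  if (!isUpgrade && OAUTH_CALLBACKS.has(path) && (req.method === "GET" || req.method === "POST")) {
    return { allow: true, status: 200, reason: "oauth-callback" };
  }
  return { allow: false, status: 403, reason: "cross-origin" };
}
```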