
chore(guard): centralize cors config#4097

Closed
MasterPtato wants to merge 1 commit into 02-02-fix_api_use_matched_path_to_reduce_metric_cardinality from 02-02-chore_guard_centralize_cors_config

Conversation

@MasterPtato
Contributor

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

@railway-app railway-app bot temporarily deployed to rivet-frontend / rivet-pr-4097 February 3, 2026 00:20 Destroyed
@railway-app

railway-app bot commented Feb 3, 2026

🚅 Deployed to the rivet-pr-4097 environment in rivet-frontend

Service | Status | Link | Updated (UTC)
mcp-hub | 🕒 Building (View Logs) | Web | Feb 4, 2026 at 6:51 pm
frontend-cloud | ✅ Success (View Logs) | Web | Feb 4, 2026 at 6:50 pm
frontend-inspector | 🕐 Queued (View Logs) | Web | Feb 4, 2026 at 6:49 pm
website | 🕒 Building (View Logs) | Web | Feb 4, 2026 at 6:49 pm

Contributor Author

MasterPtato commented Feb 3, 2026

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more


How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@claude

claude bot commented Feb 3, 2026

Code Review - PR #4097: chore(guard): centralize cors config

Summary

This PR centralizes CORS configuration by moving CORS header logic from pegboard-gateway into the shared guard-core proxy service. The change reduces duplication and ensures consistent CORS handling across services.

Positive Aspects ✅

  1. Good abstraction: Centralizing CORS header management in ProxyService is the right architectural choice
  2. Clean refactoring: The code in pegboard-gateway/src/lib.rs is now much cleaner and more focused on business logic
  3. Security improvement: The comment about preventing cache poisoning with the Vary header shows good security awareness
  4. Proper optionality: Making allow_methods, allow_headers, and max_age optional fields is correct since they are only needed for OPTIONS requests

Issues & Recommendations

1. Potential Header Injection Vulnerability 🔴 Critical

Location: proxy_service.rs:587, proxy_service.rs:594, proxy_service.rs:601

The code uses HeaderValue::from_str() on user-provided values without validation. In pegboard-gateway/src/lib.rs:140, requested_headers comes directly from the request header. While HeaderValue::from_str() will return an error for invalid header values, this creates a potential DoS vector where malicious requests could cause the handler to fail.

Recommendation:

  • Either validate/sanitize the requested_headers input before passing it to CorsConfig, or
  • Handle the error case more gracefully in the proxy service (e.g., using .unwrap_or_else() with a safe default)

2. Inconsistent Error Handling Pattern

Location: proxy_service.rs:584-603

The new code uses the ? operator which will propagate errors up the call stack. This is inconsistent with the existing CORS header setting code above it (lines 566-582) which uses infallible methods like HeaderValue::from_static().

Recommendation: Consider using .unwrap_or_else() with safe defaults to make the code infallible, or document the error conditions.

3. Type Safety Issue - TODO Not Addressed

Location: request_context.rs:155

The TODO comment indicates allow_methods should be Vec<Method> instead of String. Since this PR is touching CORS config, it would be ideal to address this TODO for better type safety and to prevent invalid HTTP methods.

4. Missing Documentation

Location: request_context.rs:149-160

The CorsConfig struct lacks documentation explaining when each field should be set, the relationship between optional fields and request types, and valid values/formats for string fields.

5. Code Style - Comment Formatting

Location: request_context.rs:154, request_context.rs:158

Per CLAUDE.md guidelines, comments should be complete sentences. The current comments are fragments ("Only set for OPTIONS requests", "Seconds").

Recommendation: Use complete sentences like "These fields are only set for OPTIONS requests."

6. Unnecessary Comments

Location: pegboard-gateway/src/lib.rs:154-157

The comments explaining when optional fields should be None add noise and would be self-evident from proper struct documentation.

Testing Considerations

The PR description does not mention testing. Consider:

  1. Unit tests: Test that CORS headers are correctly set for both OPTIONS and regular requests
  2. Integration tests: Verify the gateway properly handles preflight requests
  3. Security tests: Test header injection scenarios with malicious input

Performance Considerations

No significant performance concerns. The changes are purely organizational.

Security Assessment

Good: Vary header prevents cache poisoning
⚠️ Concern: Header injection risk from unsanitized user input (see Issue #1)
Good: Credentials and origin handling appears secure

Conclusion

This is a solid refactoring that improves code organization. However, it has one critical security concern around header injection that should be addressed before merging. The other issues are lower priority but would improve code quality.

Recommendation: Request changes to address the header injection vulnerability, then approve after fixes.
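The review above turns on three things that a reader cannot see without the diff: what HeaderValue::from_str actually rejects, how a reflected Access-Control-Request-Headers value should be sanitised before it lands in CorsConfig, and why the Vary header matters for shared caches. The block below is an added, std-only Rust example written for this page; it is not rivet's code and not the PR's diff. The CorsConfig field names follow the review's description but are assumed, is_valid_header_value is modelled on the http crate's rule (visible characters plus HTAB, never CR, LF, NUL or DEL; treat that as an assumption rather than a citation), and sanitize_requested_headers, build_cors_headers and the constructed preflight input are all hypothetical.

```rust
// Added example, not rivet's code. Demonstrates: (1) validating values before
// they become response headers, (2) dropping bad Access-Control-Request-Headers
// tokens instead of failing the whole request, (3) emitting Vary so a shared
// cache never serves one origin's CORS response to another.

/// Assumed shape of the PR's CorsConfig, per the review's description.
#[derive(Debug, Clone)]
pub struct CorsConfig {
    pub allow_origin: String,
    pub allow_credentials: bool,
    /// Preflight-only fields; None for non-OPTIONS requests.
    pub allow_methods: Option<String>,
    pub allow_headers: Option<String>,
    /// Seconds the browser may cache the preflight result.
    pub max_age: Option<u64>,
}

/// RFC 7230 `tchar`: the characters allowed in a header-name token.
fn is_tchar(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&b)
}

/// Assumption: mirrors what http::HeaderValue::from_str accepts.
/// Rejects CR, LF, NUL, other C0 controls and DEL; allows HTAB.
pub fn is_valid_header_value(v: &str) -> bool {
    v.bytes().all(|b| (b >= 0x20 && b != 0x7F) || b == b'\t')
}

/// Sanitise a raw Access-Control-Request-Headers value: split on commas,
/// keep only well-formed tokens, lower-case them. Junk (including a CRLF
/// injection attempt) is dropped rather than turned into a handler error.
pub fn sanitize_requested_headers(raw: &str) -> Option<String> {
    let kept: Vec<String> = raw
        .split(',')
        .map(str::trim)
        .filter(|t| !t.is_empty() && t.bytes().all(is_tchar))
        .map(|t| t.to_ascii_lowercase())
        .collect();
    if kept.is_empty() { None } else { Some(kept.join(", ")) }
}

/// Build the CORS response headers. Err means a value would be rejected by
/// HeaderValue::from_str; the caller decides between failing and defaulting.
pub fn build_cors_headers(
    cfg: &CorsConfig,
    preflight: bool,
) -> Result<Vec<(&'static str, String)>, String> {
    let mut out = Vec::new();
    // Vary lists the request headers this response depends on, so a cache
    // keys on them instead of replaying the first origin's answer to all.
    let mut vary = vec!["Origin"];
    out.push(("Access-Control-Allow-Origin", cfg.allow_origin.clone()));
    if cfg.allow_credentials {
        out.push(("Access-Control-Allow-Credentials", "true".to_string()));
    }
    if preflight {
        vary.push("Access-Control-Request-Method");
        vary.push("Access-Control-Request-Headers");
        if let Some(m) = &cfg.allow_methods {
            out.push(("Access-Control-Allow-Methods", m.clone()));
        }
        if let Some(h) = &cfg.allow_headers {
            out.push(("Access-Control-Allow-Headers", h.clone()));
        }
        if let Some(a) = cfg.max_age {
            out.push(("Access-Control-Max-Age", a.to_string()));
        }
    }
    out.push(("Vary", vary.join(", ")));
    for (name, value) in &out {
        if !is_valid_header_value(value) {
            return Err(format!("invalid value for {name}"));
        }
    }
    Ok(out)
}

fn main() {
    // Constructed preflight input: one good header, one CRLF-injection
    // attempt, one more good header.
    let raw = "Content-Type, X-Evil\r\nSet-Cookie: a=b, Authorization";
    let cfg = CorsConfig {
        allow_origin: "https://app.example".to_string(),
        allow_credentials: true,
        allow_methods: Some("GET, POST".to_string()),
        allow_headers: sanitize_requested_headers(raw),
        max_age: Some(600),
    };
    for (name, value) in build_cors_headers(&cfg, true).unwrap() {
        println!("{name}: {value}");
    }
}
```

Passing the raw value straight into allow_headers makes build_cors_headers return Err, which is the failure the review calls a DoS vector; running it through sanitize_requested_headers first yields "content-type, authorization" and a clean response, which is the "validate before CorsConfig" option the review prefers. The Vary value differs between the preflight and the plain request because only the preflight response depends on the Access-Control-Request-* headers.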

@pkg-pr-new

pkg-pr-new bot commented Feb 3, 2026


@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/cloudflare-workers@4097

@rivetkit/db

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/db@4097

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/framework-base@4097

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/next-js@4097

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/react@4097

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivet/rivetkit@4097

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sql-loader@4097

@rivetkit/virtual-websocket

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/virtual-websocket@4097

@rivetkit/engine-runner

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner@4097

@rivetkit/engine-runner-protocol

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner-protocol@4097

commit: d3bae78

@graphite-app graphite-app bot force-pushed the 02-02-fix_api_use_matched_path_to_reduce_metric_cardinality branch 2 times, most recently from bdba6ac to 89f49de Compare February 3, 2026 00:27
@graphite-app graphite-app bot force-pushed the 02-02-chore_guard_centralize_cors_config branch from efea839 to bf38fdd Compare February 3, 2026 00:27
@railway-app railway-app bot temporarily deployed to rivet-frontend / rivet-pr-4097 February 3, 2026 00:27 Destroyed
@MasterPtato MasterPtato force-pushed the 02-02-chore_guard_centralize_cors_config branch from bf38fdd to 1e902d5 Compare February 3, 2026 02:08
@railway-app railway-app bot temporarily deployed to rivet-frontend / rivet-pr-4097 February 3, 2026 02:08 Destroyed
@MasterPtato MasterPtato mentioned this pull request Feb 3, 2026
11 tasks
@MasterPtato MasterPtato force-pushed the 02-02-chore_guard_centralize_cors_config branch from 1e902d5 to cb28ad8 Compare February 3, 2026 21:19
@MasterPtato MasterPtato force-pushed the 02-02-chore_guard_centralize_cors_config branch from cb28ad8 to d3bae78 Compare February 4, 2026 18:49
@MasterPtato MasterPtato force-pushed the 02-02-fix_api_use_matched_path_to_reduce_metric_cardinality branch from 89f49de to 7b579e8 Compare February 4, 2026 18:49
@railway-app railway-app bot temporarily deployed to rivet-frontend / rivet-pr-4097 February 4, 2026 18:49 Destroyed
@graphite-app
Contributor

graphite-app bot commented Feb 4, 2026

Merge activity

  • Feb 4, 6:50 PM UTC: MasterPtato added this pull request to the Graphite merge queue.
  • Feb 4, 6:51 PM UTC: CI is running for this pull request on a draft pull request (#4113) due to your merge queue CI optimization settings.
  • Feb 4, 6:51 PM UTC: Merged by the Graphite merge queue via draft PR: #4113.

graphite-app bot pushed a commit that referenced this pull request Feb 4, 2026
# Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] This change requires a documentation update

## How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

## Checklist:

- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
@graphite-app graphite-app bot closed this Feb 4, 2026
@graphite-app graphite-app bot deleted the 02-02-chore_guard_centralize_cors_config branch February 4, 2026 18:51
1 participant