fix: validate_startup checks CORS wildcard in production (#472)

2026-03-19 15:27:56 -04:00
parent 0ae00af3f8
commit 7e6b268c1c
2 changed files with 39 additions and 0 deletions
--- a/src/config.py
+++ b/src/config.py
@@ -469,8 +469,19 @@ def validate_startup(*, force: bool = False) -> None:
                ", ".join(_missing),
            )
            sys.exit(1)
+        if "*" in settings.cors_origins:
+            _startup_logger.error(
+                "PRODUCTION SECURITY ERROR: CORS wildcard '*' is not allowed "
+                "in production. Set CORS_ORIGINS to explicit origins."
+            )
+            sys.exit(1)
        _startup_logger.info("Production mode: security secrets validated ✓")
    else:
+        if "*" in settings.cors_origins:
+            _startup_logger.warning(
+                "SEC: CORS_ORIGINS contains wildcard '*' — "
+                "restrict to explicit origins before deploying to production."
+            )
        if not settings.l402_hmac_secret:
            _startup_logger.warning(
                "SEC: L402_HMAC_SECRET is not set — "
--- a/tests/test_lazy_init.py
+++ b/tests/test_lazy_init.py
@@ -49,6 +49,34 @@ class TestConfigLazyValidation:
            # Should not raise
            validate_startup(force=True)

+    def test_validate_startup_exits_on_cors_wildcard_in_production(self):
+        """validate_startup() should exit in production when CORS has wildcard."""
+        from config import settings, validate_startup
+
+        with (
+            patch.object(settings, "timmy_env", "production"),
+            patch.object(settings, "l402_hmac_secret", "test-secret-hex-value-32"),
+            patch.object(settings, "l402_macaroon_secret", "test-macaroon-hex-value-32"),
+            patch.object(settings, "cors_origins", ["*"]),
+            pytest.raises(SystemExit),
+        ):
+            validate_startup(force=True)
+
+    def test_validate_startup_warns_cors_wildcard_in_dev(self):
+        """validate_startup() should warn in dev when CORS has wildcard."""
+        from config import settings, validate_startup
+
+        with (
+            patch.object(settings, "timmy_env", "development"),
+            patch.object(settings, "cors_origins", ["*"]),
+            patch("config._startup_logger") as mock_logger,
+        ):
+            validate_startup(force=True)
+            mock_logger.warning.assert_any_call(
+                "SEC: CORS_ORIGINS contains wildcard '*' — "
+                "restrict to explicit origins before deploying to production."
+            )
+
    def test_validate_startup_skips_in_test_mode(self):
        """validate_startup() should be a no-op in test mode."""
        from config import validate_startup