fix(security): add CSRF protection, CORS whitelist, and security headers (#1853)

Author: ycjcl868

multimodal/tarko/agent-server-next/examples/bootstrap.ts

@@ -3,7 +3,14 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 import { getContext } from 'hono/context-storage';
-import { AuthHook, CorsHook, AgentServer, ContextStorageHook } from '../src/index';
+import {
+  AuthHook,
+  AgentServer,
+  ContextStorageHook,
+  createCorsHook,
+  createCsrfProtectionHook,
+  SecurityHeadersHook,
+} from '../src/index';
 import { resolve } from 'path';
 import { ContextVariables } from '../src/types';
 
@@ -140,8 +147,10 @@ const logger = {
 };
 
 server.setLogger(logger);
+server.registerHook(SecurityHeadersHook);
 server.registerHook(AuthHook);
-server.registerHook(CorsHook);
+server.registerHook(createCorsHook(server.port));
+server.registerHook(createCsrfProtectionHook());
 server.registerHook(ContextStorageHook);
 
 console.log('🚀 Starting TARS Agent Server...');

multimodal/tarko/agent-server-next/src/hooks/builtInHooks.ts

@@ -3,6 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+import crypto from 'crypto';
 import { cors } from "hono/cors";
 import { BuiltInPriorities, HookRegistrationOptions } from "./types";
 import { accessLogMiddleware, errorHandlingMiddleware, requestIdMiddleware } from "../middlewares";
@@ -36,20 +37,89 @@ export const ContextStorageHook: HookRegistrationOptions = {
     handler: contextStorage(),
 }
 
+/**
+ * Check if an origin is allowed for CORS.
+ * Allows localhost/127.0.0.1 on the server port, file:// protocol,
+ * and any additional origins from TARKO_ALLOWED_ORIGINS env var.
+ */
+function isAllowedOrigin(origin: string, port: number): boolean {
+    const allowedOrigins = new Set([
+        `http://localhost:${port}`,
+        `http://127.0.0.1:${port}`,
+        'file://',
+    ]);
+
+    // Support additional origins via environment variable
+    const extraOrigins = process.env.TARKO_ALLOWED_ORIGINS;
+    if (extraOrigins) {
+        for (const o of extraOrigins.split(',')) {
+            const trimmed = o.trim();
+            if (trimmed) {
+                allowedOrigins.add(trimmed);
+            }
+        }
+    }
 
+    if (allowedOrigins.has(origin)) {
+        return true;
+    }
 
+    // Allow file:// origins (which may have a path suffix)
+    if (origin.startsWith('file://')) {
+        return true;
+    }
+
+    return false;
+}
+
+/**
+ * Create a CORS hook with origin whitelist based on server port.
+ * @param port The server port to allow in CORS origins
+ */
+export function createCorsHook(port: number): HookRegistrationOptions {
+    return {
+        id: 'cors',
+        name: 'CORS',
+        priority: BuiltInPriorities.CORS,
+        description: 'Cross-Origin Resource Sharing middleware with origin whitelist',
+        handler: cors({
+            origin: (origin) => {
+                if (!origin || isAllowedOrigin(origin, port)) {
+                    return origin || '*';
+                }
+                return null;
+            },
+            allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+            allowHeaders: [
+                'Content-Type',
+                'Authorization',
+                'X-Requested-With',
+                'X-CSRF-Token',
+                'x-user-info',
+                'x-jwt-token',
+            ],
+            credentials: true,
+        }),
+    };
+}
+
+/**
+ * @deprecated Use createCorsHook(port) instead for proper origin validation.
+ * This export uses permissive CORS with ACCESS_ALLOW_ORIGIN env var fallback to '*'.
+ */
 export const CorsHook: HookRegistrationOptions = {
     id: 'cors',
     name: 'CORS',
     priority: BuiltInPriorities.CORS,
-    description: 'Cross-Origin Resource Sharing middleware',
+    description: 'Cross-Origin Resource Sharing middleware (deprecated: use createCorsHook)',
     handler: cors({
         origin: process.env.ACCESS_ALLOW_ORIGIN || '*',
         allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
         allowHeaders: [
             'Content-Type',
             'Authorization',
             'X-Requested-With',
+            'X-CSRF-Token',
             'x-user-info',
             'x-jwt-token',
         ],
@@ -75,3 +145,86 @@ export const AuthHook: HookRegistrationOptions = {
     description: 'Authentication and authorization middleware',
     handler: authMiddleware,
 }
+
+// ---- CSRF Token Management ----
+
+const CSRF_TOKEN_EXPIRY_MS = 24 * 60 * 60 * 1000; // 24 hours
+const CSRF_MAX_TOKENS = 1000;
+const csrfTokenStore = new Map<string, number>();
+
+function cleanExpiredCsrfTokens(): void {
+    const now = Date.now();
+    for (const [token, expiry] of csrfTokenStore) {
+        if (expiry <= now) {
+            csrfTokenStore.delete(token);
+        }
+    }
+}
+
+export function generateCsrfToken(): string {
+    if (csrfTokenStore.size > CSRF_MAX_TOKENS) {
+        cleanExpiredCsrfTokens();
+    }
+    const token = crypto.randomBytes(32).toString('hex');
+    csrfTokenStore.set(token, Date.now() + CSRF_TOKEN_EXPIRY_MS);
+    return token;
+}
+
+function isValidCsrfToken(token: string): boolean {
+    const expiry = csrfTokenStore.get(token);
+    if (!expiry) return false;
+    if (Date.now() > expiry) {
+        csrfTokenStore.delete(token);
+        return false;
+    }
+    return true;
+}
+
+const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
+
+/**
+ * Create a CSRF protection hook.
+ * Validates X-CSRF-Token header on mutation requests (POST/PUT/DELETE).
+ */
+export function createCsrfProtectionHook(): HookRegistrationOptions {
+    return {
+        id: 'csrf-protection',
+        name: 'CSRF Protection',
+        priority: BuiltInPriorities.AUTH - 10, // Just before auth
+        description: 'CSRF token validation for mutation requests',
+        handler: async (c, next) => {
+            if (SAFE_METHODS.has(c.req.method)) {
+                await next();
+                return;
+            }
+
+            const token = c.req.header('X-CSRF-Token');
+            if (!token || !isValidCsrfToken(token)) {
+                return c.json({
+                    error: 'CSRF token missing or invalid',
+                    message: 'A valid CSRF token is required for mutation requests. Obtain one via GET /api/v1/csrf-token.',
+                }, 403);
+            }
+
+            await next();
+        },
+    };
+}
+
+/**
+ * Security headers hook.
+ * Adds standard security response headers.
+ */
+export const SecurityHeadersHook: HookRegistrationOptions = {
+    id: 'security-headers',
+    name: 'Security Headers',
+    priority: BuiltInPriorities.CORS + 10, // Before CORS
+    description: 'Adds security response headers',
+    handler: async (c, next) => {
+        await next();
+        c.header('X-Content-Type-Options', 'nosniff');
+        c.header('X-Frame-Options', 'DENY');
+        c.header('X-XSS-Protection', '1; mode=block');
+        c.header('Referrer-Policy', 'strict-origin-when-cross-origin');
+    },
+};

multimodal/tarko/agent-server-next/src/hooks/index.ts

@@ -4,5 +4,14 @@
  */
 
 export { HookManager } from './HookManager';
-export { CorsHook, AccessLogHook, AuthHook, ContextStorageHook } from './builtInHooks'
+export {
+  CorsHook,
+  AccessLogHook,
+  AuthHook,
+  ContextStorageHook,
+  SecurityHeadersHook,
+  createCorsHook,
+  createCsrfProtectionHook,
+  generateCsrfToken,
+} from './builtInHooks'
 export * from './types';

multimodal/tarko/agent-server-next/src/routes/csrf.ts

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2025 Bytedance, Inc. and its affiliates.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { Hono } from 'hono';
+import { generateCsrfToken } from '../hooks/builtInHooks';
+import type { ContextVariables } from '../types';
+
+/**
+ * Create CSRF token routes
+ */
+export function createCsrfRoutes(): Hono<{ Variables: ContextVariables }> {
+  const router = new Hono<{ Variables: ContextVariables }>();
+
+  router.get('/api/v1/csrf-token', (c) => {
+    const token = generateCsrfToken();
+    return c.json({ token });
+  });
+
+  return router;
+}

multimodal/tarko/agent-server-next/src/routes/index.ts

@@ -6,4 +6,5 @@
 export { createQueryRoutes } from './queries';
 export { createSessionRoutes } from './sessions';
 export { createShareRoutes } from './share';
-export { createSystemRoutes } from './system';
+export { createSystemRoutes } from './system';
+export { createCsrfRoutes } from './csrf';

multimodal/tarko/agent-server-next/src/server.ts

@@ -27,6 +27,7 @@ import {
   createSessionRoutes,
   createShareRoutes,
   createSystemRoutes,
+  createCsrfRoutes,
 } from './routes';
 import { createUserConfigRoutes } from './routes/user';
 import { HookManager, BuiltInPriorities, type HookRegistrationOptions } from './hooks';
@@ -166,6 +167,7 @@ export class AgentServer<T extends AgentAppConfig = AgentAppConfig> {
    */
   private setupRoutes(): void {
     // Register all API routes
+    this.app.route('/', createCsrfRoutes());
     this.app.route('/', createQueryRoutes());
     this.app.route('/', createSessionRoutes());
     this.app.route('/', createShareRoutes());

multimodal/tarko/agent-server/src/api/index.ts

@@ -2,38 +2,111 @@ import express from 'express';
 import cors from 'cors';
 import { registerAllRoutes } from './routes';
 import { setupWorkspaceStaticServer } from '../utils/workspace-static-server';
+import { csrfProtectionMiddleware } from './middleware/csrf-protection';
+import { registerCsrfRoutes } from './routes/csrf';
 
 /**
- * Get default CORS options if none are provided
- *
- * TODO: support cors config.
+ * Check if an origin is allowed for CORS.
+ * Allows localhost/127.0.0.1 on the server port, file:// protocol,
+ * and any additional origins from TARKO_ALLOWED_ORIGINS env var.
  */
-export function getDefaultCorsOptions(): cors.CorsOptions {
+function isAllowedOrigin(origin: string | undefined, port: number): boolean {
+  if (!origin) {
+    // Allow requests with no Origin header (e.g., curl, same-origin)
+    return true;
+  }
+
+  const allowedOrigins = new Set([
+    `http://localhost:${port}`,
+    `http://127.0.0.1:${port}`,
+    'file://',
+  ]);
+
+  // Support additional origins via environment variable
+  const extraOrigins = process.env.TARKO_ALLOWED_ORIGINS;
+  if (extraOrigins) {
+    for (const o of extraOrigins.split(',')) {
+      const trimmed = o.trim();
+      if (trimmed) {
+        allowedOrigins.add(trimmed);
+      }
+    }
+  }
+
+  if (allowedOrigins.has(origin)) {
+    return true;
+  }
+
+  // Also allow file:// origins (which may have a path suffix)
+  if (origin.startsWith('file://')) {
+    return true;
+  }
+
+  return false;
+}
+
+/**
+ * Get CORS options with origin whitelist based on server port.
+ */
+export function getDefaultCorsOptions(port: number): cors.CorsOptions {
   return {
-    origin: '*',
+    origin: (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
+      if (isAllowedOrigin(origin, port)) {
+        callback(null, true);
+      } else {
+        callback(new Error(`Origin ${origin} not allowed by CORS policy`));
+      }
+    },
     methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
-    allowedHeaders: ['Content-Type', 'Authorization'],
+    allowedHeaders: ['Content-Type', 'Authorization', 'X-CSRF-Token'],
   };
 }
 
+/**
+ * Security headers middleware
+ */
+function securityHeadersMiddleware(
+  _req: express.Request,
+  res: express.Response,
+  next: express.NextFunction,
+): void {
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader('X-Frame-Options', 'DENY');
+  res.setHeader('X-XSS-Protection', '1; mode=block');
+  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+  next();
+}
+
 /**
  * Setup API middleware and routes
  * @param app Express application instance
- * @param options Server options
+ * @param options Server options including port for CORS configuration
  */
 export function setupAPI(
   app: express.Application,
   options?: {
     workspacePath?: string;
     isDebug?: boolean;
+    port?: number;
   },
 ) {
-  // Apply CORS middleware
-  app.use(cors(getDefaultCorsOptions()));
+  const port = options?.port ?? 3000;
+
+  // Apply security headers
+  app.use(securityHeadersMiddleware);
+
+  // Apply CORS middleware with origin whitelist
+  app.use(cors(getDefaultCorsOptions(port)));
 
   // Apply JSON body parser middleware
   app.use(express.json({ limit: '20mb' }));
 
+  // Register CSRF token endpoint (before CSRF protection so GET is accessible)
+  registerCsrfRoutes(app);
+
+  // Apply CSRF protection middleware (after body parser, before routes)
+  app.use(csrfProtectionMiddleware);
+
   // Add app.group method
   app.group = (
     prefix: string,