Skip to content

fix(auth): validate Origin header against APPSMITH_BASE_URL #41426

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 28, 2025
Merged

fix(auth): validate Origin header against APPSMITH_BASE_URL #41426

merged 1 commit into from
Nov 28, 2025

Conversation

@subrata71
Copy link
Collaborator

@subrata71 subrata71 commented Nov 27, 2025
edited
Loading

Description

Prevent account takeover by validating Origin header in password reset and email verification endpoints against configured APPSMITH_BASE_URL.

  • Add validateBaseUrl() helper to check Origin matches APPSMITH_BASE_URL
  • Add APPSMITH_BASE_URL field to admin settings UI
  • Ensure backward compatibility when APPSMITH_BASE_URL is not set

EE PR: https://github.com/appsmithorg/appsmith-ee/pull/8448

Fixes https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv

Automation

/ok-to-test tags="@tag.All"

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/19726406804
Commit: 3764386
Cypress dashboard.
Tags: @tag.All
Spec:

Thu, 27 Nov 2025 07:03:50 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • New Features

    • Added Appsmith Base URL configuration setting in Admin Settings, enabling administrators to specify their instance's base URL.

  • Bug Fixes

    • Improved error handling and added URL validation in password reset and email verification flows for enhanced security.

✏️ Tip: You can customize this high-level summary in your review settings.

@subrata71 subrata71 self-assigned this Nov 27, 2025
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Nov 27, 2025
edited
Loading

Walkthrough

New admin setting APPSMITH_BASE_URL introduced with text input configuration, validation logic, and test locators. Backend refactored to validate request origin against configured base URL during password reset and email verification flows.

Changes

Cohort / File(s) Summary
Test Locators
app/client/cypress/locators/AdminsSettings.js		 Added appsmithBaseUrlInput locator property for the new admin setting field.
Frontend Configuration
app/client/src/ce/pages/AdminSettings/config/configuration.tsx		 Exported new APPSMITH_BASE_URL configuration setting with text input control, HTTP(s) URL validation, and descriptive labels.
Backend Error Handling
app/server/appsmith-server/src/main/java/.../UserControllerCE.java		 Removed onErrorReturn(true) operator from forgot password flow; errors now propagate instead of being suppressed.
Backend Validation
app/server/appsmith-server/src/main/java/.../UserServiceCEImpl.java		 Added appsmithBaseUrl dependency injection and validateBaseUrl() method. Refactored forgotPasswordTokenGenerate() and resendEmailVerification() to validate request origin against configured base URL before processing.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Controller
    participant Service
    
    Note over Client,Service: Forgot Password / Email Verification Flow
    
    Client->>Controller: POST request (with origin)
    Controller->>Service: Call flow method
    
    rect rgb(220, 240, 245)
        Note over Service: validateBaseUrl()
        Service->>Service: Check if APPSMITH_BASE_URL configured
        alt URL configured
            Service->>Service: Validate origin matches APPSMITH_BASE_URL
            alt Mismatch
                Service-->>Controller: Return error
            else Match
                Service->>Service: Proceed to token generation
            end
        else URL not configured
            Service->>Service: Skip validation, proceed
        end
    end
    
    Service->>Service: Process token generation
    Service-->>Controller: Return success/result
    Controller-->>Client: HTTP 200 response
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Backend service logic: Verify validation chain integration in validateBaseUrl() and correct error propagation through refactored helper methods
  • Error handling changes: Confirm removal of onErrorReturn(true) doesn't inadvertently expose user information in error messages
  • Configuration coupling: Ensure APPSMITH_BASE_URL config is properly wired from frontend setting to backend service injection

Poem

🔐 A base URL comes to town,
Validating origins up and down,
Password flows now stand their ground,
With origin checks all around! 🛡️

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: adding Origin header validation against APPSMITH_BASE_URL for authentication security.
Description check ✅ Passed PR description covers the main security fix with clear motivation, links to issue and EE PR, includes test results, and mostly follows the template structure.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/acc-takeover-vuln

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@subrata71 subrata71 added the ok-to-test Required label for CI label Nov 27, 2025
coderabbitai[bot]
coderabbitai bot reviewed Nov 27, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9864994 and 3764386.

📒 Files selected for processing (4)
  • app/client/cypress/locators/AdminsSettings.js (1 hunks)
  • app/client/src/ce/pages/AdminSettings/config/configuration.tsx (2 hunks)
  • app/server/appsmith-server/src/main/java/com/appsmith/server/controllers/ce/UserControllerCE.java (0 hunks)
  • app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/UserServiceCEImpl.java (4 hunks)
💤 Files with no reviewable changes (1)
  • app/server/appsmith-server/src/main/java/com/appsmith/server/controllers/ce/UserControllerCE.java
🧰 Additional context used
📓 Path-based instructions (1)
app/client/cypress/**/**.*

⚙️ CodeRabbit configuration file

app/client/cypress/**/**.*: Review the following e2e test code written using the Cypress test library. Ensure that:

  • Follow best practices for Cypress code and e2e automation.
  • Avoid using cy.wait in code.
  • Avoid using cy.pause in code.
  • Avoid using agHelper.sleep().
  • Use locator variables for locators and do not use plain strings.
  • Use data-* attributes for selectors.
  • Avoid Xpaths, Attributes and CSS path.
  • Avoid selectors like .btn.submit or button[type=submit].
  • Perform logins via API with LoginFromAPI.
  • Perform logout via API with LogOutviaAPI.
  • Perform signup via API with SignupFromAPI.
  • Avoid using it.only.
  • Avoid using after and aftereach in test cases.
  • Use multiple assertions for expect statements.
  • Avoid using strings for assertions.
  • Do not use duplicate filenames even with different paths.
  • Avoid using agHelper.Sleep, this.Sleep in any file in code.

Files:

  • app/client/cypress/locators/AdminsSettings.js
🧠 Learnings (6)
📓 Common learnings 
Learnt from: sharat87
Repo: appsmithorg/appsmith PR: 29585
File: deploy/docker/fs/opt/appsmith/caddy-reconfigure.mjs:8-8
Timestamp: 2024-10-08T15:32:39.374Z
Learning: The `APPSMITH_CUSTOM_DOMAIN` environment variable is not being deleted and should remain in use as per the current codebase configuration.

Learnt from: sharat87
Repo: appsmithorg/appsmith PR: 29585
File: deploy/docker/fs/opt/appsmith/caddy-reconfigure.mjs:8-8
Timestamp: 2024-07-26T21:12:57.228Z
Learning: The `APPSMITH_CUSTOM_DOMAIN` environment variable is not being deleted and should remain in use as per the current codebase configuration.
📚 Learning: 2024-07-24T08:29:41.208Z 
Learnt from: abhishek-bandameedi
Repo: appsmithorg/appsmith PR: 35133
File: app/client/cypress/e2e/Regression/ClientSide/Widgets/Checkbox/CheckBox2_spec.js:0-0
Timestamp: 2024-07-24T08:29:41.208Z
Learning: In Cypress tests for the Appsmith project, ensure the use of locator variables for selectors and include multiple assertions for comprehensive testing.

Applied to files:

  • app/client/cypress/locators/AdminsSettings.js
📚 Learning: 2024-10-08T15:32:34.115Z 
Learnt from: sagar-qa007
Repo: appsmithorg/appsmith PR: 34955
File: app/client/cypress/e2e/Regression/ClientSide/ActionExecution/General_settings_Spec.ts:14-56
Timestamp: 2024-10-08T15:32:34.115Z
Learning: Learnt from: sagar-qa007
PR: appsmithorg/appsmith#34955
File: app/client/cypress/e2e/Regression/ClientSide/ActionExecution/General_settings_Spec.ts:14-56
Timestamp: 2024-07-16T06:44:55.118Z
Learning: Avoid using sleep functions like `agHelper.Sleep`, `this.Sleep`, and other related sleep functions in Cypress tests within the `app/client/cypress` directory to prevent non-deterministic behaviors and ensure tests are more reliable and maintainable.

Applied to files:

  • app/client/cypress/locators/AdminsSettings.js
📚 Learning: 2024-10-04T05:51:15.138Z 
Learnt from: abhvsn
Repo: appsmithorg/appsmith PR: 36596
File: app/server/appsmith-server/src/main/java/com/appsmith/server/solutions/ce/UserSignupCEImpl.java:475-475
Timestamp: 2024-10-04T05:51:15.138Z
Learning: In `app/server/appsmith-server/src/main/java/com/appsmith/server/solutions/ce/UserSignupCEImpl.java`, the variable `newsletterSignedUpUserEmail` is always expected to be non-null because the user's email is always present in the user object, so an additional null check is unnecessary.

Applied to files:

  • app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/UserServiceCEImpl.java
📚 Learning: 2024-07-26T21:12:57.228Z 
Learnt from: nidhi-nair
Repo: appsmithorg/appsmith PR: 29372
File: app/server/appsmith-server/src/main/java/com/appsmith/server/applications/jslibs/ApplicationJsLibServiceCEImpl.java:24-24
Timestamp: 2024-07-26T21:12:57.228Z
Learning: The change from `private` to `protected` for the `applicationService` field in `ApplicationJsLibServiceCEImpl` class was confirmed to be intentional by the user nidhi-nair for subclass access.

Applied to files:

  • app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/UserServiceCEImpl.java
📚 Learning: 2024-12-25T06:50:40.623Z 
Learnt from: trishaanand
Repo: appsmithorg/appsmith PR: 38359
File: app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/ce/CustomOAuth2UserServiceCEImpl.java:78-82
Timestamp: 2024-12-25T06:50:40.623Z
Learning: In `CustomOAuth2UserServiceCEImpl`, the second repository call for finding users by case-insensitive email is needed because older users might have uppercase or mixed-case emails, while new users have emails stored in lowercase.

Applied to files:

  • app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/UserServiceCEImpl.java
🧬 Code graph analysis (1)
app/client/src/ce/pages/AdminSettings/config/configuration.tsx (1)
app/client/src/ce/pages/AdminSettings/config/types.ts (2)
  • Setting (54-108)
  • SettingCategories (123-141)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
  • GitHub Check: perform-test / server-build / server-unit-tests
  • GitHub Check: perform-test / rts-build / build
  • GitHub Check: perform-test / client-build / client-build
  • GitHub Check: client-check-cyclic-deps / check-cyclic-dependencies
  • GitHub Check: client-lint / client-lint
  • GitHub Check: client-prettier / prettier-check
  • GitHub Check: client-unit-tests / client-unit-tests
  • GitHub Check: client-build / client-build
  • GitHub Check: server-spotless / spotless-check
  • GitHub Check: server-unit-tests / server-unit-tests
🔇 Additional comments (5)
app/client/cypress/locators/AdminsSettings.js (1)

83-83: LGTM!

The locator follows the established pattern and uses an attribute selector as required.

app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/UserServiceCEImpl.java (4)

220-225: Validation integration looks good.

The validation is correctly positioned before token generation, ensuring the security check happens early in the flow. The defer wrapper ensures proper reactive chain execution.

However, ensure the URL normalization issue in validateBaseUrl (Line 124-138) is addressed.

227-282: Good refactoring - extracted helper improves maintainability.

Extracting the token generation logic into a private helper method makes the code cleaner and separates the validation concern from the business logic.

851-856: Validation integration looks good.

Consistent with the forgot password flow - validation happens before processing. The defer wrapper ensures proper reactive chain execution.

However, ensure the URL normalization issue in validateBaseUrl (Line 124-138) is addressed.

858-931: Good refactoring - extracted helper improves maintainability.

Extracting the email verification logic into a private helper method maintains consistency with the forgot password flow and improves code organization.

@github-actions
Copy link

github-actions bot commented Nov 27, 2025

Failed server tests

  • com.appsmith.server.helpers.UserUtilsTest#makeInstanceAdministrator_WhenUserAlreadyAdmin_MaintainsPermissionsSuccessfully

@subrata71 subrata71 merged commit 6f9ee62 into release Nov 28, 2025
101 of 103 checks passed
@subrata71 subrata71 deleted the fix/acc-takeover-vuln branch November 28, 2025 04:39
This was referenced Nov 28, 2025
Closed
Merged
subrata71 added a commit to appsmithorg/appsmith-docs that referenced this pull request Nov 28, 2025
@subrata71
docs: Add APPSMITH_BASE_URL environment variable documentation (#2962)
f158fa8 
## Description 
- Add new Security section to environment-variables.md
- Document APPSMITH_BASE_URL for Origin header validation
- Explain protection against account takeover attacks
- Include configuration options (Admin Settings UI and env var)
- Add backward compatibility notes and recommendations

This addresses the account takeover vulnerability by documenting the
Origin header validation feature for password reset and email
verification requests.


Related PRs:
appsmithorg/appsmith-ee#8448
appsmithorg/appsmith#41426

## Pull request type

Check the appropriate box:

- [ ] Review Fixes
- [ ] Documentation Overhaul
- [ ] Feature/Story
    - Link one or more Engineering Tickets
        * 
- [ ] A-Force
- [ ] Error in documentation
- [ ] Maintenance

## Documentation tickets

 Link to one or more documentation tickets:
 - 

## Checklist

From the below options, select the ones that are applicable:

- [ ] Checked for Grammarly suggestions.
- [ ] Adhered to the writing checklist.
- [ ] Adhered to the media checklist.
- [ ] Verified and updated cross-references or added redirect rules.
- [ ] Tested the redirect rules on deploy preview.
- [ ] Validated the modifications made to the content on the deploy
preview.
- [ ] Validated the CSS modifications on different screen sizes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@sharat87 sharat87 sharat87 approved these changes

@ankitakinger ankitakinger Awaiting requested review from ankitakinger ankitakinger is a code owner

Assignees

@subrata71 subrata71

Labels

ok-to-test Required label for CI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@subrata71 @sharat87