fix: Prevent cross-domain websocket connections to on-premise instances (#9064)

server/services/websockets.ts

@@ -4,6 +4,7 @@ import cookie from "cookie";
 import Koa from "koa";
 import IO from "socket.io";
 import { createAdapter } from "socket.io-redis";
+import env from "@server/env";
 import { AuthenticationError } from "@server/errors";
 import Logger from "@server/logging/Logger";
 import Metrics from "@server/logging/Metrics";
@@ -38,7 +39,8 @@ export default function init(
     pingInterval: 15000,
     pingTimeout: 30000,
     cors: {
-      origin: "*",
+      // Included for completeness, though CORS does not apply to websocket transport.
+      origin: env.isCloudHosted ? "*" : env.URL,
       methods: ["GET", "POST"],
     },
   });
@@ -60,6 +62,16 @@ export default function init(
     "upgrade",
     function (req: IncomingMessage, socket: Duplex, head: Buffer) {
       if (req.url?.startsWith(path) && ioHandleUpgrade) {
+        // For on-premise deployments, ensure the websocket origin matches the deployed URL.
+        // In cloud-hosted we support any origin for custom domains.
+        if (
+          !env.isCloudHosted &&
+          (!req.headers.origin || !env.URL.startsWith(req.headers.origin))
+        ) {
+          socket.end(`HTTP/1.1 400 Bad Request\r\n`);
+          return;
+        }
+
         ioHandleUpgrade(req, socket, head);
         return;
       }