Anyone can access Cursor workspace connection URL
Hi Team, I was exploring Coder and we are mostly done with setting up all our workflows on it. I was doing a security review of it, and realised anyone can access Cursor workspace URLs in the form of cursor://coder.coder-remote/open?owner=nipun&workspace=brown-crow-66&url=https:/coder.example.com&token=$SSH_TOKEN. How do we think about securing this? What are the general best practices for securing access to your workspaces?
Thanks and looking forward
6 Replies
Category: Help needed
Product: Coder OSS (v2)
Platform: macOS
Logs: Please post any relevant logs/error messages.
`coder_app` resources in templates have a `share` attribute, which is `owner` by default: https://registry.terraform.io/providers/coder/coder/latest/docs/resources/app#share
If you're using the Cursor Desktop module on our registry, `share` is still `owner`, and the link you provided will only work if the token provided (`&token=...`) is the workspace owner's session token (which only they should have access to).

True, I was wondering if there is any way to restrict or authenticate that too if a malicious internal user shares the link.
Cloudflare Zero Trust can solve that since we don't have a VPN proxy yet, but a lot of things in code-server are breaking there. Is there any resource that I can follow to set up Zero Trust?
Why do you want to restrict that? Coder is managing the authentication, and any user who is not the owner of the workspace cannot open the workspace.
No, so if someone shares a link like this, with the SSH token, Coder won't authenticate, right? I was able to run this on a completely isolated PC and get access to all files and all:
cursor://coder.coder-remote/open?owner=nipun&workspace=brown-crow-66&url=https:/coder.example.com&token=$SSH_TOKEN
The operative part of sharing the link is that they’re sharing their access token. Even if you were to restrict the link, say by simply removing the token from it on the dashboard, that malicious user could still very easily exfiltrate their token.
But yeah, it sounds like you might not want your Coder deployment accessible from the public web if that’s the case
And for what it’s worth, you can just remove the token from the link, prompting the user to first authenticate manually within the Cursor/VSCode extension before connecting to the workspace.
Take a look at the source of the Coder module you're using; in the `coder_app` resource, you should be able to safely remove the `&token` query parameter.
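To make the last two replies concrete, here is an added example of what the `coder_app` change looks like in a template. This is not the Coder registry module's own code and was not posted by anyone in the thread. It assumes an agent resource named `coder_agent.main`, the icon path `/icon/cursor.svg`, and that the provider substitutes the viewing user's session token for the `$SESSION_TOKEN` placeholder in an external app URL (the thread shows the rendered value as `$SSH_TOKEN`). Keep only one of the two resources; the first is the weak form, the second the corrected one.

```hcl
# Added example, not the Coder registry module's code.
# Assumptions: an agent named coder_agent.main exists, the icon path is valid,
# and $SESSION_TOKEN is the placeholder the provider fills with the viewer's
# session token when rendering an external coder_app URL.

data "coder_workspace" "me" {}
data "coder_workspace_owner" "me" {}

# WEAK: the deep link carries the owner's session token. share = "owner" means
# only the owner sees this link in the dashboard, but once rendered the URL is
# a bearer credential: anyone it is forwarded to can connect from any machine.
resource "coder_app" "cursor_with_token" {
  agent_id     = coder_agent.main.id
  external     = true
  slug         = "cursor-with-token"
  display_name = "Cursor Desktop (token embedded)"
  icon         = "/icon/cursor.svg"
  share        = "owner" # the default; shown explicitly
  url = join("", [
    "cursor://coder.coder-remote/open",
    "?owner=", data.coder_workspace_owner.me.name,
    "&workspace=", data.coder_workspace.me.name,
    "&url=", data.coder_workspace.me.access_url,
    "&token=$SESSION_TOKEN", # <- the part that makes a forwarded link dangerous
  ])
}

# CORRECTED: same link without &token. The Coder extension in Cursor/VS Code
# prompts the user to log in against access_url before connecting, so a
# forwarded link is only a pointer to the workspace, not a credential, and
# Coder's own authorization (owner-only access) decides who can open it.
resource "coder_app" "cursor" {
  agent_id     = coder_agent.main.id
  external     = true
  slug         = "cursor"
  display_name = "Cursor Desktop"
  icon         = "/icon/cursor.svg"
  share        = "owner"
  url = join("", [
    "cursor://coder.coder-remote/open",
    "?owner=", data.coder_workspace_owner.me.name,
    "&workspace=", data.coder_workspace.me.name,
    "&url=", data.coder_workspace.me.access_url,
  ])
}
```

Dropping the parameter only removes the token from the link itself; as the reply above notes, an owner who wants to leak their own session token can still do so by other means, so the link change is about not handing out a credential by default, not about preventing a determined insider. Rotating or revoking that user's session in Coder is the control for the latter.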