Adds check for websocket source

Author: cbron

pkg/devspace/server/logs.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"io"
 	"net/http"
+	"net/url"
 	"sync"
 	"time"
 
@@ -14,7 +15,18 @@ import (
 )
 
 var upgrader = websocket.Upgrader{
-	CheckOrigin: func(r *http.Request) bool { return true },
+	CheckOrigin: func(r *http.Request) bool {
+		origin := r.Header.Get("Origin")
+		if origin == "" {
+			return true // non-browser clients (CLI tools, curl) send no Origin header
+		}
+		u, err := url.Parse(origin)
+		if err != nil {
+			return false
+		}
+		h := u.Hostname()
+		return h == "localhost" || h == "127.0.0.1"
+	},
 }
 
 type wsStream struct {

pkg/devspace/server/logs_test.go

@@ -0,0 +1,33 @@
+package server
+
+import (
+	"net/http"
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+func TestCheckOrigin(t *testing.T) {
+	cases := map[string]struct {
+		origin string
+		want   bool
+	}{
+		"no origin header (CLI/curl)": {origin: "", want: true},
+		"localhost origin":            {origin: "http://localhost:8080", want: true},
+		"127.0.0.1 origin":            {origin: "http://127.0.0.1:3000", want: true},
+		"localhost no port":           {origin: "http://localhost", want: true},
+		"external origin":             {origin: "http://bad.example.com", want: false},
+		"invalid origin":              {origin: "://bad-url", want: false},
+	}
+
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+			r := &http.Request{Header: http.Header{}}
+			if tc.origin != "" {
+				r.Header.Set("Origin", tc.origin)
+			}
+			got := upgrader.CheckOrigin(r)
+			assert.Equal(t, tc.want, got, name)
+		})
+	}
+}