fix(apigateway): allowedOrigins are incorrectly interpreted as regexes

[lpizzinidev]

Allowed origins for CORS preflight were treated like regular expressions in the checking condition.

For example, with this spec:

new apigateway.RestApi(this, 'api', {
      defaultCorsPreflightOptions: {
        allowOrigins: ['https://www.firstorigin.com', 'https://www.secondorigin.com'],
      }
    })
      .root
      .addResource('hello')
      .addMethod('GET', new apigateway.MockIntegration({}));

Calling:

http OPTIONS https://xxx.execute-api.xxx.amazonaws.com/prod/hello "Origin: https://wwwXsecondorigin.com"

The response header would include the header (allowing the invalid origin from the request):

Access-Control-Allow-Origin: https://wwwXsecondorigin.com

This fix solves the issue.

Closes #26623.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[rix0rrr]

Good call, but this change will break everyone who is aware that the field accepts a regex and relies on it.

Better to add a new field, maybe called allowedOriginsLiteral (or something) and document that the current one accepts regexes.

[cyraxx]

Note that the first origin in the array is not treated as a regex, only additional ones starting from the second item.

Combined with the fact the documentation doesn't mention regexes anywhere, IMHO the fact that it ever treated some of the input as regexes was a bug and not something that needs to be kept for backwards compatibility.

[rix0rrr]

Note that the first origin in the array is not treated as a regex, only additional ones starting from the second item.

This confused me for a bit, but I now see that the code is modal. It's not between the first and other elements, but it's between a singleton array and an array with multiple elements. Those get treated differently, and in the multiple elements case all elements get treated as regexes.

Given that, I'm inclined to agree with you.

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 2c3281b
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).