Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use exact matching of allowed domain entries, issue #489 #493

Merged
merged 5 commits into from
Jun 6, 2022
Merged

use exact matching of allowed domain entries, issue #489 #493

merged 5 commits into from
Jun 6, 2022

Conversation

emicklei
Copy link
Owner

No description provided.

@codecov-commenter
Copy link

codecov-commenter commented Apr 30, 2022
edited
Loading

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 69.63%. Comparing base (2326c8e) to head (9e49191).
Report is 79 commits behind head on v3.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@            Coverage Diff             @@
##               v3     #493      +/-   ##
==========================================
- Coverage   70.07%   69.63%   -0.44%     
==========================================
  Files          26       27       +1     
  Lines        1223     1581     +358     
==========================================
+ Hits          857     1101     +244     
- Misses        293      409     +116     
+ Partials       73       71       -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@crenshaw-dev
Copy link

The docs should be updated to indicate that each allowed domain isn't a potential regexp pattern, it is a regexp pattern. So ^some.example.com$ matches somexexample.com. Even after the PR, ^some\.example\.com matches some.example.com.org.

@emicklei
Copy link
Owner Author

@JamieSlome is your hunt issue resolved by this PR?

crenshaw-dev
crenshaw-dev suggested changes May 12, 2022
View reviewed changes
cors_filter.go Outdated
AllowedDomains []string // list of allowed values for Http Origin. An allowed value can be a regular expression to support subdomain matching. If empty all are allowed.
// AllowedDomains list of allowed values for Http Origin.
// An allowed value can be a regular expression to support subdomain matching.
// Non-regular expression values will be changed into an exact match: ^yourdomain.com$
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure ^yourdomain.com$ is an intuitive "exact match". The . is still a wildcard. You'd have to do fmt.Sprintf("^%s$", regexp.QuoteMeta(each)) to get an "exact match".

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed. ^www.amazon.com$ still matches wwwqamazon.com and www.amazonqcom.

cors_filter.go Outdated
AllowedDomains []string // list of allowed values for Http Origin. An allowed value can be a regular expression to support subdomain matching. If empty all are allowed.
// AllowedDomains list of allowed values for Http Origin.
// An allowed value can be a regular expression to support subdomain matching.
// Non-regular expression values will be changed into an exact match: ^yourdomain.com$
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not clear to me from this what qualifies as "non-regular expression". example.com and .* and example\.com are all regular expressions, even though they don't start with ^ or end with $.

@JamieSlome
Copy link

@emicklei:

Just (cc) @sickcodes and @ktg9 to see if they think this addresses the reported issue 👍

@steven-collins-omega
Copy link

@emicklei if I'm reading the code correctly, this just simply isn't going to work in practice in most cases. isOriginAllowed() is called on the literal value of the Origin header, which looks something like https://some.example.com:8080. Technically the documentation does say that AllowedDomains is a "list of allowed values for Http Origin", which is what it is. However, given the name AllowedDomains and the cors_filter test code, a library user would be likely to interpret it as a list of allowed domains. Such a user will find, after this proposed change, that nothing is allowed anymore. ^some.example.com$ doesn't match https://some.example.com:8080.

@emicklei
Copy link
Owner Author

@steven-collins-omega thank you for commenting on this. I agree that it is not correct and confusing. I will give it second time to come up with a solution

@emicklei
Copy link
Owner Author

emicklei commented May 25, 2022
edited
Loading

hi all, I am thinking about changing the behaviour of CrossOriginResourceSharing:

  • AllowedDomains will have entries that must include the origin value from the request by string comparing.
  • add the AllowedDomainFunc field which can be set with a function takes takes the origin and returns a bool for a match. This allows the developer to define his/her own logic.

crenshaw-dev
crenshaw-dev reviewed Jun 3, 2022
View reviewed changes
cors_filter.go Outdated
if domain == origin {
allowed = true
break
if domain == ".*" || domain == origin {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should domain and origin be lowercased before comparison?

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, i think this should happen. RFC4343: Domain Name System (DNS) names are "case insensitive".

@emicklei emicklei merged commit fd3c327 into v3 Jun 6, 2022
L3n41c pushed a commit to L3n41c/go-restful that referenced this pull request Jul 11, 2022
@emicklei @L3n41c
use exact matching of allowed domain entries, issue emicklei#489 (emi…
932dd83 
…cklei#493)

* use exact matching of allowed domain entries, issue emicklei#489

* update doc, add testcases from PR conversation

* introduce AllowedDomainFunc emicklei#489

* more tests, fix doc

* lowercase origin before checking cors
@L3n41c L3n41c mentioned this pull request Jul 11, 2022
Merged
emicklei added a commit that referenced this pull request Jul 11, 2022
@L3n41c @emicklei
use exact matching of allowed domain entries, issue #489 (#493) (#503)
9266625 
* use exact matching of allowed domain entries, issue #489

* update doc, add testcases from PR conversation

* introduce AllowedDomainFunc #489

* more tests, fix doc

* lowercase origin before checking cors

Co-authored-by: Ernest Micklei <ernest.micklei@gmail.com>
@L3n41c L3n41c mentioned this pull request Jul 12, 2022
Merged
9 tasks
@Barakmor1 Barakmor1 mentioned this pull request Jul 13, 2022
Merged
This was referenced Aug 10, 2022
Open
Open
@cx-tatianab cx-tatianab mentioned this pull request Feb 7, 2023
Open
@dorohayon dorohayon mentioned this pull request Feb 7, 2023
Open
@Yoavast Yoavast mentioned this pull request Feb 27, 2023
Open
@danielzhanghl danielzhanghl mentioned this pull request Mar 15, 2023
Closed
@diogopcx diogopcx mentioned this pull request Jun 27, 2023
Open
@apcxtest apcxtest mentioned this pull request Aug 17, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crenshaw-dev crenshaw-dev crenshaw-dev requested changes

@steven-collins-omega steven-collins-omega steven-collins-omega left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@emicklei @codecov-commenter @crenshaw-dev @JamieSlome @steven-collins-omega @ktg9