Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use exact matching of allowed domain entries, issue #489 #493

Merged
merged 5 commits into from
Jun 6, 2022
Merged

use exact matching of allowed domain entries, issue #489 #493

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
f292eff
use exact matching of allowed domain entries, issue #489
emicklei Mar 29, 2022
3e9df1c
update doc, add testcases from PR conversation
emicklei May 12, 2022
5728f44
introduce AllowedDomainFunc #489
emicklei Jun 2, 2022
363acea
more tests, fix doc
emicklei Jun 3, 2022
9e49191
lowercase origin before checking cors
emicklei Jun 4, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion cors_filter.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,11 @@ import (
type CrossOriginResourceSharing struct {
ExposeHeaders []string // list of Header names
AllowedHeaders []string // list of Header names
AllowedDomains []string // list of allowed values for Http Origin. An allowed value can be a regular expression to support subdomain matching. If empty all are allowed.
// AllowedDomains list of allowed values for Http Origin.
// An allowed value can be a regular expression to support subdomain matching.
// Non-regular expression values will be changed into an exact match: ^yourdomain.com$
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure ^yourdomain.com$ is an intuitive "exact match". The . is still a wildcard. You'd have to do fmt.Sprintf("^%s$", regexp.QuoteMeta(each)) to get an "exact match".

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed. ^www.amazon.com$ still matches wwwqamazon.com and www.amazonqcom.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not clear to me from this what qualifies as "non-regular expression". example.com and .* and example\.com are all regular expressions, even though they don't start with ^ or end with $.

// If empty all are allowed.
AllowedDomains []string
AllowedMethods []string
MaxAge int // number of seconds before requiring new Options request
CookiesAllowed bool
Expand Down Expand Up @@ -199,6 +203,10 @@ func compileRegexps(allowedDomains []string) ([]*regexp.Regexp, error) {
// make sure the expression represents an exact match
if !strings.HasPrefix(each, "^") {
each = fmt.Sprintf("^%s$", each)
} else {
if !strings.HasSuffix(each, "$") {
each = fmt.Sprintf("%s$", each)
}
}
r, err := regexp.Compile(each)
if err != nil {
Expand Down
2 changes: 2 additions & 0 deletions cors_filter_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,8 @@ var allowedDomainInput = []struct {
{[]string{"example.com"}, "not-allowed", false},
{[]string{"not-matching.com", "example.com"}, "example.com", true},
{[]string{".*"}, "example.com", true},
{[]string{"^some.example.com$"}, "some.example.com", true},
{[]string{"^some\\.example\\.com"}, "some.example.com.org", false},
}

// go test -v -test.run TestCORSFilter_AllowedDomains ...restful
Expand Down