Bug: Event handler + cors + headers #4589

Closed
leandrodamascena opened this issue Jun 20, 2024 · 7 comments · Fixed by #4638
Assignees
Labels
bug Something isn't working

Comments

@leandrodamascena

Expected Behaviour

Opening this issue on behalf of @pseudochaos

#4385 (comment)

Current Behaviour

Need more information.

Code snippet

Need more information.

Possible Solution

Need more information.

Steps to Reproduce

Need more information.

Powertools for AWS Lambda (Python) version

2.39.1

AWS Lambda function runtime

3.11

Packaging format used

PyPi

Debugging logs

No response

@leandrodamascena leandrodamascena added bug Something isn't working triage Pending triage from maintainers labels Jun 20, 2024
@leandrodamascena leandrodamascena moved this from Triage to Pending customer in Powertools for AWS Lambda (Python) Jun 20, 2024
@leandrodamascena leandrodamascena removed the triage Pending triage from maintainers label Jun 20, 2024
Wurstnase commented Jun 23, 2024

Prior to 2.16.1 any request without an Origin returned an Access-Control-Allow-Origin: *.

2.16.1 introduced the multiple CORS origins. A request without an Origin will not return any Access-Control-Allow-Origin anymore.

Also any request with an Origin will return a header with Access-Control-Allow-Origin: <origin> instead of Access-Control-Allow-Origin: *.

```python
from aws_lambda_powertools.event_handler import APIGatewayRestResolver, CORSConfig, Response

# Default CORSConfig: allow_origin="*" and the default allowed headers
app = APIGatewayRestResolver(CORSConfig())


def handler(event, context):
    return app.resolve(event, context)


@app.get("/foo")
def _():
    return Response(200)
```

event without origin:

```json
{
  "httpMethod": "GET",
  "path": "/foo"
}
```

response pre 2.16.1

```python
{
    "body": None,
    "isBase64Encoded": False,
    "multiValueHeaders": {
        "Access-Control-Allow-Headers": [
            "Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"
        ],
        "Access-Control-Allow-Origin": [
            "*"
        ]
    },
    "statusCode": 200
}
```

response post 2.16.1

```python
{
    "body": None,
    "isBase64Encoded": False,
    "multiValueHeaders": {},
    "statusCode": 200
}
```

event with origin:

```json
{
  "httpMethod": "GET",
  "path": "/foo",
  "headers": {"Origin": "https://example.com"}
}
```

response pre 2.16.1

```python
{
    "body": None,
    "isBase64Encoded": False,
    "multiValueHeaders": {
        "Access-Control-Allow-Headers": [
            "Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"
        ],
        "Access-Control-Allow-Origin": [
            "*"
        ]
    },
    "statusCode": 200
}
```

response post 2.16.1

```python
{
    "body": None,
    "isBase64Encoded": False,
    "multiValueHeaders": {
        "Access-Control-Allow-Headers": [
            "Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key",
        ],
        "Access-Control-Allow-Origin": [
            "https://example.com",
        ],
    },
    "statusCode": 200,
}
```

@heitorlessa heitorlessa moved this from Pending customer to Working on it in Powertools for AWS Lambda (Python) Jun 24, 2024
@heitorlessa

Assigning to @sthulb to investigate

@heitorlessa

hey @Wurstnase, thank you for taking the time to add more context that was missing from the original author - I have some questions.

> Also any request with an Origin will return a header with Access-Control-Allow-Origin: <origin> instead of Access-Control-Allow-Origin: *

To be sure we're on the same page, ideally the behavior should be (to avoid security issues):

| Scenario | Behavior | Why |
|---|---|---|
| CORS Origin '<origin>' + Client request with Origin header | Access-Control-Allow-Origin: <origin> | If match, honour CORS config. |
| Client request without Origin header | Do not return Access-Control-Allow-Origin to not expose configured Origin | Not considered a cross-origin request; returning origin could expose server to unwanted requests |
| CORS Origin '*' set + Client request with Origin header | Access-Control-Allow-Origin: * | Honour configured CORS config |

If we were to return Access-Control-Allow-Origin: * while you're explicitly setting a given Origin, then we're throwing away CORS security guarantees.

> A request without an Origin will not return any Access-Control-Allow-Origin anymore.

That's expected by CORS practices, though we missed that apparently in earlier versions. If we were to do it, we'd throw away CORS security guarantees for cross-origin requests; a request without Origin means it was either not cross-origin to begin with OR done in error/intentionally for attack surface discovery.

Please let me know if that's incorrect or if I misunderstood

Wurstnase commented Jun 27, 2024

So, the third scenario is different to the current behavior and should be changed. The rest looks ok to me.

Do we need to handle: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#sect1

> `*`
> For requests without credentials, the literal value "*" can be specified as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials results in an error.
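The decision table from the earlier comment, plus the wildcard-with-credentials rule quoted from MDN above, can be written as one small policy function. This is an added illustration for this thread, not Powertools' own implementation: the function name `cors_response_headers`, its parameters, and the sample events are assumptions chosen for the example.

```python
from __future__ import annotations

from typing import Mapping, Optional


def _request_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Return the Origin header value, matching the header name case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "origin":
            return value
    return None


def cors_response_headers(
    configured_origins: list[str],
    request_headers: Mapping[str, str],
    allow_credentials: bool = False,
) -> dict[str, str]:
    """Decide which CORS response headers to emit for one request.

    Rules (the thread's decision table plus the MDN credentials note):
      * no Origin header               -> emit nothing; the request is not
                                          cross-origin, and echoing the configured
                                          origin would needlessly disclose it
      * configured "*"                 -> "Access-Control-Allow-Origin: *", but only
                                          when credentials are not allowed, since
                                          browsers reject "*" combined with credentials
      * exact match on a listed origin -> echo that origin and add "Vary: Origin" so
                                          a shared cache never serves one origin's
                                          answer to another
      * no match                       -> emit nothing
    """
    origin = _request_origin(request_headers)
    if origin is None:
        return {}

    if "*" in configured_origins:
        if allow_credentials:
            # Wildcard + credentials is invalid under CORS. Refusing is safer than
            # silently reflecting the caller's origin, which would amount to
            # credentialed access for every site.
            return {}
        return {"Access-Control-Allow-Origin": "*"}

    if origin in configured_origins:
        # Exact string match: scheme, host and port must all agree.
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers

    return {}


if __name__ == "__main__":
    # Constructed sample events mirroring the two posted in the thread.
    without_origin = {"httpMethod": "GET", "path": "/foo"}
    with_origin = {
        "httpMethod": "GET",
        "path": "/foo",
        "headers": {"Origin": "https://example.com"},
    }
    for event in (without_origin, with_origin):
        print(cors_response_headers(["https://example.com"], event.get("headers", {})))
```

Run against the thread's two events with an explicit origin configured, the first call returns no CORS headers at all and the second echoes `https://example.com`; with `["*"]` configured the second call returns `*` instead, which is the third row of the table.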

@heitorlessa

@sthulb handling a regression now w/ Leandro and an internal thing - can you hash it out with Nico the best way forward plz?

github-actions bot commented Jul 5, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

This issue is now closed. Please be mindful that future comments are hard for our team to see.

If you need more assistance, please either tag a team member or open a new issue that references this one.

If you wish to keep having a conversation with other community members under this issue feel free to do so.

@github-actions github-actions bot added the pending-release Fix or implementation already in dev waiting to be released label Jul 5, 2024

This is now released under 2.41.0 version!

@github-actions github-actions bot removed the pending-release Fix or implementation already in dev waiting to be released label Jul 11, 2024