Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(middleware/cors): Validation of multiple Origins #2883

Merged
merged 8 commits into from
Mar 1, 2024

Conversation

sixcolors
Copy link
Member

@sixcolors sixcolors commented Feb 26, 2024

Description

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

in addition it adds benchmarks to the middleware

Related to #2882

Type of Change

Please delete options that are not relevant.

  • Bug fix

Checklist

Before you submit your pull request, please make sure you meet these requirements:

  • Followed the inspiration of the Express.js framework for new functionalities, making them similar in usage.
  • Conducted a self-review of the code and provided comments for complex or critical parts.
  • Added or updated unit tests to validate the effectiveness of the changes or new features.
  • Ensured that new and existing unit tests pass locally with the changes.
  • Aimed for optimal performance with minimal allocations in the new code.

Summary by CodeRabbit

  • Refactor
    • Improved handling and validation of CORS (Cross-Origin Resource Sharing) settings to support wildcards and specific origins more effectively.
  • Tests
    • Added new test cases and benchmarks for enhanced testing of CORS configurations and preflight request handling.

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

fixes gofiber#2882
@sixcolors sixcolors requested review from gaby, ReneWerner87, efectn and a team and removed request for ReneWerner87 and efectn February 26, 2024 19:55
@sixcolors sixcolors changed the title fix: allow origins check fix(middleware/cors): cfg.AllowOrigins validation Feb 26, 2024
@sixcolors
Copy link
Member Author

@brunobmello25 this should fix the bug from #2881

middleware/cors/cors_test.go Outdated Show resolved Hide resolved
middleware/cors/cors_test.go Outdated Show resolved Hide resolved
middleware/cors/cors_test.go Show resolved Hide resolved
middleware/cors/cors_test.go Show resolved Hide resolved
Copy link
Contributor

coderabbitai bot commented Feb 27, 2024

Walkthrough

The update introduces a refined approach to handling Cross-Origin Resource Sharing (CORS) in the middleware. It includes a refactoring of the logic for validating and normalizing AllowOrigins, now stored as a slice of strings for more flexible management of allowed origins, including wildcard support. Additionally, the update enhances error logging for invalid origins and streamlines the setting of allowOrigin via AllowOriginsFunc. Complementing these changes, new test cases and benchmarks in cors_test.go aim to ensure robust CORS functionality across various configurations.

Changes

Files Summary
middleware/cors/cors.go Refactored AllowOrigins handling, improved error logging, simplified allowOrigin setting.
middleware/cors/cors_test.go Added tests and benchmarks for CORS configurations and preflight request handling.

"In the code's vast meadow, under the digital sky,
A rabbit hops with joy, as CORS issues fly by.
🐰 With each line refined, and tests anew,
Wildcards dance, and origins true.
Cheers to the devs, with their craft so bright,
For making the web a more connected site."
🌟🌍🚀

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>.
    • Generate unit-tests for this file.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit tests for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai generate interesting stats about this repository from git and render them as a table.
    • @coderabbitai show all the console.log statements in this repository.
    • @coderabbitai read src/utils.ts and generate unit tests.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • The JSON schema for the configuration file is available here.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

@ReneWerner87
Copy link
Member

@coderabbitai review

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Status

Actionable comments generated: 1

Configuration used: CodeRabbit UI

Commits Files that changed from the base of the PR and between ddc6b23 and b3c7a2c.
Files selected for processing (2)
  • middleware/cors/cors.go (2 hunks)
  • middleware/cors/cors_test.go (3 hunks)
Additional comments: 5
middleware/cors/cors.go (1)
  • 176-177: The simplification of setting allowOrigin based on AllowOriginsFunc is clear and concise. This change improves readability and maintainability of the code by reducing complexity.
middleware/cors/cors_test.go (4)
  • 310-324: The addition of test cases to cover multiple origins with and without whitespace is a good practice to ensure the middleware correctly handles various configurations. These tests validate the functionality of trimming whitespace and normalizing origins, which is crucial for the correctness of the CORS middleware.
  • 470-496: The test cases for handling multiple origins with and without whitespace are comprehensive and effectively validate the middleware's behavior. It's good to see thorough testing around the changes made to the handling of AllowOrigins. This ensures that the middleware behaves as expected in different scenarios.
  • 693-727: The benchmark Benchmark_CORS_NewHandler is a valuable addition for assessing the performance implications of the changes made to the CORS middleware. It's important to monitor the performance impact of new features or refactors to ensure that the middleware remains efficient.
  • 730-763: Similarly, the benchmark Benchmark_CORS_NewHandlerPreflight focuses on preflight request handling, which is crucial for understanding the performance characteristics of the CORS middleware in such scenarios. Including benchmarks for both simple and preflight requests provides a comprehensive view of the middleware's performance.

middleware/cors/cors.go Show resolved Hide resolved
@sixcolors sixcolors requested a review from gaby February 27, 2024 23:31
Copy link
Member

@gaby gaby left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just two comments, besides that LGTM!

middleware/cors/cors_test.go Show resolved Hide resolved
@gaby gaby requested review from a team, ReneWerner87 and efectn and removed request for a team February 28, 2024 03:52
@gaby gaby changed the title fix(middleware/cors): cfg.AllowOrigins validation fix(middleware/cors): Validation of multiple Origins Feb 28, 2024
@gaby gaby added the v2 label Feb 28, 2024
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits Files that changed from the base of the PR and between b3c7a2c and a8cf4f0.
Files selected for processing (1)
  • middleware/cors/cors_test.go (3 hunks)
Files skipped from review as they are similar to previous changes (1)
  • middleware/cors/cors_test.go

@sixcolors
Copy link
Member Author

sixcolors commented Mar 1, 2024

@gaby! I have added some additional benchmarks to CORS middleware. I hope that these are the ones you were looking for.

Example results (averages, 4 runs):

Benchmark Iterations Nanoseconds per Op Bytes Allocated per Op Allocs per Op
Benchmark_CORS_NewHandler
- 24 2461773.25 488.475 ns/op 0 B/op 0 allocs/op
Benchmark_CORS_NewHandlerParallel
- 24 25237829.5 46.19 ns/op 0 B/op 0 allocs/op
Benchmark_CORS_NewHandlerSingleOrigin
- 24 2392461 499.1 ns/op 0 B/op 0 allocs/op
Benchmark_CORS_NewHandlerSingleOriginParallel
- 24 24952500.75 46.58 ns/op 0 B/op 0 allocs/op
Benchmark_CORS_NewHandlerWildcard
- 24 3557272.75 340.725 ns/op 0 B/op 0 allocs/op
Benchmark_CORS_NewHandlerWildcardParallel
- 24 36942249.5 32.025 ns/op 0 B/op 0 allocs/op
Benchmark_CORS_NewHandlerPreflight
- 24 789018.75 1496.25 ns/op 0 B/op 0 allocs/op
Benchmark_CORS_NewHandlerPreflightParallel
- 24 8957035.75 132.4 ns/op 0 B/op 0 allocs/op
Benchmark_CORS_NewHandlerPreflightSingleOrigin
- 24 812777.25 1436 ns/op 0 B/op 0 allocs/op
Benchmark_CORS_NewHandlerPreflightSingleOriginParallel
- 24 8901125 128.175 ns/op 0 B/op 0 allocs/op
Benchmark_CORS_NewHandlerPreflightWildcard
- 24 906358 1274.75 ns/op 0 B/op 0 allocs/op
Benchmark_CORS_NewHandlerPreflightWildcardParallel
- 24 9456178 113.725 ns/op 0 B/op 0 allocs/op

@gaby
Copy link
Member

gaby commented Mar 1, 2024

@sixcolors Did something change in v2?

github.com/gofiber/fiber/v2/middleware/monitor
cpu: AMD EPYC 7763 64-Core Processor                
Benchmark_Monitor-4   	--- FAIL: Benchmark_Monitor-4
    monitor_test.go:156: 
        Test:       Benchmark_Monitor
        Trace:      monitor_test.go:156
        Expect:     200     (int)
        Result:     404     (int)
FAIL
exit status 1
FAIL	

Yes, those benchmarks are excellent!

@sixcolors
Copy link
Member Author

@sixcolors Did something change in v2?

github.com/gofiber/fiber/v2/middleware/monitor
cpu: AMD EPYC 7763 64-Core Processor                
Benchmark_Monitor-4   	--- FAIL: Benchmark_Monitor-4
    monitor_test.go:156: 
        Test:       Benchmark_Monitor
        Trace:      monitor_test.go:156
        Expect:     200     (int)
        Result:     404     (int)
FAIL
exit status 1
FAIL	

Yes, those benchmarks are excellent!

Not that I noticed.... re-running.

@gaby
Copy link
Member

gaby commented Mar 1, 2024

@sixcolors Did something change in v2?

github.com/gofiber/fiber/v2/middleware/monitor
cpu: AMD EPYC 7763 64-Core Processor                
Benchmark_Monitor-4   	--- FAIL: Benchmark_Monitor-4
    monitor_test.go:156: 
        Test:       Benchmark_Monitor
        Trace:      monitor_test.go:156
        Expect:     200     (int)
        Result:     404     (int)
FAIL
exit status 1
FAIL	

Yes, those benchmarks are excellent!

Not that I noticed.... re-running.

Seems like another timming issue

@ReneWerner87 ReneWerner87 added this to the Next Release milestone Mar 1, 2024
@ReneWerner87 ReneWerner87 merged commit d456e7d into gofiber:v2 Mar 1, 2024
20 checks passed
@ReneWerner87 ReneWerner87 linked an issue Mar 1, 2024 that may be closed by this pull request
ReneWerner87 pushed a commit that referenced this pull request Mar 1, 2024
* fix: allow origins check

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

fixes #2882

* test: AllowOrigins with whitespace

* test(middleware/cors): add benchmarks

* chore: fix linter errors

* test(middleware/cors): use h() instead of app.Test()

* test(middleware/cors): add miltiple origins in Test_CORS_AllowOriginScheme

* chore: refactor validate and normalize

* test(cors/middleware): add more benchmarks

(cherry picked from commit d456e7d)
@ReneWerner87
Copy link
Member

code is also transferred to main(v3) branch 4ab8629

grivera64 pushed a commit to grivera64/fiber that referenced this pull request Mar 16, 2024
* fix: allow origins check

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

fixes gofiber#2882

* test: AllowOrigins with whitespace

* test(middleware/cors): add benchmarks

* chore: fix linter errors

* test(middleware/cors): use h() instead of app.Test()

* test(middleware/cors): add miltiple origins in Test_CORS_AllowOriginScheme

* chore: refactor validate and normalize

* test(cors/middleware): add more benchmarks

(cherry picked from commit d456e7d)
ReneWerner87 added a commit that referenced this pull request Mar 28, 2024
* Update pull_request_template.md

* Update v3-changes.md

* Update CONTRIBUTING.md (#2752)

Grammar correction.

* chore(encryptcookie)!: update default config (#2753)

* chore(encryptcookie)!: update default config

docs(encryptcookie): enhance documentation and examples

BREAKING CHANGE: removed the hardcoded "csrf_" from the Except.

* docs(encryptcookie): reads or modifies cookies

* chore(encryptcookie): csrf config example

* docs(encryptcookie): md table spacing

* build(deps): bump actions/setup-go from 4 to 5 (#2754)

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* 🩹 middleware/logger/: log client IP address by default (#2755)

* middleware/logger: Log client IP address by default.

* Update doc.

* fix: don't constrain middlewares' context-keys to strings 🐛 (#2751)

* Revert "Revert ":bug: requestid.Config.ContextKey is interface{} (#2369)" (#2742)"

This reverts commit 28be17f.

* fix: request ContextKey default value condition

Should check for `nil` since it is `any`.

* fix: don't constrain middlewares' context-keys to strings

`context` recommends using "unexported type" as context keys to avoid
collisions https://pkg.go.dev/github.com/gofiber/fiber/v2#Ctx.Locals.

The official go blog also recommends this https://go.dev/blog/context.

`fiber.Ctx.Locals(key any, value any)` correctly allows consumers to
use unexported types or e.g. strings.

But some fiber middlewares constrain their context-keys to `string` in
their "default config structs", making it impossible to use unexported
types.

This PR removes the `string` _constraint_ from all middlewares, allowing
to now use unexported types as per the official guidelines. However
the default value is still a string, so it's not a breaking change, and
anyone still using strings as context keys is not affected.

* 📚 Update app.md for indentation (#2761)

Update app.md for indentation

* build(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 (#2762)

Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](google/uuid@v1.4.0...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github/codeql-action from 2 to 3 (#2763)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v2...v3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Changing default log output (#2730)

changing default log output

Closes #2729

* Update hooks.md

fix wrong hooks signature

* 🩹 Fix: CORS middleware should use the defined AllowedOriginsFunc config when AllowedOrigins is empty (#2771)

* 🐛 [Bug]: Adaptator + otelfiber issue #2641 (#2772)

* 🩹🚨 - fix for redirect with query params (#2748)

* redirect with query params did not work, fix it and add test for it

* redirect middleware - fix test typo

* ♻️ logger/middleware colorize logger error message #2593 (#2773)

* ✨ feat: add liveness and readiness checks (#2509)

* ✨ feat: add liveness and readiness checkers

* 📝 docs: add docs for liveness and readiness

* ✨ feat: add options method for probe checkers

* ✅ tests: add tests for liveness and readiness

* ♻️ refactor: change default endpoint values

* ♻️ refactor: change default value for liveness endpoint

* 📝 docs: add return status for liveness and readiness probes

* ♻️ refactor: change probechecker to middleware

* 📝 docs: move docs to middleware session

* ♻️ refactor: apply gofumpt formatting

* ♻️ refactor: remove unused parameter

* split config and apply a review

* apply reviews and add testcases

* add benchmark

* cleanup

* rename middleware

* fix linter

* Update docs and config values

* Revert change to IsReady

* Updates based on code review

* Update docs to match other middlewares

---------

Co-authored-by: Muhammed Efe Cetin <[email protected]>
Co-authored-by: Juan Calderon-Perez <[email protected]>
Co-authored-by: Juan Calderon-Perez <[email protected]>

* prepare release v2.52.0
- add more Parser tests

* fix healthcheck.md

* configure workflows for V2 branch

* configure workflows for V2 branch

* Fix default value to false in docs of QueryBool (#2811)

fix default value to false in docs of QueryBool

* update queryParser config

* Update ctx.md

* Update routing.md

* 📚 Doc: Fix code snippet indentation in /docs/api/middleware/keyauth.md

Removes an an extra level of indentation in line 51 of
`keyauth.md` [here](https://github.com/gofiber/fiber/blob/v2/docs/api/middleware/keyauth.md?plain=1#L51)

* fix: healthcheck middleware not working with route group (#2863)

* fix: healthcheck middleware not working with route group

* perf: change verification method to improve perf

* Update healthcheck_test.go

* test: add not matching route test for strict routing

* add more test cases

* correct tests

* correct test helpers

* correct tests

* correct tests

---------

Co-authored-by: Juan Calderon-Perez <[email protected]>
Co-authored-by: René Werner <[email protected]>

* Merge pull request from GHSA-fmg4-x8pw-hjhg

* Enforce Wildcard Origins with AllowCredentials check

* Expand unit-tests, fix issues with subdomains logic, update docs

* Update cors.md

* Added test using localhost, ipv4, and ipv6 address

* improve documentation markdown

---------

Co-authored-by: René Werner <[email protected]>

* Update app.go

prepare release v2.52.1

* fix cors domain normalize

* fix sync-docs workflow

* fix sync-docs workflow

* fix(middleware/cors): Validation of multiple Origins (#2883)

* fix: allow origins check

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

fixes #2882

* test: AllowOrigins with whitespace

* test(middleware/cors): add benchmarks

* chore: fix linter errors

* test(middleware/cors): use h() instead of app.Test()

* test(middleware/cors): add miltiple origins in Test_CORS_AllowOriginScheme

* chore: refactor validate and normalize

* test(cors/middleware): add more benchmarks

* prepare release v2.52.2

* refactor(docs): deactivate docs sync for v2

* refactor(docs): deactivate docs sync for v2

* fix(middleware/cors): Handling and wildcard subdomain matching (#2915)

* fix: allow origins check

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

fixes #2882

* test: AllowOrigins with whitespace

* test(middleware/cors): add benchmarks

* chore: fix linter errors

* test(middleware/cors): use h() instead of app.Test()

* test(middleware/cors): add miltiple origins in Test_CORS_AllowOriginScheme

* chore: refactor validate and normalize

* test(cors/middleware): add more benchmarks

* fix(middleware/cors): handling and wildcard subdomain matching

docs(middleware/cors): add How it works and Security Considerations

* chore: grammar

* Apply suggestions from code review

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* chore: fix misspelling

* test(middleware/cors): combine Invalid_Origins tests

* refactor(middleware/cors): headers handling

* docs(middleware/cors): Update AllowOrigins description

* chore: merge

* perf(middleware/cors): optimize handler

* perf(middleware/cors): optimize handler

* chore(middleware/cors): ipdate origin handling logic

* chore(middleware/cors): fix header capitalization

* docs(middleware/cors): improve sercuity notes

* docs(middleware/cors): Improve security notes

* docs(middleware/cors): improve CORS overview

* docs(middleware/cors): fix ordering of how it works

* docs(middleware/cors): add additional info to How to works

* docs(middleware/cors): rm space

* docs(middleware/cors): add validation for AllowOrigins origins to overview

* docs(middleware/cors): update ExposeHeaders and MaxAge descriptions

* docs(middleware/cors): Add dynamic origin validation example

* docs(middleware/cors): Improve security notes and fix header capitalization

* docs(middleware/cors): configuration examples

* docs(middleware/cors): `"*"`

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix(middleware/cors): Categorize requests correctly (#2921)

* fix(middleware/cors): categorise requests correctly

* test(middleware/cors): improve test coverage for request types

* test(middleware/cors): Add subdomain matching tests

* test(middleware/cors): parallel tests for CORS headers based on request type

* test(middleware/cors): Add benchmark for CORS subdomain matching

* test(middleware/cors): cover additiona test cases

* refactor(middleware/cors): origin validation and normalization

* test(middleware/csrf): Fix Benchmark Tests (#2932)

* test(middleware/csrf): fix Benchmark_Middleware_CSRF_*

* fix(middleware/csrf): update refererMatchesHost()

* Prepare release v2.52.3

* fix(middleware/cors): CORS handling (#2937)

* fix(middleware/cors): CORS handling

* fix(middleware/cors): Vary header handling

* test(middleware/cors): Ensure Vary Headers checked

* fix(middleware/cors): Vary header handling non-cors OPTIONS requests (#2939)

* fix(middleware/cors): Vary header handling non-cors OPTIONS requests

* chore(middleware/cors): Add Vary header for non-CORS OPTIONS requests comment

* prepare release v2.52.4

* merge v2 in main(v3)

* merge v2 in main(v3)

* merge v2 in main(v3)

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: tokelo-12 <[email protected]>
Co-authored-by: Jason McNeil <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: iRedMail <[email protected]>
Co-authored-by: Benjamin Grosse <[email protected]>
Co-authored-by: Mehmet Firat KOMURCU <[email protected]>
Co-authored-by: Bruno <[email protected]>
Co-authored-by: Muhammad Kholid B <[email protected]>
Co-authored-by: gilwo <[email protected]>
Co-authored-by: Lucas Lemos <[email protected]>
Co-authored-by: Muhammed Efe Cetin <[email protected]>
Co-authored-by: Juan Calderon-Perez <[email protected]>
Co-authored-by: Juan Calderon-Perez <[email protected]>
Co-authored-by: Jongmin Kim <[email protected]>
Co-authored-by: Giovanni Rivera <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

🐛 [BUG]: CORS panic with AcceptOrigins with whitespace
3 participants