Skip to content

Commit

Permalink
Merge pull request #44054 from gsmet/fix-43736
Browse files Browse the repository at this point in the history 
Take regexps into account when setting access-control-allow-credentials
  • Loading branch information
@gsmet
gsmet authored Nov 25, 2024
2 parents 87e1d39 + cd28056 commit a3ce841
Show file tree
Hide file tree
Showing 5 changed files with 64 additions and 20 deletions.
12 changes: 8 additions & 4 deletions ...ons/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSRegexTestCase.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,8 @@ public void corsRegexValidOriginTest() {
.when()
.get("/test").then()
.statusCode(200)
.header("Access-Control-Allow-Origin", "https://asdf.domain.com");
.header("Access-Control-Allow-Origin", "https://asdf.domain.com")
.header("Access-Control-Allow-Credentials", "true");
}

@Test
Expand All @@ -31,7 +32,8 @@ public void corsRegexValidOrigin2Test() {
.when()
.get("/test").then()
.statusCode(200)
.header("Access-Control-Allow-Origin", "https://abc-123.app.mydomain.com");
.header("Access-Control-Allow-Origin", "https://abc-123.app.mydomain.com")
.header("Access-Control-Allow-Credentials", "true");
}

@Test
Expand All @@ -40,7 +42,8 @@ public void corsRegexInvalidOriginTest() {
.when()
.get("/test").then()
.statusCode(403)
.header("Access-Control-Allow-Origin", nullValue());
.header("Access-Control-Allow-Origin", nullValue())
.header("Access-Control-Allow-Credentials", nullValue());
}

@Test
Expand All @@ -49,6 +52,7 @@ public void corsRegexInvalidOrigin2Test() {
.when()
.get("/test").then()
.statusCode(403)
.header("Access-Control-Allow-Origin", nullValue());
.header("Access-Control-Allow-Origin", nullValue())
.header("Access-Control-Allow-Credentials", nullValue());
}
}
27 changes: 27 additions & 0 deletions ...x-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSRegexWildcardTestCase.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
package io.quarkus.vertx.http.cors;

import static io.restassured.RestAssured.given;

import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;

import io.quarkus.test.QuarkusUnitTest;

public class CORSRegexWildcardTestCase {

@RegisterExtension
static QuarkusUnitTest runner = new QuarkusUnitTest()
.withApplicationRoot((jar) -> jar
.addClasses(BeanRegisteringRoute.class)
.addAsResource("conf/cors-regex-wildcard.properties", "application.properties"));

@Test
public void corsRegexValidOriginTest() {
given().header("Origin", "https://asdf.domain.com")
.when()
.get("/test").then()
.statusCode(200)
.header("Access-Control-Allow-Origin", "https://asdf.domain.com")
.header("Access-Control-Allow-Credentials", "false");
}
}
26 changes: 16 additions & 10 deletions ...ttp/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSWildcardSecurityTestCase.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,8 @@ public void corsPreflightTest() {
.statusCode(200)
.header("Access-Control-Allow-Origin", origin)
.header("Access-Control-Allow-Methods", methods)
.header("Access-Control-Allow-Headers", headers);
.header("Access-Control-Allow-Headers", headers)
.header("Access-Control-Allow-Credentials", "false");

given().header("Origin", origin)
.header("Access-Control-Request-Method", methods)
Expand All @@ -68,7 +69,8 @@ public void corsPreflightTest() {
.statusCode(200)
.header("Access-Control-Allow-Origin", origin)
.header("Access-Control-Allow-Methods", methods)
.header("Access-Control-Allow-Headers", headers);
.header("Access-Control-Allow-Headers", headers)
.header("Access-Control-Allow-Credentials", "false");

given().header("Origin", origin)
.header("Access-Control-Request-Method", methods)
Expand All @@ -79,7 +81,8 @@ public void corsPreflightTest() {
.statusCode(200)
.header("Access-Control-Allow-Origin", origin)
.header("Access-Control-Allow-Methods", methods)
.header("Access-Control-Allow-Headers", headers);
.header("Access-Control-Allow-Headers", headers)
.header("Access-Control-Allow-Credentials", "false");

given().header("Origin", origin)
.header("Access-Control-Request-Method", methods)
Expand All @@ -90,41 +93,44 @@ public void corsPreflightTest() {
.statusCode(200)
.header("Access-Control-Allow-Origin", origin)
.header("Access-Control-Allow-Methods", methods)
.header("Access-Control-Allow-Headers", headers);
.header("Access-Control-Allow-Headers", headers)
.header("Access-Control-Allow-Credentials", "false");
}

@Test
@DisplayName("Handles a direct CORS request correctly")
public void corsNoPreflightTest() {
String origin = "http://custom.origin.quarkus";
String methods = "GET, POST";
String headers = "X-Custom";
given().header("Origin", origin)
.when()
.get("/test").then()
.statusCode(401)
.header("Access-Control-Allow-Origin", origin);
.header("Access-Control-Allow-Origin", origin)
.header("Access-Control-Allow-Credentials", "false");

given().header("Origin", origin)
.when()
.auth().basic("test", "test")
.get("/test").then()
.statusCode(200)
.header("Access-Control-Allow-Origin", origin)
.body(Matchers.equalTo("test:/test"));
.body(Matchers.equalTo("test:/test"))
.header("Access-Control-Allow-Credentials", "false");

given().header("Origin", origin)
.when()
.auth().basic("test", "wrongpassword")
.get("/test").then()
.statusCode(401)
.header("Access-Control-Allow-Origin", origin);
.header("Access-Control-Allow-Origin", origin)
.header("Access-Control-Allow-Credentials", "false");

given().header("Origin", origin)
.when()
.auth().basic("user", "user")
.get("/test").then()
.statusCode(403)
.header("Access-Control-Allow-Origin", origin);
.header("Access-Control-Allow-Origin", origin)
.header("Access-Control-Allow-Credentials", "false");
}
}
2 changes: 2 additions & 0 deletions extensions/vertx-http/deployment/src/test/resources/conf/cors-regex-wildcard.properties
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
quarkus.http.cors=true
quarkus.http.cors.origins=/.*/
17 changes: 11 additions & 6 deletions ...sions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,13 @@ public static boolean isConfiguredWithWildcard(Optional<List<String>> optionalLi
}

private static boolean isOriginConfiguredWithWildcard(Optional<List<String>> origins) {
return !origins.isEmpty() && origins.get().size() == 1 && "*".equals(origins.get().get(0));
if (origins.isEmpty() || origins.get().size() != 1) {
return false;
}

String origin = origins.get().get(0);

return "*".equals(origin) || "/.*/".equals(origin);
}

/**
Expand Down Expand Up @@ -140,11 +146,11 @@ public void handle(RoutingContext event) {

//for both normal and preflight requests we need to check the origin
boolean allowsOrigin = wildcardOrigin;
boolean originMatches = !wildcardOrigin && corsConfig.origins.isPresent() &&
(corsConfig.origins.get().contains(origin) || isOriginAllowedByRegex(allowedOriginsRegex, origin));
if (!allowsOrigin) {
if (corsConfig.origins.isPresent()) {
allowsOrigin = corsConfig.origins.get().contains(origin)
|| isOriginAllowedByRegex(allowedOriginsRegex, origin)
|| isSameOrigin(request, origin);
allowsOrigin = originMatches || isSameOrigin(request, origin);
} else {
allowsOrigin = isSameOrigin(request, origin);
}
Expand All @@ -154,8 +160,7 @@ public void handle(RoutingContext event) {
response.setStatusCode(403);
response.setStatusMessage("CORS Rejected - Invalid origin");
} else {
boolean allowCredentials = corsConfig.accessControlAllowCredentials
.orElse(corsConfig.origins.isPresent() && corsConfig.origins.get().contains(origin));
boolean allowCredentials = corsConfig.accessControlAllowCredentials.orElse(originMatches);
response.headers().set(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, String.valueOf(allowCredentials));
response.headers().set(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
}
Expand Down

0 comments on commit a3ce841

Please sign in to comment.