

Do not support any Origin by default if CORS is enabled
sberyozkin committed Dec 6, 2022
1 parent 1f82dd9 commit cf3c09a
Showing 9 changed files with 16 additions and 7 deletions.
@@ -1,3 +1,4 @@
quarkus.http.cors=true
quarkus.http.cors.origins=*
# whitespaces added to test that they are not taken into account config is parsed
quarkus.http.cors.methods=GET, OPTIONS, POST
@@ -1 +1,2 @@
quarkus.http.cors=true
quarkus.http.cors=true
quarkus.http.cors.origins=*
Expand Up @@ -22,6 +22,7 @@ public class CORSSecurityTestCase {

private static final String APP_PROPS = "" +
"quarkus.http.cors=true\n" +
"quarkus.http.cors.origins=*\n" +
"quarkus.http.cors.methods=GET, OPTIONS, POST\n" +
"quarkus.http.auth.basic=true\n" +
"quarkus.http.auth.policy.r1.roles-allowed=test\n" +
Expand Up @@ -22,6 +22,7 @@ public class CORSWildcardSecurityTestCase {

private static final String APP_PROPS = "" +
"quarkus.http.cors=true\n" +
"quarkus.http.cors.origins=*\n" +
"quarkus.http.auth.basic=true\n" +
"quarkus.http.auth.policy.r1.roles-allowed=test\n" +
"quarkus.http.auth.permission.roles1.paths=/test\n" +
@@ -1,4 +1,5 @@
quarkus.http.cors=true
quarkus.http.cors.origins=*
# whitespaces added to test that they are not taken into account config is parsed
quarkus.http.cors.methods=GET, OPTIONS, POST
quarkus.http.cors.access-control-allow-credentials=true
Expand Up @@ -18,9 +18,6 @@ public class CORSConfig {
* Comma separated list of valid URLs, e.g.: http://www.quarkus.io,http://localhost:3000
* In case an entry of the list is surrounded by forward slashes,
* it is interpreted as a regular expression.
* The filter allows any origin if this is not set.
*
* default: returns any requested origin as valid
*/
@ConfigItem
@ConvertWith(TrimmedStringConverter.class)
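Review bot: The Javadoc for the origins property no longer says what happens when it is unset — the removed lines described the old permissive default, but nothing replaces them, and from the filter change in this same commit it appears an absent list now means no origin is allowed and no `Access-Control-Allow-Origin` header is emitted. That is exactly the behaviour change a user upgrading will trip over, so it should be stated where the old default was, e.g. `* If this property is not set, no origin is allowed; use '*' to allow any origin.` Because the filter echoes the requesting origin back rather than a literal `*`, it would also be worth a one-line warning here that `*` combined with `access-control-allow-credentials=true` grants credentialed access to every site. The `CORSConfig` class and the annotated field itself continue outside this hunk.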
Expand Up @@ -54,6 +54,10 @@ public static boolean isConfiguredWithWildcard(Optional<List<String>> optionalLi
return list.isEmpty() || (list.size() == 1 && "*".equals(list.get(0)));
}

private static boolean isOriginConfiguredWithWildcard(List<String> origins) {
return origins.size() == 1 && "*".equals(origins.get(0));
}

/**
* Parse the provided allowed origins for any regexes
*
Expand Down Expand Up @@ -178,8 +182,9 @@ public void handle(RoutingContext event) {
processRequestedHeaders(response, requestedHeaders);
}

boolean allowsOrigin = isConfiguredWithWildcard(corsConfig.origins) || corsConfig.origins.get().contains(origin)
|| isOriginAllowedByRegex(allowedOriginsRegex, origin);
boolean allowsOrigin = !corsConfig.origins.isEmpty()
&& (isOriginConfiguredWithWildcard(corsConfig.origins.get()) || corsConfig.origins.get().contains(origin)
|| isOriginAllowedByRegex(allowedOriginsRegex, origin));

if (allowsOrigin) {
response.headers().set(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
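Review bot: The new `isOriginConfiguredWithWildcard` and the pre-existing `isConfiguredWithWildcard` directly above it now disagree on what an empty list means — the old helper treats `list.isEmpty()` as wildcard, the new one (together with the `!corsConfig.origins.isEmpty()` guard in `handle`) treats absent or empty as "allow nothing" — and nothing in the code records that this is deliberate, so a later reader is likely to "fix" one to match the other. I would add above the new helper: `// Unlike isConfiguredWithWildcard(), an absent or empty origins list means "allow no origin"; only an explicit "*" opts into wildcard.` Separately, when `*` is configured the filter still writes the request's `Origin` value into `Access-Control-Allow-Origin` rather than the literal `*`, and one of the test configs in this commit pairs `origins=*` with `access-control-allow-credentials=true`; that combination grants credentialed cross-origin access to any site, so a startup warning or build-time failure for it seems warranted unless it is already handled in a part of the filter not shown here. `handle()` begins and ends outside this hunk.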
Expand Up @@ -166,6 +166,7 @@ quarkus.http.auth.permission.post-logout.paths=/tenant-logout/post-logout
quarkus.http.auth.permission.post-logout.policy=permit

quarkus.http.cors=true
quarkus.http.cors.origins=*
quarkus.http.auth.proactive=false
quarkus.http.proxy.enable-forwarded-prefix=true
quarkus.http.proxy.allow-forwarded=true
@@ -1,4 +1,5 @@
quarkus.http.cors=true
quarkus.http.cors.origins=*

quarkus.oidc.token-cache.max-size=3

Expand Down Expand Up @@ -116,4 +117,4 @@ quarkus.native.additional-build-args=-H:IncludeResources=.*\\.pem


quarkus.log.category."io.quarkus.oidc.runtime.CodeAuthenticationMechanism".min-level=TRACE
quarkus.log.category."io.quarkus.oidc.runtime.CodeAuthenticationMechanism".level=TRACE
quarkus.log.category."io.quarkus.oidc.runtime.CodeAuthenticationMechanism".level=TRACE
