From fb24934ea2049b13a9044bf7dd7c6105812bd3c9 Mon Sep 17 00:00:00 2001 From: Sergey Beryozkin Date: Mon, 5 Dec 2022 15:17:09 +0000 Subject: [PATCH] Do not support any Origin by default if CORS is enabled --- .../src/test/resources/conf/cors-config.properties | 1 + .../io/quarkus/vertx/http/cors/CORSSecurityTestCase.java | 1 + .../vertx/http/cors/CORSWildcardSecurityTestCase.java | 1 + .../src/test/resources/conf/cors-config.properties | 1 + .../io/quarkus/vertx/http/runtime/cors/CORSConfig.java | 3 --- .../io/quarkus/vertx/http/runtime/cors/CORSFilter.java | 9 +++++++-- .../src/main/resources/application.properties | 1 + 7 files changed, 12 insertions(+), 5 deletions(-) diff --git a/extensions/reactive-routes/deployment/src/test/resources/conf/cors-config.properties b/extensions/reactive-routes/deployment/src/test/resources/conf/cors-config.properties index 6cc822b80597cb..10c86a915bd04c 100644 --- a/extensions/reactive-routes/deployment/src/test/resources/conf/cors-config.properties +++ b/extensions/reactive-routes/deployment/src/test/resources/conf/cors-config.properties @@ -1,3 +1,4 @@ quarkus.http.cors=true +quarkus.http.cors.origins=* # whitespaces added to test that they are not taken into account config is parsed quarkus.http.cors.methods=GET, OPTIONS, POST diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSSecurityTestCase.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSSecurityTestCase.java index 6b60a1b8ee6209..8117bf00dbd573 100644 --- a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSSecurityTestCase.java +++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSSecurityTestCase.java @@ -22,6 +22,7 @@ public class CORSSecurityTestCase { private static final String APP_PROPS = "" + "quarkus.http.cors=true\n" + + "quarkus.http.cors.origins=*\n" + "quarkus.http.cors.methods=GET, OPTIONS, POST\n" + "quarkus.http.auth.basic=true\n" + "quarkus.http.auth.policy.r1.roles-allowed=test\n" + diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSWildcardSecurityTestCase.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSWildcardSecurityTestCase.java index 0170bc71864842..0cbda431190ef3 100644 --- a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSWildcardSecurityTestCase.java +++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSWildcardSecurityTestCase.java @@ -22,6 +22,7 @@ public class CORSWildcardSecurityTestCase { private static final String APP_PROPS = "" + "quarkus.http.cors=true\n" + + "quarkus.http.cors.origins=*\n" + "quarkus.http.auth.basic=true\n" + "quarkus.http.auth.policy.r1.roles-allowed=test\n" + "quarkus.http.auth.permission.roles1.paths=/test\n" + diff --git a/extensions/vertx-http/deployment/src/test/resources/conf/cors-config.properties b/extensions/vertx-http/deployment/src/test/resources/conf/cors-config.properties index d9a2687cc383d8..c782455a09e726 100644 --- a/extensions/vertx-http/deployment/src/test/resources/conf/cors-config.properties +++ b/extensions/vertx-http/deployment/src/test/resources/conf/cors-config.properties @@ -1,4 +1,5 @@ quarkus.http.cors=true +quarkus.http.cors.origins=* # whitespaces added to test that they are not taken into account config is parsed quarkus.http.cors.methods=GET, OPTIONS, POST quarkus.http.cors.access-control-allow-credentials=true diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSConfig.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSConfig.java index d98820d59c099d..4b2a57fd22573a 100644 --- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSConfig.java +++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSConfig.java @@ -18,9 +18,6 @@ public class CORSConfig { * Comma separated list of valid URLs, e.g.: http://www.quarkus.io,http://localhost:3000 * In case an entry of the list is surrounded by forward slashes, * it is interpreted as a regular expression. - * The filter allows any origin if this is not set. - * - * default: returns any requested origin as valid */ @ConfigItem @ConvertWith(TrimmedStringConverter.class) diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java index 4a7fee1a14e4fb..fd6d5e8bbf48e2 100644 --- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java +++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java @@ -52,6 +52,10 @@ public static boolean isConfiguredWithWildcard(Optional> optionalLi return list.isEmpty() || (list.size() == 1 && "*".equals(list.get(0))); } + private static boolean isOriginConfiguredWithWildcard(List origins) { + return origins.size() == 1 && "*".equals(origins.get(0)); + } + /** * Parse the provided allowed origins for any regexes * @@ -175,8 +179,9 @@ public void handle(RoutingContext event) { processRequestedHeaders(response, requestedHeaders); } - boolean allowsOrigin = isConfiguredWithWildcard(corsConfig.origins) || corsConfig.origins.get().contains(origin) - || isOriginAllowedByRegex(allowedOriginsRegex, origin); + boolean allowsOrigin = !corsConfig.origins.isEmpty() + && (isOriginConfiguredWithWildcard(corsConfig.origins.get()) || corsConfig.origins.get().contains(origin) + || isOriginAllowedByRegex(allowedOriginsRegex, origin)); if (allowsOrigin) { response.headers().set(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin); diff --git a/integration-tests/oidc-code-flow/src/main/resources/application.properties b/integration-tests/oidc-code-flow/src/main/resources/application.properties index dece21ad567dde..b5a1b12c80a9b1 100644 --- a/integration-tests/oidc-code-flow/src/main/resources/application.properties +++ b/integration-tests/oidc-code-flow/src/main/resources/application.properties @@ -166,6 +166,7 @@ quarkus.http.auth.permission.post-logout.paths=/tenant-logout/post-logout quarkus.http.auth.permission.post-logout.policy=permit quarkus.http.cors=true +quarkus.http.cors.origins=* quarkus.http.auth.proactive=false quarkus.http.proxy.enable-forwarded-prefix=true quarkus.http.proxy.allow-forwarded=true