
Conversation


Copilot AI commented Jan 7, 2026

Description

The CORS middleware was performing case-insensitive null origin validation, accepting "NULL" and "Null" variants when only the lowercase literal "null" is valid per CORS specification. This creates a potential security issue as legitimate browsers always send lowercase "null".

Changes introduced

  • Security fix: Enforce case-sensitive null origin check using originHeaderRaw == "null" instead of lowercased originHeader
  • Test coverage: Added validation for non-lowercase null variants ("NULL", "Null") to ensure rejection
  • Test coverage: Added standalone wildcard "*" test case
  • Code clarity: Improved test structure with ExpectAllowed field and renamed test case from "NullOriginAllowed" to "NullOriginLowercase"
// Before: accepted "null", "NULL", "Null", etc.
originIsNull := originHeader == "null" // originHeader is lowercased

// After: only accepts "null"
originIsNull := originHeaderRaw == "null" // case-sensitive comparison
  • Documentation Update: No documentation changes required
  • Changelog/What's New: Security fix for CORS null origin validation
  • Migration Guide: No breaking changes
  • Examples: Existing CORS examples remain valid

Type of change

  • Code consistency (non-breaking change which improves code reliability and robustness)

Checklist

  • Conducted a self-review of the code and provided comments for complex or critical parts.
  • Added or updated unit tests to validate the effectiveness of the changes or new features.
  • Ensured that new and existing unit tests pass locally with the changes.
  • Aimed for optimal performance with minimal allocations in the new code.



Co-authored-by: gaby <835733+gaby@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix CORS origin validation in AllowOriginsFunc 🔒 security: Enforce case-sensitive null origin validation in CORS Jan 7, 2026
Copilot AI requested a review from gaby January 7, 2026 02:18
@codecov

codecov bot commented Jan 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.57%. Comparing base (4f83436) to head (5205e8e).
⚠️ Report is 13 commits behind head on add-cors-origin-validation-and-tests.

Additional details and impacted files
@@                           Coverage Diff                            @@
##           add-cors-origin-validation-and-tests    #3995      +/-   ##
========================================================================
+ Coverage                                 90.99%   91.57%   +0.58%     
========================================================================
  Files                                       119      119              
  Lines                                     10861    10271     -590     
========================================================================
- Hits                                       9883     9406     -477     
+ Misses                                      619      546      -73     
+ Partials                                    359      319      -40     
Flag: unittests    Coverage Δ: 91.57% <100.00%> (+0.58%) ⬆️


@gaby gaby marked this pull request as ready for review January 7, 2026 04:42
@gaby gaby requested a review from a team as a code owner January 7, 2026 04:42
@gaby gaby requested review from ReneWerner87, Copilot, efectn and sixcolors and removed request for a team January 7, 2026 04:42
@gaby gaby merged commit c6986fe into add-cors-origin-validation-and-tests Jan 7, 2026
18 of 19 checks passed
@gaby gaby deleted the copilot/sub-pr-3991 branch January 7, 2026 04:42

Copilot AI left a comment


Pull request overview

This PR addresses a security vulnerability in the CORS middleware where null origin validation was case-insensitive, potentially allowing malicious requests with non-standard "NULL" or "Null" variants. The fix enforces case-sensitive validation to only accept the spec-compliant lowercase "null".

Key Changes:

  • Changed null origin check from lowercased originHeader to case-sensitive originHeaderRaw
  • Added comprehensive test coverage for uppercase and mixed-case null variants to ensure rejection
  • Improved test structure with ExpectAllowed field for clearer intent

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Files reviewed:

  • middleware/cors/cors.go: Fixed null origin validation to use case-sensitive comparison with originHeaderRaw instead of lowercased originHeader
  • middleware/cors/cors_test.go: Added test cases for "NULL", "Null", and wildcard "*" origins, plus ExpectAllowed field for clearer test assertions

The implementation is correct and well-tested. The security fix properly addresses the vulnerability by ensuring only the lowercase literal "null" is accepted as a valid null origin, which aligns with the CORS specification and legitimate browser behavior. No issues were identified in this pull request.
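The before/after behaviour described in the PR description and in this review, as an added, self-contained model (not Fiber's middleware code): isNullOrigin reproduces both the lowercased and the case-sensitive check, and corsDecision is a hypothetical origin check that also shows why case-folding is still right for scheme/host matching but not for the "null" literal.

```go
package main

import (
	"fmt"
	"strings"
)

// isNullOrigin decides whether the Origin header denotes the opaque "null"
// origin. strict=false reproduces the behaviour the PR fixes (the header was
// lowercased before comparison); strict=true is the fixed, case-sensitive check.
func isNullOrigin(originHeaderRaw string, strict bool) bool {
	if strict {
		return originHeaderRaw == "null"
	}
	return strings.ToLower(originHeaderRaw) == "null"
}

// corsDecision models the origin check of a CORS middleware (hypothetical, not
// Fiber's implementation): an allow-list of origins, an allowNull switch for the
// null origin, and the strict flag passed to isNullOrigin. It returns whether the
// origin is allowed and the value that would be echoed in
// Access-Control-Allow-Origin.
func corsDecision(originHeaderRaw string, allowList []string, allowNull, strict bool) (bool, string) {
	if isNullOrigin(originHeaderRaw, strict) {
		if allowNull {
			return true, "null" // always the spec literal, never the raw spelling
		}
		return false, ""
	}
	for _, a := range allowList {
		// Scheme and host are case-insensitive (RFC 3986), so folding is
		// correct here; only the "null" literal must be matched exactly.
		if strings.EqualFold(a, originHeaderRaw) {
			return true, a
		}
	}
	return false, ""
}

func main() {
	allow := []string{"https://app.example"} // constructed allow-list
	for _, o := range []string{"null", "NULL", "Null", "https://APP.example", "*"} {
		before, _ := corsDecision(o, allow, true, false)
		after, _ := corsDecision(o, allow, true, true)
		fmt.Printf("%-22q before=%-5t after=%t\n", o, before, after)
	}
}
```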
