Skip to content

🐛 bug: validate wildcard CORS origins before matching#4438

Merged
ReneWerner87 merged 3 commits into
mainfrom
fix-cors-wildcard-subdomain-vulnerability
Jun 18, 2026
Merged

🐛 bug: validate wildcard CORS origins before matching#4438
ReneWerner87 merged 3 commits into
mainfrom
fix-cors-wildcard-subdomain-vulnerability

Conversation

@gaby

@gaby gaby commented Jun 18, 2026

Copy link
Copy Markdown
Member

Motivation

  • Prevent wildcard CORS rules like https://*.example.com from matching malformed Origin headers such as https://evil.com:any.example.com that are not valid serialized origins, which could be reflected in Access-Control-Allow-Origin when AllowCredentials is enabled.

Description

  • Ensure candidate request Origins are valid serialized origins by calling normalizeOrigin and requiring the normalized form to equal the raw Origin before applying the existing prefix/suffix subdomain matching in subdomain.match (changed in middleware/cors/utils.go).
  • Add a regression test asserting the malformed Origin https://evil.com:any.example.com does not match https://*.example.com (added to middleware/cors/utils_test.go).

Testing

  • Ran go test ./middleware/cors -run Test_CORS_SubdomainMatch -count=1, which passed (ok github.com/gofiber/fiber/v3/middleware/cors 0.019s).
  • Ran the repository checks: make generate, make betteralign, make format, make lint, and make test all completed successfully; make test ran the full suite (DONE 3643 tests, 1 skipped).
  • make audit reported failures from govulncheck targeting the installed Go standard library (25 vulnerabilities reported for the toolchain), causing make audit to fail; this is an environment/toolchain vulnerability report and not a regression in the patch itself.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: b40abd5a-9bd8-4522-a6d8-9a08539c55d2

📥 Commits

Reviewing files that changed from the base of the PR and between 3893e38 and d15e175.

📒 Files selected for processing (1)
  • middleware/cors/utils_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • middleware/cors/utils_test.go

Walkthrough

subdomain.match in middleware/cors/utils.go now calls normalizeOrigin on the candidate origin at the start of the function and returns false if normalization fails or the normalized result differs from the raw input. A new test case is added for the "https://evil.com:any.example.com" bypass vector.

Changes

CORS subdomain match normalization guard

Layer / File(s) Summary
Early normalizeOrigin guard and test
middleware/cors/utils.go, middleware/cors/utils_test.go
subdomain.match rejects origins that fail normalizeOrigin or whose normalized form differs from the input before any other matching logic runs. A new table-driven test case asserts that "https://evil.com:any.example.com" returns false.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Possibly related PRs

  • gofiber/fiber#3163: Modifies normalizeOrigin scheme validation in middleware/cors/utils.go, affecting the exact normalization behavior this PR depends on.
  • gofiber/fiber#3690: Also hardens subdomain.match and wildcard origin handling with boundary and normalization validation in middleware/cors.
  • gofiber/fiber#3168: Changes normalizeOrigin to no longer invalidate non-http/https schemes, directly affecting the validation path that this PR's early guard now relies on.

Suggested labels

☢️ Bug, v3, 📜 RFC Compliance

Suggested reviewers

  • efectn
  • ReneWerner87
  • sixcolors

Poem

🐇 A sneaky origin crept through the gate,
With a port-shaped disguise — oh, how it did frustrate!
But normalizeOrigin spotted the trick,
Returned a swift false and rejected it quick.
No evil.com shall slip past my warren today! 🛡️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title references validating wildcard CORS origins before matching, which directly aligns with the core security fix in the changeset.
Description check ✅ Passed The description provides clear motivation, implementation details, testing results, and addresses the security vulnerability comprehensively.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix-cors-wildcard-subdomain-vulnerability

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@ReneWerner87 ReneWerner87 added this to v3 Jun 18, 2026
@ReneWerner87 ReneWerner87 added this to the v3 milestone Jun 18, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@middleware/cors/utils_test.go`:
- Around line 206-211: The table-driven test in this file needs to be
parallelized according to repository guidelines. Add t.Parallel() at the start
of the parent test function that contains this subdomain test table, and also
add t.Parallel() as the first statement within the subtest callback passed to
t.Run(). This applies to the test function that defines the table containing the
test case with the "no match with malformed origin port before suffix" name.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: efae52bf-39de-4b2a-ab1c-e48f9d6d0156

📥 Commits

Reviewing files that changed from the base of the PR and between bd99055 and 1b961aa.

📒 Files selected for processing (2)
  • middleware/cors/utils.go
  • middleware/cors/utils_test.go

Comment thread middleware/cors/utils_test.go

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@middleware/cors/utils_test.go`:
- Around line 212-219: The test case entry for "no match with empty label before
suffix" is missing its opening brace, making the slice literal syntactically
invalid. Add an opening brace `{` before the `name` field of this test case
entry to properly define the struct literal. The entry contains fields `name`,
`sub` with subdomain prefix and suffix values, `origin`, and `expected`, so
ensure the opening brace is placed before `name` to correctly wrap the complete
test case definition.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 87da7c9b-d40c-4b1d-82b8-cde596e5ec37

📥 Commits

Reviewing files that changed from the base of the PR and between 1b961aa and 3893e38.

📒 Files selected for processing (2)
  • middleware/cors/utils.go
  • middleware/cors/utils_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • middleware/cors/utils.go

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@middleware/cors/utils_test.go`:
- Around line 212-219: The test case entry for "no match with empty label before
suffix" is missing its opening brace, making the slice literal syntactically
invalid. Add an opening brace `{` before the `name` field of this test case
entry to properly define the struct literal. The entry contains fields `name`,
`sub` with subdomain prefix and suffix values, `origin`, and `expected`, so
ensure the opening brace is placed before `name` to correctly wrap the complete
test case definition.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 87da7c9b-d40c-4b1d-82b8-cde596e5ec37

📥 Commits

Reviewing files that changed from the base of the PR and between 1b961aa and 3893e38.

📒 Files selected for processing (2)
  • middleware/cors/utils.go
  • middleware/cors/utils_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • middleware/cors/utils.go
🛑 Comments failed to post (1)
middleware/cors/utils_test.go (1)

212-219: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix malformed table entry that breaks compilation.

At Line 214, the next test case starts without an opening {, so the slice literal is syntactically invalid and causes the parser errors reported in CI.

Suggested patch
 		{
 			name:     "no match with malformed origin port before suffix",
 			sub:      subdomain{prefix: "https://", suffix: "example.com"},
 			origin:   "https://evil.com:any.example.com",
-      expected: false,
-    },
+			expected: false,
+		},
+		{
 			name:     "no match with empty label before suffix",
 			sub:      subdomain{prefix: "https://", suffix: "example.com"},
 			origin:   "https://foo..example.com",
 			expected: false,
 		},
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

			expected: false,
		},
		{
			name:     "no match with empty label before suffix",
			sub:      subdomain{prefix: "https://", suffix: "example.com"},
			origin:   "https://foo..example.com",
			expected: false,
		},
	}
🧰 Tools
🪛 GitHub Actions: Linter / 0_lint _ lint.txt

[error] 219-219: golangci-lint reported a syntax error: unexpected }, expected expression

🪛 GitHub Actions: Linter / lint _ lint

[error] 219-219: golangci-lint reported a syntax error: "unexpected }, expected expression" at utils_test.go:219:2.

🪛 GitHub Check: lint / lint

[failure] 219-219:
expected operand, found '}' (typecheck)


[failure] 219-219:
syntax error: unexpected }, expected expression

🪛 GitHub Check: unit (1.25.x, macos-latest)

[failure] 219-219:
expected operand, found '}'

🪛 GitHub Check: unit (1.25.x, ubuntu-latest)

[failure] 219-219:
expected operand, found '}'

🪛 GitHub Check: unit (1.25.x, windows-latest)

[failure] 219-219:
expected operand, found '}'

🪛 GitHub Check: unit (1.26.x, windows-latest)

[failure] 219-219:
expected operand, found '}'

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@middleware/cors/utils_test.go` around lines 212 - 219, The test case entry
for "no match with empty label before suffix" is missing its opening brace,
making the slice literal syntactically invalid. Add an opening brace `{` before
the `name` field of this test case entry to properly define the struct literal.
The entry contains fields `name`, `sub` with subdomain prefix and suffix values,
`origin`, and `expected`, so ensure the opening brace is placed before `name` to
correctly wrap the complete test case definition.

Source: Linters/SAST tools

@codecov

codecov Bot commented Jun 18, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.59%. Comparing base (bd99055) to head (d15e175).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4438   +/-   ##
=======================================
  Coverage   91.59%   91.59%           
=======================================
  Files         134      134           
  Lines       13515    13518    +3     
=======================================
+ Hits        12379    12382    +3     
  Misses        722      722           
  Partials      414      414           
Flag Coverage Δ
unittests 91.59% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ReneWerner87 ReneWerner87 merged commit 099802b into main Jun 18, 2026
20 checks passed
@ReneWerner87 ReneWerner87 deleted the fix-cors-wildcard-subdomain-vulnerability branch June 18, 2026 14:59
@github-project-automation github-project-automation Bot moved this to Done in v3 Jun 18, 2026
@ReneWerner87 ReneWerner87 removed this from the v3 milestone Jul 2, 2026
@ReneWerner87 ReneWerner87 added this to the v3.4.0 milestone Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

2 participants