Merge pull request from GHSA-fgxv-gw55-r5fq

* fix: Authorization Bypass Through User-Controlled Key * chore: add not safe domain test
zeromicro · Mar 4, 2023 · d9d79e9 · d9d79e9
1 parent d953675
commit d9d79e9
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/rest/internal/cors/handlers.go b/rest/internal/cors/handlers.go
@@ -77,12 +77,18 @@ func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string
 }
 
 func isOriginAllowed(allows []string, origin string) bool {
-	for _, o := range allows {
-		if o == allOrigins {
+	origin = strings.ToLower(origin)
+	for _, allow := range allows {
+		if allow == allOrigins {
 			return true
 		}
 
-		if strings.HasSuffix(origin, o) {
+		allow = strings.ToLower(allow)
+		if origin == allow {
+			return true
+		}
+
+		if strings.HasSuffix(origin, "."+allow) {
 			return true
 		}
 	}

diff --git a/rest/internal/cors/handlers_test.go b/rest/internal/cors/handlers_test.go
@@ -53,6 +53,11 @@ func TestCorsHandlerWithOrigins(t *testing.T) {
 			origins:   []string{"http://local", "http://remote"},
 			reqOrigin: "http://another",
 		},
+		{
+			name:      "not safe origin",
+			origins:   []string{"safe.com"},
+			reqOrigin: "not-safe.com",
+		},
 	}
 
 	methods := []string{