
Commit d9d79e9

authored
Merge pull request from GHSA-fgxv-gw55-r5fq
* fix: Authorization Bypass Through User-Controlled Key * chore: add not safe domain test
1 parent d953675 commit d9d79e9


2 files changed

+14
-3
lines changed


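--- a/rest/internal/cors/handlers.go
+++ b/rest/internal/cors/handlers.go
@@ -77,12 +77,18 @@ func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string
 }
 
 func isOriginAllowed(allows []string, origin string) bool {
-for _, o := range allows {
-if o == allOrigins {
+origin = strings.ToLower(origin)
+for _, allow := range allows {
+if allow == allOrigins {
 return true
 }
 
-if strings.HasSuffix(origin, o) {
+allow = strings.ToLower(allow)
+if origin == allow {
+return true
+}
+
+if strings.HasSuffix(origin, "."+allow) {
 return true
 }
 }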
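Review bot: The dot-bounded suffix check at new line 91 closes the `not-safe.com` match, but the comparison still runs against the raw Origin header, so an allow entry given as a bare host (`safe.com`, as in the new test) now matches only subdomain origins such as `http://api.safe.com` and no longer the exact origin `http://safe.com`, where the character before the host is `/` rather than `.`; the removed `strings.HasSuffix(origin, o)` did accept that origin, and whether the change is intended depends on how origins are configured, which the hunk does not show. Parsing the header with `url.Parse` and matching `u.Hostname()` against the entries would make scheme and port handling explicit instead of leaving it implicit in string suffixes. The new matching rule is also undocumented; a doc comment such as `// isOriginAllowed reports whether origin equals an allowed entry or ends in "."+entry (a subdomain); comparison is case-insensitive and allOrigins matches everything.` would let readers see the intended semantics. isOriginAllowed's body continues past the end of the hunk.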

Diff for: rest/internal/cors/handlers_test.go

+5
Original file line numberDiff line numberDiff line change
@@ -53,6 +53,11 @@ func TestCorsHandlerWithOrigins(t *testing.T) {
5353
origins: []string{"http://local", "http://remote"},
5454
reqOrigin: "http://another",
5555
},
56+
{
57+
name: "not safe origin",
58+
origins: []string{"safe.com"},
59+
reqOrigin: "not-safe.com",
60+
},
5661
}
5762

5863
methods := []string{
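Review bot: The new table entry only pins the negative case; the fix in handlers.go also introduced exact-match and case-insensitive matching, and nothing in this hunk exercises them, so a later regression there would go unnoticed. A companion positive case such as `{name: "subdomain origin", origins: []string{"safe.com"}, reqOrigin: "http://api.safe.com"}` and a mixed-case one like `reqOrigin: "http://API.Safe.com"` would lock the intended semantics in, assuming the table's expected-outcome field, which lies outside the hunk, can express an allowed result. The loop that consumes these cases and any expectation field are outside the hunk, so the exact shape of those entries needs confirming against the rest of TestCorsHandlerWithOrigins.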
