
java.lang.IllegalStateException: CORS Rejected - Invalid origin #21

Closed
carlos-sarmiento opened this issue Sep 25, 2023 · 9 comments · Fixed by #23

Comments

@carlos-sarmiento

I'm trying to use nassh with Traefik for reverse proxy and ssl termination. When I try to connect I get the following error:

Sep 25, 2023 5:58:44 AM io.vertx.ext.web.RoutingContext
SEVERE: Unhandled exception in router
java.lang.IllegalStateException: CORS Rejected - Invalid origin
        at io.vertx.ext.web.handler.impl.CorsHandlerImpl.handle(CorsHandlerImpl.java:252)
        at io.vertx.ext.web.handler.impl.CorsHandlerImpl.handle(CorsHandlerImpl.java:41)
        at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1286)
        at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:177)
        at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:144)
        at io.vertx.ext.web.impl.RouterImpl.handle(RouterImpl.java:68)
        at io.vertx.ext.web.impl.RouterImpl.handle(RouterImpl.java:37)
        at io.vertx.core.http.impl.Http1xServerRequestHandler.handle(Http1xServerRequestHandler.java:57)
        at io.vertx.core.http.impl.Http1xServerRequestHandler.handle(Http1xServerRequestHandler.java:30)
        at io.vertx.core.impl.EventLoopContext.emit(EventLoopContext.java:55)
        at io.vertx.core.impl.DuplicatedContext.emit(DuplicatedContext.java:179)
        at io.vertx.core.http.impl.Http1xServerConnection.handleMessage(Http1xServerConnection.java:174)
        at io.vertx.core.net.impl.ConnectionBase.read(ConnectionBase.java:159)
        at io.vertx.core.net.impl.VertxHandler.channelRead(VertxHandler.java:153)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:93)
        at io.netty.handler.codec.http.websocketx.extensions.WebSocketServerExtensionHandler.onHttpRequestChannelRead(WebSocketServerExtensionHandler.java:160)
        at io.netty.handler.codec.http.websocketx.extensions.WebSocketServerExtensionHandler.channelRead(WebSocketServerExtensionHandler.java:83)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:833)

I don't understand what kind of CORS validation is being done nor how to disable it. On the browser, requests receive a 403 error.

@carlos-sarmiento
Author

Managed to check the headers sent to Nassh

    "request_Accept": "*/*",
    "request_Accept-Encoding": "gzip, deflate, br",
    "request_Accept-Language": "en-US,en;q=0.9",
    "request_Origin": "chrome-extension://iodihamcpbpeioajjeobimgagajmlibd",
    "request_Sec-Ch-Ua": "\"Chromium\";v=\"116\", \"Not)A;Brand\";v=\"24\", \"Google Chrome\";v=\"116\"",
    "request_Sec-Ch-Ua-Mobile": "?0",
    "request_Sec-Ch-Ua-Platform": "\"macOS\"",
    "request_Sec-Fetch-Dest": "empty",
    "request_Sec-Fetch-Mode": "cors",
    "request_Sec-Fetch-Site": "cross-site",
    "request_User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
    "request_X-Forwarded-Host": "ssh.domain.com",
    "request_X-Forwarded-Port": "443",
    "request_X-Forwarded-Proto": "https",
    "request_X-Forwarded-Server": "73ba9440dfd4",
    "request_X-Real-Ip": "10.1.0.85",

@zyclonite
Owner

if you figured it out, you could post your configuration so others can profit from your findings

@carlos-sarmiento
Author

Oh, I have not fixed it at all :( I just added the headers that nassh is receiving to see if it helps with debugging.

@zyclonite
Owner

maybe it has something to do with CORS handled by the traefik layer? https://doc.traefik.io/traefik/middlewares/http/forwardauth/

@carlos-sarmiento
Author

Sorry for necro-ing this issue again, I haven't had time to look at it in detail. My issue remains even if I try to connect directly to the docker container using the exposed port (so no traefik in between); I get the same error.

I'm using the secure-shell chrome extension to connect, so I don't know if there is an issue with that. Do you mind sharing what you are using for the terminal? Could the issue be the chrome extension I am using?

@werdnum

werdnum commented Jan 15, 2024

The handler should be diverting into this branch of the if statement: https://github.com/vert-x3/vertx-web/blob/4.4.6/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/CorsHandlerImpl.java#L205

That it doesn't means that isValidOrigin(ORIGIN) must be returning false...

https://github.com/vert-x3/vertx-web/blob/4.4.6/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/CorsHandlerImpl.java#L268-L294

We create the object like so: https://github.com/zyclonite/nassh-relay/blob/main/src/main/java/net/zyclonite/nassh/MainVerticle.java#L45-L49

The problem is that when you call addRelativeOrigin(".*"), the call is actually ignored: https://github.com/vert-x3/vertx-web/blob/4.4.6/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/CorsHandlerImpl.java#L104-L107

That means that the CorsHandlerImpl is in its default state, so starOrigin() returns true: https://github.com/vert-x3/vertx-web/blob/4.4.6/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/CorsHandlerImpl.java#L61-L63

That means that the isValidOrigin function falls back on Origin.isValid: https://github.com/vert-x3/vertx-web/blob/4.4.6/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/CorsHandlerImpl.java#L270-L273

... which returns false if the protocol is chrome-extension: https://github.com/vert-x3/vertx-web/blob/4.4.6/vertx-web/src/main/java/io/vertx/ext/web/impl/Origin.java#L216-L223

I think you could create a pattern that isn't exactly .* but matches everything anyway, perhaps .addRelativeOrigin(".+") or something.
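To make the decision path described in the comment above concrete, here is an added example (my own simplified Python model, not Vert.x or nassh-relay code) that reproduces the behaviour as the comment lays it out: `".*"` is dropped, the handler stays in its star-origin state, and the fallback validator (modelled here as accepting only `http`/`https` origins with a host, an assumption) rejects the `chrome-extension://` origin from the header dump in this issue. It also shows that an exact-origin allowlist for the extension accepts the extension while still rejecting an unrelated origin, which a catch-all such as `".+"` does not.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed from the Origin header posted earlier in this issue.
EXTENSION_ORIGIN = "chrome-extension://iodihamcpbpeioajjeobimgagajmlibd"
# Exact-match allowlist pattern for that one extension origin.
ALLOWLIST_PATTERN = re.escape(EXTENSION_ORIGIN)
REJECT = "403 CORS Rejected - Invalid origin"


@dataclass
class CorsModel:
    """Simplified model (assumption, not Vert.x code) of the described logic."""
    patterns: List["re.Pattern[str]"] = field(default_factory=list)

    def add_relative_origin(self, pattern: str) -> "CorsModel":
        # As described in the thread: ".*" is treated as "allow everything"
        # and ignored, leaving the handler in its default (star-origin) state.
        if pattern != ".*":
            self.patterns.append(re.compile(pattern))
        return self

    def star_origin(self) -> bool:
        return not self.patterns

    @staticmethod
    def strict_origin_valid(origin: str) -> bool:
        # Modelled fallback validator: only http(s) origins with a host pass,
        # so a chrome-extension:// origin is rejected here.
        parts = urlsplit(origin)
        return parts.scheme in ("http", "https") and bool(parts.netloc)

    def is_valid_origin(self, origin: Optional[str]) -> bool:
        if origin is None:
            return True  # no Origin header, so not a CORS request
        if self.star_origin():
            return self.strict_origin_valid(origin)
        # Explicit patterns: the origin must match one of them in full.
        return any(p.fullmatch(origin) for p in self.patterns)


def decision(pattern: str, origin: str) -> str:
    """Outcome for one configured pattern and one request Origin."""
    handler = CorsModel().add_relative_origin(pattern)
    return "allow" if handler.is_valid_origin(origin) else REJECT
```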

@werdnum

werdnum commented Jan 15, 2024

(filed vert-x3/vertx-web#2556)

@tsegismont
Contributor

@zyclonite @werdnum I've sent #23 to fix the problem

@zyclonite
Owner

@carlos-sarmiento I released version 1.1.33, please have a look if your issue is fixed now
