aws-apigateway: Allowed origins for CORS preflight are treated as regular expressions

[cyraxx]

Describe the bug

The CDK constructs for API Gateway allow supplying multiple trusted origins to be used in the auto-generated OPTIONS method handlers for CORS preflight responses (CorsOptions interface).

The CORS specification only allows for a single origin in the response headers, so what CDK does in this case is generate a response template that modifies the response based on the origin that the client is requesting. It checks each of the supplied origins (beyond the first one) to see if it matches the Origin request header, and if it does, it sets the Access-Control-Allow-Origin response header to the origin that was supplied in the request.

However, this check treats the configured origin as a regular expression (the code in question). Therefore, if https://www.company.com has been configured as an allowed origin, an attacker could register the domain https://wwwxcompany.com. A crafted request from this origin will match the regular expression and the preflight request succeeds.

It's possible that this is intended behavior, however the documentation doesn't mention anything to that effect. It would also be inconsistent as it does not apply to the first specified origin, only additional ones.

Expected Behavior

Given an API Gateway resource configured with the CORS preflight origins "https://www.firstorigin.com", "https://www.secondorigin.com":

An OPTIONS request to the resource with a request header of Origin: https://wwwXsecondorigin.com should lead to a response header similar to Access-Control-Allow-Origin: https://www.firstorigin.com, i.e. not allowing the invalid origin from the request.

Current Behavior

The OPTIONS request leads to a response header of Access-Control-Allow-Origin: https://wwwXsecondorigin.com, signaling to the requesting browser that the requested origin from is valid.

Reproduction Steps

Create a POC stack such as:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as apigateway from 'aws-cdk-lib/aws-apigateway';

export class CorsPocStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    new apigateway.RestApi(this, 'api', {
      defaultCorsPreflightOptions: {
        allowOrigins: ['https://www.firstorigin.com', 'https://www.secondorigin.com'],
      }
    })
      .root
      .addResource('hello')
      .addMethod('GET', new apigateway.MockIntegration({}));
  }
}

Deploy the stack.

Call the CORS preflight method, e.g. using httpie:
http OPTIONS https://xxx.execute-api.xxx.amazonaws.com/prod/hello "Origin: https://wwwXsecondorigin.com"

Examine the response and see that it includes the header: Access-Control-Allow-Origin: https://wwwXsecondorigin.com

Possible Solution

Change $origin.matches("${o}") to $origin == "${o}"

Additional Information/Context

No response

CDK CLI Version

2.89.0 (build 2ad6683)

Framework Version

No response

Node.js Version

v20.2.0

OS

macOS

Language

Typescript

Language Version

TypeScript (5.1.6)

Other information

No response

[pahud]

Thank you for the call-out. Yes I can reproduce this behavior and we should fix that.

aws-cdk/packages/aws-cdk-lib/aws-apigateway/lib/resource.ts

Line 323 in 7b3d381

const condition = origins.map(o => `$origin.matches("${o}")`).join(' || ');

Are you interested to submit a PR for that?

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.