Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws-apigateway: Removal of wildcard matching from Allowed origins for CORS preflight was a breaking change #28445

Open
dlaudams opened this issue Dec 20, 2023 · 1 comment
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@dlaudams
Copy link

Describe the bug

The ability to match origins using regular expressions was removed with this change:

#26623

This causes a breaking change for Core origins relying on that behaviour.

A use case is matching a prefix/wildcard origin, for example, *.example.com -> /https:\/\/.+\.example\.com/

Expected Behavior

The ability to match wildcard origins.

e.g., https://*.example.com

https://github.com/aws/aws-cdk/blob/7264121edb10feca6d4c2bce359138deb62bdf79/packages/aws-cdk-lib/aws-apigateway/lib/resource.ts#L326C1-L326C76

Current Behavior

Only * wildcard or exact origins are allowed.

This prevents prefix matching of origins.

Reproduction Steps

const api = new apigw.RestApi(stack, 'cors-api-test', {
  defaultCorsPreflightOptions: {
    allowOrigins: ['https://*.amazon.com', 'https://twitch.tv'],
  },
});

Produces response template:

#set($origin = $input.params().header.get("Origin"))
#if($origin == "")
  #set($origin = $input.params().header.get("origin"))
#end
#if($origin == "https://*.amazon.com") || $origin == "https://twitch.tv")
  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)
#end'

Possible Solution

const condition = origins.map(wildcardPrefixToRegex).map(regex => `$origin.matches("${regex}")`).join(' || ');

...
function wildcardPrefixToRegex(glob) {
// replace '.' with '\.'
// replace '*' with '.+'
}

Produces response template:

#set($origin = $input.params().header.get("Origin"))
#if($origin == "")
  #set($origin = $input.params().header.get("origin"))
#end
#if($origin.matches("https://.+\.amazon\.com") || $origin.matches("https:\/\/twitch\.tv"))
  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)
#end'

Additional Information/Context

No response

CDK CLI Version

2.115.0 (build 58027ee)

Framework Version

No response

Node.js Version

v18.14.0.

OS

n/a

Language

TypeScript

Language Version

No response

Other information

No response

@dlaudams dlaudams added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 20, 2023
@github-actions github-actions bot added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Dec 20, 2023
@pahud
Copy link
Contributor

pahud commented Dec 22, 2023

We changed its behavior on #26648 because of potential security concern as it was never intended to work as a regex. We need to improve the document on it though.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug. effort/medium Medium work item – several days of effort p2
Projects
None yet
Development

No branches or pull requests

2 participants