From 7ff221732520ab15654d676e4c9ae87adc8dc4db Mon Sep 17 00:00:00 2001
From: Drew Noel
Date: Wed, 9 Nov 2022 18:11:28 -0500
Subject: [PATCH 1/4] Add configuration for CORS allowed headers

---
 custom/conf/app.example.ini | 3 +++
 docs/content/doc/advanced/config-cheat-sheet.en-us.md | 1 +
 modules/setting/cors.go | 2 ++
 routers/api/v1/api.go | 2 +-
 routers/web/web.go | 1 +
 5 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index b46dfc20a9696..de7459be289ba 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -1104,6 +1104,9 @@ ROUTER = console
 ;; allow request with credentials
 ;ALLOW_CREDENTIALS = false
 ;;
+;; headers to permit
+;HEADERS = Authorization,Content-Type,User-Agent
+;;
 ;; set X-FRAME-OPTIONS header
 ;X_FRAME_OPTIONS = SAMEORIGIN
 
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 28bcaf29afdcd..63ba1869a6b9b 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -167,6 +167,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
 - `MAX_AGE`: **10m**: max time to cache response
 - `ALLOW_CREDENTIALS`: **false**: allow request with credentials
+- `HEADERS`: **Authorization,Content-Type,User-Agent**: headers that are permitted in requests
 - `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
 
 ## UI (`ui`)
diff --git a/modules/setting/cors.go b/modules/setting/cors.go
index a843194ff981d..4a77d622f41a0 100644
--- a/modules/setting/cors.go
+++ b/modules/setting/cors.go
@@ -19,10 +19,12 @@ var CORSConfig = struct {
 Methods []string
 MaxAge time.Duration
 AllowCredentials bool
+ Headers []string
 XFrameOptions string
 }{
 Enabled: false,
 MaxAge: 10 * time.Minute,
+ Headers: []string{"Authorization", "X-Gitea-OTP"},
 XFrameOptions: "SAMEORIGIN",
 }
 
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 0d11674aa9971..92d9994cfd3d1 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -617,7 +617,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 // setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 AllowedMethods: setting.CORSConfig.Methods,
 AllowCredentials: setting.CORSConfig.AllowCredentials,
- AllowedHeaders: []string{"Authorization", "X-Gitea-OTP"},
+ AllowedHeaders: setting.CORSConfig.Headers,
 MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
 }))
 }
diff --git a/routers/web/web.go b/routers/web/web.go
index 48b33813c9a22..d0ee9c5eac0ca 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -67,6 +67,7 @@ func CorsHandler() func(next http.Handler) http.Handler {
 // setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 AllowedMethods: setting.CORSConfig.Methods,
 AllowCredentials: setting.CORSConfig.AllowCredentials,
+ AllowedHeaders: setting.CORSConfig.Headers,
 MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
 })
 }
From f4d687d3b3df7fb6f51e5eb6fa3e45f216571da9 Mon Sep 17 00:00:00 2001
From: Drew Noel
Date: Thu, 10 Nov 2022 07:15:39 -0500
Subject: [PATCH 2/4] Address feedback

---
 docs/content/doc/advanced/config-cheat-sheet.en-us.md | 2 +-
 modules/setting/cors.go | 2 +-
 routers/api/v1/api.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 63ba1869a6b9b..d9dccb8332cea 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
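Review bot: The new `Headers` field carries no doc comment, and nothing in this hunk shows how it is populated from the `[cors]` section — presumably the same `MapTo` that fills the other fields in `newCORSService`, which lies outside the hunk, so the `HEADERS` key name depends on that section's name mapper. Because the value ends up as the response's `Access-Control-Allow-Headers` list, the field is a security-relevant knob and deserves a line for the next maintainer: `// Headers lists request header names a cross-origin caller may send (Access-Control-Allow-Headers); keep it minimal, especially when AllowCredentials is set.` The struct declaration starts before the hunk.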
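Review bot: In the `routers/web/web.go` hunk, `AllowedHeaders: setting.CORSConfig.Headers` passes the package-level slice itself into the middleware, so any `append` the middleware performs on `AllowedHeaders` (the aliasing PATCH 4 later describes) can write into the shared backing array and alter `CORSConfig.Headers` for the API router and every later reader; I believe the cors package appends an `Origin` entry, but that is outside this page. Since `CorsHandler` runs once, a defensive copy is free: `AllowedHeaders: append([]string(nil), setting.CORSConfig.Headers...),`. PATCH 4 applies such a copy to `routers/api/v1/api.go` only, so the web router remains the uncopied instance. Note also that before this change the web handler set no `AllowedHeaders` at all; if the middleware substitutes its own default list when the option is empty, handing it an explicit list changes which headers web routes accept by default — worth confirming. `CorsHandler` begins before and continues after the hunk.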
@@ -167,7 +167,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
 - `MAX_AGE`: **10m**: max time to cache response
 - `ALLOW_CREDENTIALS`: **false**: allow request with credentials
-- `HEADERS`: **Authorization,Content-Type,User-Agent**: headers that are permitted in requests
+- `HEADERS`: **Content-Type,User-Agent**: additional headers that are permitted in requests
 - `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
 
 ## UI (`ui`)
diff --git a/modules/setting/cors.go b/modules/setting/cors.go
index 4a77d622f41a0..74ec6618a534e 100644
--- a/modules/setting/cors.go
+++ b/modules/setting/cors.go
@@ -24,7 +24,7 @@ var CORSConfig = struct {
 }{
 Enabled: false,
 MaxAge: 10 * time.Minute,
- Headers: []string{"Authorization", "X-Gitea-OTP"},
+ Headers: []string{"Content-Type", "User-Agent"},
 XFrameOptions: "SAMEORIGIN",
 }
 
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 92d9994cfd3d1..bce6e849171a2 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -617,7 +617,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 // setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 AllowedMethods: setting.CORSConfig.Methods,
 AllowCredentials: setting.CORSConfig.AllowCredentials,
- AllowedHeaders: setting.CORSConfig.Headers,
+ AllowedHeaders: append(setting.CORSConfig.Headers, "Authorization", "X-Gitea-OTP"),
 MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
 }))
 }
From 260893a22e65c736dc63b7899f7cfcd74144b8b5 Mon Sep 17 00:00:00 2001
From: Drew Noel
Date: Thu, 10 Nov 2022 07:22:35 -0500
Subject: [PATCH 3/4] Remove duplicate header from example

Co-authored-by: KN4CK3R
---
 custom/conf/app.example.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index de7459be289ba..815c8e1497bb1 100644
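Review bot: In the `routers/api/v1/api.go` hunk, the always-present `"Authorization"` and `"X-Gitea-OTP"` entries are the part an operator cannot remove through `HEADERS`, and the line does not say why, so a later cleanup could fold them into the configurable default and silently break cross-origin API authentication; a comment pins the intent: `// Authorization and X-Gitea-OTP are always allowed so token and OTP authentication of cross-origin API calls keeps working whatever [cors] HEADERS contains.` The cheat-sheet entry in this patch's first hunk calls the configured list "additional" without naming these fixed entries; either that line or the comment should name them so the documented allow list matches what the API actually emits. `Routes` begins before and ends after the hunk.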
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -1105,7 +1105,7 @@ ROUTER = console
 ;ALLOW_CREDENTIALS = false
 ;;
 ;; headers to permit
-;HEADERS = Authorization,Content-Type,User-Agent
+;HEADERS = Content-Type,User-Agent
 ;;
 ;; set X-FRAME-OPTIONS header
 ;X_FRAME_OPTIONS = SAMEORIGIN
From ec1ad4dd59d0facf6289031fa76f3583117618ef Mon Sep 17 00:00:00 2001
From: Drew Noel
Date: Thu, 10 Nov 2022 09:11:05 -0500
Subject: [PATCH 4/4] Prevent accidental slice clobbering in CORS header

Go's `append(...)` _may_ modify the first parameter. Since this original value is going to be used in multiple places, we should explicitly avoid that.

Co-authored-by: KN4CK3R
---
 routers/api/v1/api.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index bce6e849171a2..4b272708402ce 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -617,7 +617,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 // setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 AllowedMethods: setting.CORSConfig.Methods,
 AllowCredentials: setting.CORSConfig.AllowCredentials,
- AllowedHeaders: append(setting.CORSConfig.Headers, "Authorization", "X-Gitea-OTP"),
+ AllowedHeaders: append([]string{"Authorization", "X-Gitea-OTP"}, setting.CORSConfig.Headers...),
 MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
 }))
 }
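Review bot: The reason for putting the literal first lives only in the commit message; in the file the reordering reads as cosmetic and is exactly what a later tidy-up would revert, so the line itself should carry it: `// Build a fresh slice here: appending to setting.CORSConfig.Headers could grow its backing array in place and alter the shared setting.` The copy still lets an operator list `Authorization` or `X-Gitea-OTP` again in `HEADERS`, yielding a duplicate entry in the emitted allow list, which is harmless but would disappear if `newCORSService` normalized the setting once at load time instead of each consumer assembling it. `Routes` begins before and ends after the hunk.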