
🚀 [Feature]: stop dangerously bypassing the wildcard exception (CORS) #2338

Closed
3 tasks done
jub0bs opened this issue Feb 17, 2023 · 5 comments · Fixed by #2339

Comments

@jub0bs

jub0bs commented Feb 17, 2023

Feature Description

Fiber's CORS middleware actively bypasses the so-called wildcard exception: if developers configure their CORS middleware to allow credentials and specify the wildcard as an allowed origin, the resulting middleware unconditionally reflects the value of the request's Origin header in the Access-Control-Allow-Origin response header.

This is insecure insofar as it exposes users to cross-origin attacks that can be mounted from any origin.

For information, a similar issue was reported to (and subsequently fixed by) other Web frameworks/libraries:

Additional Context (optional)

Steps to reproduce

  1. Run mkdir wildcardcraziness && cd $_.
  2. Save the program below to main.go.
  3. Run go mod init whatever && go mod tidy.
  4. Run go run main.go.
  5. Run curl -sD - -o /dev/null -H "Origin: https://attacker.org" localhost:8081/hello.

Expected behaviour

Perhaps the following:

curl -sD - -o /dev/null \
  -H "Origin: https://attacker.org" \
  localhost:8081/hello
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
-snip-

Ideally, though, the resulting middleware should not be built at all, since it is dysfunctional. More about this in my latest blog post.

Actual behaviour

curl -sD - -o /dev/null \
  -H "Origin: https://attacker.org" \
  localhost:8081/hello
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://attacker.org
-snip-

Note the unconditional reflection of the request's Origin header value (https://attacker.org) in the Access-Control-Allow-Origin response header.

Code Snippet

package main

import (
	"log"

	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/cors"
)

func main() {
	app := fiber.New()
	app.Use(cors.New(cors.Config{
		AllowOrigins:     "*",
		AllowCredentials: true,
	}))
	app.Get("/hello", hello)
	if err := app.Listen(":8081"); err != nil {
		log.Fatal(err)
	}
}

func hello(c *fiber.Ctx) error {
	return c.SendString("Hello, World!")
}

Checklist:

  • I agree to follow Fiber's Code of Conduct.
  • I have checked for existing issues that describe my suggestion prior to opening this one.
  • I understand that improperly formatted feature requests may be closed without explanation.
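The fix the issue asks for, as an added example (not Fiber's code and not the reporter's): a hypothetical, minimal CORS allowlist that refuses to be built when "*" is combined with credentials and otherwise answers with either the literal "*" or an exact allowlist match, never the reflected Origin.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// corsPolicy is a hypothetical, minimal model of a CORS allowlist; not Fiber's code.
type corsPolicy struct{ allowOrigins []string }

var errWildcardWithCredentials = errors.New(
	`cors: AllowOrigins "*" with AllowCredentials true is dysfunctional; refusing to build`)

// newPolicy fails fast on the dysfunctional combination instead of silently
// "fixing" it by reflecting the request's Origin, which would allow any origin.
func newPolicy(allowOrigins string, allowCredentials bool) (*corsPolicy, error) {
	var origins []string
	for _, o := range strings.Split(allowOrigins, ",") {
		o = strings.TrimSpace(o)
		if o == "*" && allowCredentials {
			return nil, errWildcardWithCredentials
		}
		origins = append(origins, o)
	}
	return &corsPolicy{allowOrigins: origins}, nil
}

// allowOriginHeader returns the Access-Control-Allow-Origin value for a request
// carrying requestOrigin, or "" when the header must be omitted entirely.
func (p *corsPolicy) allowOriginHeader(requestOrigin string) string {
	for _, o := range p.allowOrigins {
		if o == "*" {
			return "*" // literal wildcard, never the reflected Origin
		}
		if o == requestOrigin {
			return requestOrigin // exact match against the allowlist
		}
	}
	return ""
}

func main() {
	_, err := newPolicy("*", true)
	fmt.Println("wildcard + credentials:", err)
	p, _ := newPolicy("https://example.com", true)
	fmt.Printf("allowlist, Origin https://attacker.org -> %q\n", p.allowOriginHeader("https://attacker.org"))
}
```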
@welcome

welcome bot commented Feb 17, 2023

Thanks for opening your first issue here! 🎉 Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

@ReneWerner87
Member

Thx for the report

@ryand67
Contributor

ryand67 commented Feb 18, 2023

I'd love to take a shot at this!

@leonklingele
Member

leonklingele commented Feb 18, 2023

Using a default config of AllowOrigins: "*" looks like something we definitely should try to avoid — imo even if we break v2 compatibility.

@li-jin-gou
Contributor

I'd love to take a shot at this!

Thanks, and I have already assigned you.

@ryand67 ryand67 mentioned this issue Feb 20, 2023
ryand67 added a commit to ryand67/fiber that referenced this issue Feb 20, 2023
@ReneWerner87 ReneWerner87 linked a pull request Feb 20, 2023 that will close this issue
ReneWerner87 pushed a commit that referenced this issue Feb 20, 2023
🐛- fix cors * behavior #2338