
fix(middleware/cors): Handling and wildcard subdomain matching #2915

Merged: 34 commits merged into v2 from fix-cors-allow-origins on Mar 17, 2024

Conversation


@sixcolors sixcolors commented Mar 11, 2024

PR Description

Summary of Changes

This pull request enhances the CORS middleware in the Fiber web framework by introducing improved origin matching, subdomain support, and comprehensive documentation updates.

Changes Made

  1. Origin Matching Improvements:

    • Refactored the utils.validateDomain function to handle wildcard subdomain patterns more accurately.
    • Added tests to ensure correct validation of various origin patterns.
  2. Subdomain Support:

    • Modified the CORS middleware to support subdomain matching for the AllowOrigins configuration.
    • Added tests to verify the behavior of subdomain matching.
  3. Documentation Updates:

    • Added detailed documentation explaining how the CORS middleware works, including the handling of different AllowOrigins configurations.
    • Highlighted security considerations and best practices to avoid potential vulnerabilities.
    • Included information on handling misconfigurations related to wildcard origins and credentials.
    • Updated the documentation to reflect changes in the middleware's behavior.
  4. Improved CORS Handling:

    • Introduced the setCORSHeaders function to streamline the management of common behaviors in both simple and pre-flight requests.
    • Restructured the handler function to consistently apply CORS rules through the newly added setCORSHeaders function.

How It Works Section

  • Added a new section in the documentation explaining the functionality of the CORS middleware.
  • Described the process of adding CORS headers to responses based on the configuration.
  • Clarified the handling of preflight requests and the dynamic evaluation of allowed origins.

Security Considerations Section

  • Introduced a section emphasizing security considerations when configuring CORS.
  • Highlighted potential risks of allowing all origins, credentials exposure, and exposing sensitive headers.
  • Provided guidance on proper configurations to mitigate security threats.

Testing Updates

  • Expanded test coverage to include scenarios related to subdomains, origin validation, and wildcard patterns.
  • Added tests for improved coverage of the CORS middleware.

Notes for Reviewers

  • Please review the changes made to the utils.validateDomain function and ensure accuracy in handling wildcard subdomain patterns.
  • Verify the correctness of the subdomain matching behavior in the CORS middleware.
  • Verify the correctness of the middleware behavior when making simple requests.
  • Thoroughly review the documentation updates for clarity, completeness, and adherence to best practices.
    • This targets the v2 branch; we will also need to cherry-pick and merge into v3/main.

This pull request aims to enhance the functionality, security, and documentation of the CORS middleware in Fiber. Your feedback and suggestions are highly appreciated.

Commits

fix(middleware/cors): handling and wildcard subdomain matching
docs(middleware/cors): add 'How it works' and 'Security Considerations'
chore: grammar
chore: fix misspelling
test(middleware/cors): combine Invalid_Origins tests
refactor(middleware/cors): headers handling

Summary by CodeRabbit

  • New Features
    • Enhanced CORS middleware support including subdomain matching and dynamic origin evaluation.
  • Bug Fixes
    • Corrected Access-Control-Allow-Origin header handling based on AllowCredentials.
  • Refactor
    • Improved CORS middleware code organization with a new function for setting headers.
  • Tests
    • Added and adjusted tests for various CORS configurations and scenarios.
  • Documentation
    • Updated CORS middleware documentation with security considerations and configuration guidance.

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

fixes #2882
docs(middleware/cors): add How it works and Security Considerations

coderabbitai bot commented Mar 11, 2024


Commits Files that changed from the base of the PR and between cc8c559 and 87e7cad.

Walkthrough

These updates enhance the CORS middleware by improving subdomain matching, refining method handling, and introducing dynamic origin evaluation. Emphasis on security is evident through caution against wildcard origins with credentials and the careful exposure of headers. Code organization benefits from the separation of concerns, specifically in setting CORS headers, while tests ensure robustness against invalid origins and verify correct header behavior.

Changes

Files Summary
docs/api/middleware/cors.md Enhanced AllowOrigins support, refined AllowMethods, added AllowOriginsFunc, and security considerations.
middleware/cors/cors.go Adjusted Access-Control-Allow-Origin handling, added warnings for unsafe configurations, and improved code organization with setCORSHeaders function.
middleware/cors/cors_test.go Extended tests for origin handling, including invalid patterns, subdomain matching, and header verification.
middleware/cors/utils.go Improved wildcard subdomain handling and added checks against wildcards with protocols.

"In the world of code, where changes abound, 🌍
A rabbit hopped in, with updates profound. 🐰
CORS now refined, with security tight,
Subdomains and methods, now perfectly right. 🛠️
Let's celebrate the code, so cleverly penned,
For a web that's more secure, in the end. 🎉"
~ @coderabbitai


@coderabbitai coderabbitai bot left a comment

Review Status

Actionable comments generated: 3

Configuration used: CodeRabbit UI

Commits: Files that changed from the base of the PR and between d2b19e2 and af930bd.
Files selected for processing (5)
  • docs/api/middleware/cors.md (2 hunks)
  • middleware/cors/cors.go (2 hunks)
  • middleware/cors/cors_test.go (6 hunks)
  • middleware/cors/utils.go (2 hunks)
  • middleware/cors/utils_test.go (1 hunks)
Additional comments: 10
middleware/cors/utils.go (2)
  • 27-33: The implementation for handling wildcard subdomain patterns in validateDomain looks correct. It properly checks if the domain matches the pattern by trimming the leading dot from the pattern and then checking if the domain ends with the trimmed pattern prefixed by a dot. This approach effectively supports wildcard subdomain matching.
  • 70-76: The addition of a check in normalizeOrigin to disallow wildcards with a protocol is a crucial security measure. It prevents the misuse of wildcards in origins, which could lead to security vulnerabilities. This change aligns with the objective of enhancing security in the CORS middleware.
middleware/cors/cors.go (1)
  • 206-209: The logic to handle the Access-Control-Allow-Origin header when AllowCredentials is true and AllowOrigins is set to '*' has been updated. This change correctly addresses the security concern of using a wildcard origin with credentials. However, it's important to ensure that this warning is visible to developers during the configuration phase to prevent misconfiguration.
Verification successful

The warning log regarding the insecure setup of 'AllowCredentials' being true while 'AllowOrigins' is set to a wildcard is effectively visible to developers during the configuration phase, as indicated by the presence of a panic in middleware/cors/cors.go. This ensures immediate awareness and prevention of misconfiguration related to CORS policies.

Scripts Executed

The following scripts were executed for the analysis:


Script:

#!/bin/bash
# Verify that the warning log is effectively visible to developers during configuration
rg --type go --context 5 "Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard."

Length of output: 844

middleware/cors/utils_test.go (1)
  • 94-101: The updates to the validateOrigin function's test cases improve the coverage for wildcard subdomain matching and TLD comparisons. These changes ensure that the behavior of origin validation is correctly tested, especially in scenarios involving wildcard subdomains and different TLDs. It's important to ensure that these test cases cover all relevant scenarios to maintain the robustness of the CORS middleware.
docs/api/middleware/cors.md (3)
  • 73-79: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [9-9]

In the context of parsing AllowOrigins, the term is correctly used as a variable name and should not be split into two words. However, the use of "matching" in "matching allowed origin" is correct as it is, indicating that the origin being checked matches one of the allowed origins. No change is necessary here.

  • 76-76: The documentation now specifies that AllowOrigins supports subdomain matching with a syntax like "https://.example.com". This is a significant enhancement for flexibility in CORS policy configuration. Ensure that examples or additional guidance on using this feature responsibly, considering the security implications, are provided to help developers avoid common pitfalls.
  • 131-151: The "Security Considerations" section is crucial for guiding developers in configuring CORS policies securely. It's well-explained, emphasizing the risks associated with allowing all origins, credentials, and exposing headers. However, it might be beneficial to include examples or more detailed explanations of how these configurations can lead to security vulnerabilities, providing developers with a clearer understanding of the risks and how to mitigate them.
middleware/cors/cors_test.go (3)
  • 195-231: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [228-242]

The updates to Test_CORS_Subdomain correctly implement and verify the enhanced subdomain matching functionality. The test cases for both allowed and disallowed origins are well-constructed and align with the PR's objectives.

  • 277-298: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [280-325]

The expanded test cases in Test_CORS_AllowOriginScheme provide comprehensive coverage of various scenarios, including different schemes, subdomains, and port numbers. These additions ensure the CORS middleware's enhanced functionality is thoroughly tested.

  • 367-393: The addition of Test_CORS_AllowOriginHeader_NoMatch correctly verifies the behavior of the CORS middleware when no allowed origins match the request's origin. This test enhances the middleware's test coverage and ensures its reliability.
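To make the behaviour discussed in the PR description and in the review comments above concrete (the whitespace trimming and url.Parse failure described in the first commit message, the "*." subdomain rule and the rejection of scheme-only wildcards from the utils.go comments, and the Access-Control-Allow-Origin decision under AllowCredentials from the cors.go comment), here is an added, self-contained Go example. It is not Fiber's code: the functions normalizeOrigin, matchOrigin, compile and allowOriginHeader, the Config type, and the rules that a subdomain pattern's scheme and port must agree with the request origin and that nested subdomains match, are this example's own assumptions; the middleware itself panics on bad configuration where this example returns an error.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Added example, not Fiber's code. Function names and rules are assumptions
// made for illustration; they mirror the behaviour the PR describes.

// normalizeOrigin trims surrounding whitespace from one configured origin and
// returns it as scheme://host[:port]. It reports false for anything that is
// not a bare "*", a parseable absolute origin, or a "scheme://*.base" pattern.
func normalizeOrigin(raw string) (string, bool) {
	raw = strings.TrimSpace(raw) // " https://a.com " is a config typo, not an invalid origin
	if raw == "*" {
		return "*", true
	}
	u, err := url.Parse(raw) // fails for whitespace inside the URL, e.g. "https://exa mple.com"
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", false
	}
	// A wildcard with a scheme but no base domain ("https://*") is rejected;
	// the only wildcard form kept is a single leading "*." plus a base host.
	if strings.Contains(u.Host, "*") {
		if !strings.HasPrefix(u.Host, "*.") || strings.Count(u.Host, "*") != 1 || len(u.Host) == 2 {
			return "", false
		}
	}
	return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host), true
}

// matchOrigin reports whether a request Origin satisfies one normalized
// pattern. "*" matches everything; exact patterns must match fully; a
// "scheme://*.base" pattern matches hosts ending in ".base" (the dot is kept,
// so "evilexample.com" cannot pass for "*.example.com"), never the bare base
// host, and only when scheme and port agree with the pattern.
func matchOrigin(origin, pattern string) bool {
	if pattern == "*" {
		return true
	}
	norm, ok := normalizeOrigin(origin)
	if !ok || strings.Contains(norm, "*") {
		return false // a request origin never carries a wildcard
	}
	if norm == pattern {
		return true
	}
	pu, err := url.Parse(pattern)
	if err != nil || !strings.HasPrefix(pu.Host, "*.") {
		return false
	}
	ou, _ := url.Parse(norm) // already validated by normalizeOrigin
	if ou.Scheme != pu.Scheme || ou.Port() != pu.Port() {
		return false
	}
	suffix := pu.Hostname()[1:] // "*.example.com" -> ".example.com"
	host := ou.Hostname()
	return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
}

// Config is the subset of CORS settings this example needs.
type Config struct {
	AllowOrigins     []string // raw entries as configured
	AllowCredentials bool
}

// ErrWildcardWithCredentials mirrors the misconfiguration the middleware
// refuses at startup: "*" together with credentials.
var ErrWildcardWithCredentials = errors.New("cors: AllowCredentials=true cannot be combined with AllowOrigins \"*\"")

// compile normalizes every configured origin once, failing on invalid entries
// (the middleware panics here; this example returns an error instead).
func compile(cfg Config) ([]string, error) {
	patterns := make([]string, 0, len(cfg.AllowOrigins))
	for _, raw := range cfg.AllowOrigins {
		p, ok := normalizeOrigin(raw)
		if !ok {
			return nil, fmt.Errorf("cors: invalid AllowOrigins entry %q", raw)
		}
		if p == "*" && cfg.AllowCredentials {
			return nil, ErrWildcardWithCredentials
		}
		patterns = append(patterns, p)
	}
	return patterns, nil
}

// allowOriginHeader returns the value for Access-Control-Allow-Origin, or ""
// when the header must be omitted. A matched "*" pattern is returned literally
// only without credentials; otherwise the specific origin is echoed, which is
// what browsers require when credentials are involved.
func allowOriginHeader(patterns []string, allowCredentials bool, origin string) string {
	for _, p := range patterns {
		if !matchOrigin(origin, p) {
			continue
		}
		if p == "*" && !allowCredentials {
			return "*"
		}
		norm, _ := normalizeOrigin(origin)
		return norm
	}
	return ""
}

func main() {
	// Constructed configuration: note the stray whitespace around the first entry.
	cfg := Config{AllowOrigins: []string{" https://*.example.com ", "https://admin.example.org"}, AllowCredentials: true}
	patterns, err := compile(cfg)
	if err != nil {
		panic(err)
	}
	for _, o := range []string{"https://api.example.com", "https://example.com", "https://evilexample.com", "http://api.example.com"} {
		fmt.Printf("%-28s -> %q\n", o, allowOriginHeader(patterns, cfg.AllowCredentials, o))
	}
}
```

Running the block prints an echoed origin only for https://api.example.com; the bare base domain, the look-alike evilexample.com and the http scheme all get an empty value, meaning the header is omitted and the browser blocks the response.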

sixcolors and others added 3 commits March 11, 2024 13:40
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@coderabbitai coderabbitai bot left a comment

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits: Files that changed from the base of the PR and between af930bd and 03e09c9.
Files selected for processing (1)
  • middleware/cors/cors_test.go (6 hunks)
Additional comments: 4
middleware/cors/cors_test.go (4)
  • 198-219: The addition of Test_CORS_Invalid_Origin_URL_Panic effectively tests for panic with an invalid origin URL pattern, ensuring robustness against misconfigurations. This aligns well with the PR's objectives to enhance security.
  • 195-231: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [228-242]

The update to Test_CORS_Subdomain with a more specific subdomain pattern in AllowOrigins is a good enhancement, testing the improved wildcard subdomain matching functionality.

Also applies to: 242-242

  • 280-280: The adjustments and additions to Test_CORS_AllowOriginScheme enhance the test coverage for different origin schemes and patterns, aligning with the PR's objectives to refine CORS policy handling.

Also applies to: 285-285, 290-290, 295-295, 305-305, 310-310, 320-320, 325-325

  • 367-393: The addition of Test_CORS_AllowOriginHeader_NoMatch effectively tests the correct behavior when no origin match is found, ensuring the CORS middleware enforces policies securely.

@coderabbitai coderabbitai bot left a comment

Review Status

Actionable comments generated: 2

Configuration used: CodeRabbit UI

Commits: Files that changed from the base of the PR and between 03e09c9 and b792951.
Files selected for processing (3)
  • docs/api/middleware/cors.md (3 hunks)
  • middleware/cors/cors.go (1 hunks)
  • middleware/cors/cors_test.go (8 hunks)
Files skipped from review as they are similar to previous changes (1)
  • middleware/cors/cors.go
Additional comments: 7
docs/api/middleware/cors.md (3)
  • 76-76: The documentation now includes support for subdomain matching in AllowOrigins. This is a significant enhancement for flexibility and security in CORS configuration. However, it's crucial to ensure that examples or additional guidance on how to properly format and use subdomain patterns are clear to the users to avoid misconfiguration.

Consider adding examples or more detailed guidance on formatting and using subdomain patterns in AllowOrigins to prevent misconfiguration.

  • 76-76: The documentation mentions the introduction of AllowOriginsFunc for dynamic origin evaluation. This is a powerful feature that allows for runtime determination of allowed origins. However, it's essential to emphasize the security considerations when using this function, especially in production environments.

Highlight the security considerations and best practices when using AllowOriginsFunc, especially the importance of validating origins to prevent security risks.

  • 131-151: The "Security Considerations" section is a valuable addition, emphasizing the importance of careful CORS configuration to avoid security pitfalls. It's well-explained and covers critical aspects like avoiding wildcard origins with credentials and being cautious with exposed headers. This section helps developers understand the potential security risks and how to mitigate them.

The "Security Considerations" section provides essential guidance on avoiding common security pitfalls in CORS configuration. Great addition!

middleware/cors/cors_test.go (4)
  • 175-207: The addition of Test_CORS_Invalid_Origins_Panic is a valuable enhancement to the test suite, ensuring that the middleware correctly handles invalid origin configurations by panicking as expected. This aligns with the PR's objective of enhancing testing around CORS functionality. However, consider adding a comment above the test function explaining the purpose and the expected behavior in more detail for future maintainability.
  • 217-217: The modification of the AllowOrigins configuration in Test_CORS_Subdomain to "http://.example.com" is a crucial update that tests the enhanced subdomain matching functionality. This change effectively tests the middleware's ability to handle requests from subdomains of example.com, aligning with the PR's objective of improving wildcard subdomain matching. It's well-implemented and directly addresses the intended enhancement.
  • 266-287: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [269-314]

The adjustments made to origin patterns in Test_CORS_AllowOriginScheme are well thought out and cover a wide range of scenarios, including different schemes, subdomains, and port numbers. These changes are essential for thoroughly testing the middleware's ability to handle various origin configurations, especially in light of the enhancements made to subdomain matching and scheme handling. This comprehensive approach ensures that the middleware behaves as expected across different use cases, contributing to the overall reliability and security of the CORS functionality.

  • 356-382: The introduction of Test_CORS_AllowOriginHeader_NoMatch is a significant addition to the test suite, specifically targeting the verification of correct header handling when no origin match is found. This test ensures that the Access-Control-Allow-Origin header is not set in response to requests from disallowed origins, which is crucial for maintaining the security and correctness of the CORS policy enforcement. The test setup and validation logic are correctly implemented, effectively addressing one of the PR's objectives related to adjustments in header handling.


@gaby gaby added the v2 label Mar 12, 2024
@gaby gaby changed the title fix(middleware/cors): handling and wildcard subdomain matching fix(middleware/cors): Handling and wildcard subdomain matching Mar 12, 2024
@gofiber gofiber deleted a comment from coderabbitai bot Mar 12, 2024
@gofiber gofiber deleted a comment from coderabbitai bot Mar 12, 2024
@coderabbitai coderabbitai bot left a comment

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits: Files that changed from the base of the PR and between f12d083 and 79d46e0.
Files selected for processing (1)
  • docs/api/middleware/cors.md (4 hunks)
Additional comments: 8
docs/api/middleware/cors.md (8)
  • 7-7: The introduction clearly explains the purpose of CORS and its role in web security. It's important to emphasize that CORS is not a security feature but a way to relax the same-origin policy for legitimate cross-origin requests.
  • 9-9: The explanation of how the middleware processes the AllowOrigins configuration is clear and concise. It correctly outlines the behavior when a match is found or not, which is crucial for understanding how CORS policies are enforced.
  • 11-11: The documentation highlights the importance of providing correctly formatted origins and the automatic handling of schemes and trailing slashes. This is a valuable detail for users configuring the middleware.
  • 39-39: The example provided for customizing the CORS configuration is straightforward and demonstrates how to set allowed origins and headers. This will help users quickly understand how to customize their CORS policy.
  • 57-57: The introduction of AllowOriginsFunc for dynamic origin validation is a significant enhancement. This allows for more flexible and secure configurations by enabling runtime decisions on whether to allow specific origins.
  • 58-58: The documentation now explicitly mentions support for subdomain matching in AllowOrigins, which is a key feature of this update. The explanation is clear, but it could benefit from a brief mention of the security considerations when using wildcard subdomains.

Consider adding a note on the security implications of using wildcard subdomains, especially in relation to credential handling and potential exposure to less secure subdomains.

  • 87-99: The "Subdomain Matching" section provides a clear example of how to configure AllowOrigins to allow requests from any subdomain of example.com. This practical example enhances the documentation by showing users exactly how to use this new feature.
  • 127-151: The "Security Considerations" section is an excellent addition, offering secure configurations and highlighting common pitfalls. This guidance is crucial for helping users configure CORS in a way that balances functionality with security.

@coderabbitai coderabbitai bot left a comment

Review Status

Actionable comments generated: 10

Configuration used: CodeRabbit UI

Commits: Files that changed from the base of the PR and between 79d46e0 and 6860130.
Files selected for processing (1)
  • docs/api/middleware/cors.md (4 hunks)
Additional comments: 1
docs/api/middleware/cors.md (1)
  • 9-9: Ensure the term "matching" is used correctly. It might be more appropriate to use "matching-allowed" if it's part of a compound adjective describing "origin".

Please verify the usage of "matching" in this context to ensure clarity and accuracy.

@coderabbitai coderabbitai bot left a comment

Review Status

Actionable comments generated: 7

Configuration used: CodeRabbit UI

Commits: Files that changed from the base of the PR and between 6860130 and 2e57b0b.
Files selected for processing (1)
  • docs/api/middleware/cors.md (4 hunks)
Additional comments: 1
docs/api/middleware/cors.md (1)
  • 11-11: The term AllowOrigins is correctly used in the context of CORS configuration. The suggested replacement "Allow Origins" is not applicable as it breaks the specific configuration property naming convention.

@coderabbitai coderabbitai bot left a comment

Review Status

Actionable comments generated: 8

Configuration used: CodeRabbit UI

Commits: Files that changed from the base of the PR and between 2e57b0b and d220abc.
Files selected for processing (1)
  • docs/api/middleware/cors.md (4 hunks)
Additional comments: 1
docs/api/middleware/cors.md (1)
  • 11-11: The term AllowOrigins is correctly used in the context of CORS configuration and does not represent a spelling mistake.

@coderabbitai coderabbitai bot left a comment

Review Status

Actionable comments generated: 8

Configuration used: CodeRabbit UI

Commits: Files that changed from the base of the PR and between d220abc and cc8c559.
Files selected for processing (1)
  • docs/api/middleware/cors.md (4 hunks)
Additional comments: 1
docs/api/middleware/cors.md (1)
  • 11-11: The term AllowOrigins is correctly used in the context of CORS configuration. However, the static analysis tool flagged it as a possible spelling mistake. This is a false positive.

@sixcolors sixcolors (Member, Author) commented

@jub0bs I would appreciate your review as I had gone back to see why some decisions about this middleware were made and #2390 explained some decisions I was questioning.

I think this PR improves the situation while being backward compatible within the documented API. I do plan a complete rewrite for v3.

Thanks!

@sixcolors sixcolors requested a review from gaby March 16, 2024 15:48
@sixcolors sixcolors added this to the Next Release milestone Mar 16, 2024
@gaby gaby left a comment

LGTM


gaby commented Mar 17, 2024

@sixcolors Should we add the changes from #2908 in this PR?

I'm going to update that PR to rename the fields first.

@ReneWerner87 ReneWerner87 (Member) commented

> I'm going to update that PR to rename the fields first.

No new features for v2, only bugfixes and security-related changes.

@ReneWerner87 ReneWerner87 merged commit 1aac6f6 into v2 Mar 17, 2024
19 of 20 checks passed
sixcolors added a commit to sixcolors/fiber that referenced this pull request Mar 17, 2024
…er#2915)

* fix: allow origins check

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

fixes gofiber#2882

* test: AllowOrigins with whitespace

* test(middleware/cors): add benchmarks

* chore: fix linter errors

* test(middleware/cors): use h() instead of app.Test()

* test(middleware/cors): add multiple origins in Test_CORS_AllowOriginScheme

* chore: refactor validate and normalize

* test(cors/middleware): add more benchmarks

* fix(middleware/cors): handling and wildcard subdomain matching

docs(middleware/cors): add How it works and Security Considerations

* chore: grammar

* Apply suggestions from code review

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* chore: fix misspelling

* test(middleware/cors): combine Invalid_Origins tests

* refactor(middleware/cors): headers handling

* docs(middleware/cors): Update AllowOrigins description

* chore: merge

* perf(middleware/cors): optimize handler

* perf(middleware/cors): optimize handler

* chore(middleware/cors): update origin handling logic

* chore(middleware/cors): fix header capitalization

* docs(middleware/cors): improve security notes

* docs(middleware/cors): Improve security notes

* docs(middleware/cors): improve CORS overview

* docs(middleware/cors): fix ordering of how it works

* docs(middleware/cors): add additional info to How it works

* docs(middleware/cors): rm space

* docs(middleware/cors): add validation for AllowOrigins origins to overview

* docs(middleware/cors): update ExposeHeaders and MaxAge descriptions

* docs(middleware/cors): Add dynamic origin validation example

* docs(middleware/cors): Improve security notes and fix header capitalization

* docs(middleware/cors): configuration examples

* docs(middleware/cors): `"*"`

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
ReneWerner87 pushed a commit that referenced this pull request Mar 19, 2024
* fix(middleware/cors): Handling and wildcard subdomain matching (#2915)

* fix: allow origins check

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

fixes #2882

* test: AllowOrigins with whitespace

* test(middleware/cors): add benchmarks

* chore: fix linter errors

* test(middleware/cors): use h() instead of app.Test()

* test(middleware/cors): add miltiple origins in Test_CORS_AllowOriginScheme

* chore: refactor validate and normalize

* test(cors/middleware): add more benchmarks

* fix(middleware/cors): handling and wildcard subdomain matching

docs(middleware/cors): add How it works and Security Considerations

* chore: grammar

* Apply suggestions from code review

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* chore: fix misspelling

* test(middleware/cors): combine Invalid_Origins tests

* refactor(middleware/cors): headers handling

* docs(middleware/cors): Update AllowOrigins description

* chore: merge

* perf(middleware/cors): optimize handler

* perf(middleware/cors): optimize handler

* chore(middleware/cors): update origin handling logic

* chore(middleware/cors): fix header capitalization

* docs(middleware/cors): improve security notes

* docs(middleware/cors): Improve security notes

* docs(middleware/cors): improve CORS overview

* docs(middleware/cors): fix ordering of how it works

* docs(middleware/cors): add additional info to How it works

* docs(middleware/cors): rm space

* docs(middleware/cors): add validation for AllowOrigins origins to overview

* docs(middleware/cors): update ExposeHeaders and MaxAge descriptions

* docs(middleware/cors): Add dynamic origin validation example

* docs(middleware/cors): Improve security notes and fix header capitalization

* docs(middleware/cors): configuration examples

* docs(middleware/cors): `"*"`

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* test(middleware/cors): improve test coverage for request types

* chore(middleware/cors): fix v2 merge issues

* test(middleware/cors): Add subdomain matching tests

* fix(middleware/cors): Update Next function signature

* test(middleware/cors): Add benchmark for CORS subdomain matching

* test(middleware/cors): cover additional test cases

* refactor(middleware/cors): origin validation and normalization

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@sixcolors sixcolors deleted the fix-cors-allow-origins branch March 27, 2024 01:15
ReneWerner87 added a commit that referenced this pull request Mar 28, 2024
* Update pull_request_template.md

* Update v3-changes.md

* Update CONTRIBUTING.md (#2752)

Grammar correction.

* chore(encryptcookie)!: update default config (#2753)

* chore(encryptcookie)!: update default config

docs(encryptcookie): enhance documentation and examples

BREAKING CHANGE: removed the hardcoded "csrf_" from the Except.

* docs(encryptcookie): reads or modifies cookies

* chore(encryptcookie): csrf config example

* docs(encryptcookie): md table spacing

* build(deps): bump actions/setup-go from 4 to 5 (#2754)

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* 🩹 middleware/logger/: log client IP address by default (#2755)

* middleware/logger: Log client IP address by default.

* Update doc.

* fix: don't constrain middlewares' context-keys to strings 🐛 (#2751)

* Revert "Revert ":bug: requestid.Config.ContextKey is interface{} (#2369)" (#2742)"

This reverts commit 28be17f.

* fix: request ContextKey default value condition

Should check for `nil` since it is `any`.

* fix: don't constrain middlewares' context-keys to strings

`context` recommends using "unexported type" as context keys to avoid
collisions https://pkg.go.dev/github.com/gofiber/fiber/v2#Ctx.Locals.

The official go blog also recommends this https://go.dev/blog/context.

`fiber.Ctx.Locals(key any, value any)` correctly allows consumers to
use unexported types or e.g. strings.

But some fiber middlewares constrain their context-keys to `string` in
their "default config structs", making it impossible to use unexported
types.

This PR removes the `string` _constraint_ from all middlewares, allowing
to now use unexported types as per the official guidelines. However
the default value is still a string, so it's not a breaking change, and
anyone still using strings as context keys is not affected.

* 📚 Update app.md for indentation (#2761)

Update app.md for indentation

* build(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 (#2762)

Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](google/uuid@v1.4.0...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github/codeql-action from 2 to 3 (#2763)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v2...v3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Changing default log output (#2730)

changing default log output

Closes #2729

* Update hooks.md

fix wrong hooks signature

* 🩹 Fix: CORS middleware should use the defined AllowedOriginsFunc config when AllowedOrigins is empty (#2771)

* 🐛 [Bug]: Adaptator + otelfiber issue #2641 (#2772)

* 🩹🚨 - fix for redirect with query params (#2748)

* redirect with query params did not work, fix it and add test for it

* redirect middleware - fix test typo

* ♻️ logger/middleware colorize logger error message #2593 (#2773)

* ✨ feat: add liveness and readiness checks (#2509)

* ✨ feat: add liveness and readiness checkers

* 📝 docs: add docs for liveness and readiness

* ✨ feat: add options method for probe checkers

* ✅ tests: add tests for liveness and readiness

* ♻️ refactor: change default endpoint values

* ♻️ refactor: change default value for liveness endpoint

* 📝 docs: add return status for liveness and readiness probes

* ♻️ refactor: change probechecker to middleware

* 📝 docs: move docs to middleware session

* ♻️ refactor: apply gofumpt formatting

* ♻️ refactor: remove unused parameter

* split config and apply a review

* apply reviews and add testcases

* add benchmark

* cleanup

* rename middleware

* fix linter

* Update docs and config values

* Revert change to IsReady

* Updates based on code review

* Update docs to match other middlewares

---------

Co-authored-by: Muhammed Efe Cetin <efectn@protonmail.com>
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: Juan Calderon-Perez <jgcalderonperez@protonmail.com>

* prepare release v2.52.0
- add more Parser tests

* fix healthcheck.md

* configure workflows for V2 branch

* configure workflows for V2 branch

* Fix default value to false in docs of QueryBool (#2811)

fix default value to false in docs of QueryBool

* update queryParser config

* Update ctx.md

* Update routing.md

* 📚 Doc: Fix code snippet indentation in /docs/api/middleware/keyauth.md

Removes an extra level of indentation in line 51 of
`keyauth.md` [here](https://github.com/gofiber/fiber/blob/v2/docs/api/middleware/keyauth.md?plain=1#L51)

* fix: healthcheck middleware not working with route group (#2863)

* fix: healthcheck middleware not working with route group

* perf: change verification method to improve perf

* Update healthcheck_test.go

* test: add not matching route test for strict routing

* add more test cases

* correct tests

* correct test helpers

* correct tests

* correct tests

---------

Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: René Werner <rene@gofiber.io>

* Merge pull request from GHSA-fmg4-x8pw-hjhg

* Enforce Wildcard Origins with AllowCredentials check

* Expand unit-tests, fix issues with subdomains logic, update docs

* Update cors.md

* Added test using localhost, ipv4, and ipv6 address

* improve documentation markdown

---------

Co-authored-by: René Werner <rene@gofiber.io>

* Update app.go

prepare release v2.52.1

* fix cors domain normalize

* fix sync-docs workflow

* fix sync-docs workflow

* fix(middleware/cors): Validation of multiple Origins (#2883)

* fix: allow origins check

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

fixes #2882

* test: AllowOrigins with whitespace

* test(middleware/cors): add benchmarks

* chore: fix linter errors

* test(middleware/cors): use h() instead of app.Test()

* test(middleware/cors): add multiple origins in Test_CORS_AllowOriginScheme

* chore: refactor validate and normalize

* test(cors/middleware): add more benchmarks

* prepare release v2.52.2

* refactor(docs): deactivate docs sync for v2

* refactor(docs): deactivate docs sync for v2

* fix(middleware/cors): Handling and wildcard subdomain matching (#2915)

* fix: allow origins check

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

fixes #2882

* test: AllowOrigins with whitespace

* test(middleware/cors): add benchmarks

* chore: fix linter errors

* test(middleware/cors): use h() instead of app.Test()

* test(middleware/cors): add multiple origins in Test_CORS_AllowOriginScheme

* chore: refactor validate and normalize

* test(cors/middleware): add more benchmarks

* fix(middleware/cors): handling and wildcard subdomain matching

docs(middleware/cors): add How it works and Security Considerations

* chore: grammar

* Apply suggestions from code review

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* chore: fix misspelling

* test(middleware/cors): combine Invalid_Origins tests

* refactor(middleware/cors): headers handling

* docs(middleware/cors): Update AllowOrigins description

* chore: merge

* perf(middleware/cors): optimize handler

* perf(middleware/cors): optimize handler

* chore(middleware/cors): update origin handling logic

* chore(middleware/cors): fix header capitalization

* docs(middleware/cors): improve security notes

* docs(middleware/cors): Improve security notes

* docs(middleware/cors): improve CORS overview

* docs(middleware/cors): fix ordering of how it works

* docs(middleware/cors): add additional info to How it works

* docs(middleware/cors): rm space

* docs(middleware/cors): add validation for AllowOrigins origins to overview

* docs(middleware/cors): update ExposeHeaders and MaxAge descriptions

* docs(middleware/cors): Add dynamic origin validation example

* docs(middleware/cors): Improve security notes and fix header capitalization

* docs(middleware/cors): configuration examples

* docs(middleware/cors): `"*"`

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix(middleware/cors): Categorize requests correctly (#2921)

* fix(middleware/cors): categorise requests correctly

* test(middleware/cors): improve test coverage for request types

* test(middleware/cors): Add subdomain matching tests

* test(middleware/cors): parallel tests for CORS headers based on request type

* test(middleware/cors): Add benchmark for CORS subdomain matching

* test(middleware/cors): cover additional test cases

* refactor(middleware/cors): origin validation and normalization

* test(middleware/csrf): Fix Benchmark Tests (#2932)

* test(middleware/csrf): fix Benchmark_Middleware_CSRF_*

* fix(middleware/csrf): update refererMatchesHost()

* Prepare release v2.52.3

* fix(middleware/cors): CORS handling (#2937)

* fix(middleware/cors): CORS handling

* fix(middleware/cors): Vary header handling

* test(middleware/cors): Ensure Vary Headers checked

* fix(middleware/cors): Vary header handling non-cors OPTIONS requests (#2939)

* fix(middleware/cors): Vary header handling non-cors OPTIONS requests

* chore(middleware/cors): Add Vary header for non-CORS OPTIONS requests comment

* prepare release v2.52.4

* merge v2 in main(v3)

* merge v2 in main(v3)

* merge v2 in main(v3)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: tokelo-12 <113810058+tokelo-12@users.noreply.github.com>
Co-authored-by: Jason McNeil <sixcolors@mac.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: iRedMail <2048991+iredmail@users.noreply.github.com>
Co-authored-by: Benjamin Grosse <ste3ls@gmail.com>
Co-authored-by: Mehmet Firat KOMURCU <mehmetfiratkomurcu@hotmail.com>
Co-authored-by: Bruno <bdm2943@icloud.com>
Co-authored-by: Muhammad Kholid B <muhammadkholidb@gmail.com>
Co-authored-by: gilwo <gilwo@users.noreply.github.com>
Co-authored-by: Lucas Lemos <lucashenriqueblemos@gmail.com>
Co-authored-by: Muhammed Efe Cetin <efectn@protonmail.com>
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: Juan Calderon-Perez <jgcalderonperez@protonmail.com>
Co-authored-by: Jongmin Kim <kjongmin26@gmail.com>
Co-authored-by: Giovanni Rivera <rivera.giovanni271@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
fsandel pushed a commit to stackitcloud/stackit-cert-manager-webhook that referenced this pull request Apr 4, 2024
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/gofiber/fiber/v2](https://github.com/gofiber/fiber) | require | patch | `v2.52.2` -> `v2.52.4` |

---

### Release Notes

<details>
<summary>gofiber/fiber (github.com/gofiber/fiber/v2)</summary>

### [`v2.52.4`](https://github.com/gofiber/fiber/releases/tag/v2.52.4)

[Compare Source](gofiber/fiber@v2.52.3...v2.52.4)

### 🐛 Fixes

-   Middleware/cors: CORS handling by [@sixcolors](https://github.com/sixcolors) in gofiber/fiber#2937
-   Middleware/cors: Vary header handling non-cors OPTIONS requests by [@sixcolors](https://github.com/sixcolors) in gofiber/fiber#2939

**Full Changelog**: gofiber/fiber@v2.52.3...v2.52.4

### [`v2.52.3`](https://github.com/gofiber/fiber/releases/tag/v2.52.3)

[Compare Source](gofiber/fiber@v2.52.2...v2.52.3)

#### 🐛 Fixes

-   Middleware/cors: Handling and wildcard subdomain matching by [@sixcolors](https://github.com/sixcolors) in gofiber/fiber#2915
-   Middleware/cors: Categorize requests correctly by [@sixcolors](https://github.com/sixcolors) in gofiber/fiber#2921
-   Middleware/csrf: Fix Benchmark Tests by [@sixcolors](https://github.com/sixcolors) in gofiber/fiber#2932

**Full Changelog**: gofiber/fiber@v2.52.2...v2.52.3

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or rename PR to start with "rebase!".

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).