fix: OK cors=true & origin and host = localhost

Close #8560
micronaut-projects · Jan 11, 2023 · 05647e5 · 05647e5
1 parent 819d48f
commit 05647e5
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 4 deletions.
diff --git a/...rver-tck/src/main/java/io/micronaut/http/server/tck/tests/cors/CorsSimpleRequestTest.java b/...rver-tck/src/main/java/io/micronaut/http/server/tck/tests/cors/CorsSimpleRequestTest.java
@@ -72,7 +72,6 @@ void corsSimpleRequestNotAllowedForLocalhostAndAny() throws IOException {
             (server, request) -> {
                 RefreshCounter refreshCounter = server.getApplicationContext().getBean(RefreshCounter.class);
                 assertEquals(0, refreshCounter.getRefreshCount());
-
                 AssertionUtils.assertThrows(server, request, HttpResponseAssertion.builder()
                         .status(HttpStatus.FORBIDDEN)
                         .assertResponse(response -> assertFalse(response.getHeaders().contains("Vary")))
@@ -81,6 +80,21 @@ void corsSimpleRequestNotAllowedForLocalhostAndAny() throws IOException {
         });
     }
 
+    @Test
+    void corsSimpleRequestNotAllowedForLocalhostAndOriginLocalhost() throws IOException {
+        asserts(SPECNAME,
+            Collections.singletonMap(PROPERTY_MICRONAUT_SERVER_CORS_ENABLED, StringUtils.TRUE),
+            createRequest("http://localhost:8000"),
+            (server, request) -> {
+                RefreshCounter refreshCounter = server.getApplicationContext().getBean(RefreshCounter.class);
+                assertEquals(0, refreshCounter.getRefreshCount());
+                AssertionUtils.assertDoesNotThrow(server, request, HttpResponseAssertion.builder()
+                    .status(HttpStatus.OK)
+                    .build());
+                assertEquals(1, refreshCounter.getRefreshCount());
+            });
+    }
+
     /**
      * CORS Simple request for localhost can be allowed via configuration.
      * @throws IOException may throw the try for resources

diff --git a/...ain/java/io/micronaut/http/server/tck/tests/cors/SimpleRequestWithCorsNotEnabledTest.java b/...ain/java/io/micronaut/http/server/tck/tests/cors/SimpleRequestWithCorsNotEnabledTest.java
@@ -53,7 +53,7 @@ public class SimpleRequestWithCorsNotEnabledTest {
     @Test
     void corsSimpleRequestNotAllowedForLocalhostAndAny() throws IOException {
         asserts(SPECNAME,
-            createRequest(),
+            createRequest("https://sdelamo.github.io"),
             (server, request) -> {
             RefreshCounter refreshCounter = server.getApplicationContext().getBean(RefreshCounter.class);
                 assertEquals(0, refreshCounter.getRefreshCount());
@@ -66,15 +66,29 @@ void corsSimpleRequestNotAllowedForLocalhostAndAny() throws IOException {
             });
     }
 
-    private static HttpRequest<?> createRequest() {
+    @Test
+    void corsSimpleRequestAllowedForLocalhostAndOriginLocalhost() throws IOException {
+        asserts(SPECNAME,
+            createRequest("http://localhost:8000"),
+            (server, request) -> {
+                RefreshCounter refreshCounter = server.getApplicationContext().getBean(RefreshCounter.class);
+                assertEquals(0, refreshCounter.getRefreshCount());
+                AssertionUtils.assertDoesNotThrow(server, request, HttpResponseAssertion.builder()
+                    .status(HttpStatus.OK)
+                    .build());
+                assertEquals(1, refreshCounter.getRefreshCount());
+            });
+    }
+
+    private static HttpRequest<?> createRequest(String origin) {
         return HttpRequest.POST("/refresh", Collections.emptyMap())
             .header("Accept", "*/*")
             .header("Accept-Encoding", "gzip, deflate, br")
             .header("Accept-Language", "en-GB,en-US;q=0.9,en;q=0.8")
             .header("Connection", "keep-alive")
             .header("Content-Length", "0")
             .header("Host", "localhost:8080")
-            .header("Origin", "https://sdelamo.github.io")
+            .header("Origin", origin)
             .header("sec-ch-ua", "\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\"")
             .header("sec-ch-ua-mobile", "?0")
             .header("sec-ch-ua-platform", "\"macOS\"")

diff --git a/http-server/src/main/java/io/micronaut/http/server/cors/CorsFilter.java b/http-server/src/main/java/io/micronaut/http/server/cors/CorsFilter.java
@@ -128,6 +128,13 @@ protected boolean shouldDenyToPreventDriveByLocalhostAttack(@NonNull CorsOriginC
         if (httpHostResolver == null) {
             return false;
         }
+        String origin = request.getHeaders().getOrigin().orElse(null);
+        if (origin == null) {
+            return false;
+        }
+        if (origin.startsWith(LOCALHOST)) {
+            return false;
+        }
         String host = httpHostResolver.resolve(request);
         return isAny(corsOriginConfiguration.getAllowedOrigins()) && host.startsWith(LOCALHOST);