Merge pull request #32442 from sberyozkin/cors_same_origin_check_fix
Add one more CORS same origin unit test
sberyozkin authored Apr 6, 2023
2 parents 1f6affe + dfce852 commit 9dcac79
Showing 2 changed files with 25 additions and 0 deletions.
Expand Up @@ -10,6 +10,8 @@
import java.util.Optional;
import java.util.regex.Pattern;

import org.jboss.logging.Logger;

import io.vertx.core.Handler;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpMethod;
Expand All @@ -19,6 +21,7 @@

public class CORSFilter implements Handler<RoutingContext> {

private static final Logger LOG = Logger.getLogger(CORSFilter.class);
private static final Pattern COMMA_SEPARATED_SPLIT_REGEX = Pattern.compile("\\s*,\\s*");

// This is set in the recorder at runtime.
Expand Down Expand Up @@ -214,10 +217,12 @@ public void handle(RoutingContext event) {
}

if (!allowsOrigin) {
LOG.debug("Origin is not allowed");
response.setStatusCode(403);
response.setStatusMessage("CORS Rejected - Invalid origin");
response.end();
} else if (request.method().equals(HttpMethod.OPTIONS) && (requestedHeaders != null || requestedMethods != null)) {
LOG.debug("Preflight request has completed");
if (corsConfig.accessControlMaxAge.isPresent()) {
response.putHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE,
String.valueOf(corsConfig.accessControlMaxAge.get().getSeconds()));
Expand All @@ -233,6 +238,9 @@ static boolean isSameOrigin(HttpServerRequest request, String origin) {
//fast path check, when everything is the same
if (origin.startsWith(request.scheme())) {
if (!substringMatch(origin, request.scheme().length(), "://", false)) {
LOG.debugf(
"Same origin check has failed, the origin is not a substring of the request URI. Request URI: %s, origin: %s",
request.absoluteURI(), origin);
return false;
}
if (substringMatch(origin, request.scheme().length() + 3, request.host(), true)) {
Expand All @@ -253,9 +261,14 @@ static boolean isSameOriginSlowPath(HttpServerRequest request, String origin) {
if (!originUri.getPath().isEmpty()) {
//origin should not contain a path component
//just reject it in this case
LOG.debugf("Same origin check has failed as the origin contains a path component. Request URI: %s, origin: %s",
request.absoluteURI(), origin);
return false;
}
if (!baseUri.getHost().equals(originUri.getHost())) {
LOG.debugf("Same origin check has failed, the host values do not match. Request URI: %s, origin: %s",
request.absoluteURI(),
origin);
return false;
}
if (baseUri.getPort() == originUri.getPort()) {
Expand All @@ -280,6 +293,7 @@ static boolean isSameOriginSlowPath(HttpServerRequest request, String origin) {
}
}
}
LOG.debugf("Same origin check has failed. Request URI: %s, origin: %s", request.absoluteURI(), origin);
return false;
}

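Review bot: The debug message added at the fast-path check in isSameOrigin ("the origin is not a substring of the request URI") does not describe the condition that failed: that branch fires when the text following the scheme is not `://`, i.e. the Origin value is malformed or uses another delimiter, so the message should say so, e.g. `"Same origin check has failed, the origin does not have the form '<scheme>://host'. Request URI: %s, origin: %s"`. Every new `LOG.debugf` call in this file also evaluates `request.absoluteURI()` eagerly even when debug logging is disabled, and both logged values (the request URI and the `Origin` header) are client-controlled, so these messages should stay at debug level and, if this rejection path turns out to be hot, be wrapped in `if (LOG.isDebugEnabled()) { ... }`. isSameOrigin begins before this hunk and isSameOriginSlowPath's port-comparison branch runs past the visible lines, so I could not check whether that branch reports a reason on failure as the others now do.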
Expand Up @@ -75,6 +75,17 @@ public void sameOriginTest() {

}

@Test
public void sameOriginPublicWebAddressTest() {
var request = Mockito.mock(HttpServerRequest.class);
Mockito.when(request.scheme()).thenReturn("https");
Mockito.when(request.host()).thenReturn("stage.code.quarkus.io");
Mockito.when(request.absoluteURI()).thenReturn("https://stage.code.quarkus.io/api/project");
Assertions.assertFalse(isSameOrigin(request, "http://localhost"));
Assertions.assertFalse(isSameOrigin(request, "https://code.quarkus.io"));
Assertions.assertTrue(isSameOrigin(request, "https://stage.code.quarkus.io"));
}

@Test
public void testSubstringMatches() {
Assertions.assertTrue(substringMatch("localhost", 0, "local", false));
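Review bot: The new sameOriginPublicWebAddressTest covers a different host and a different scheme, but not the shapes a same-origin comparison most often gets wrong: an origin whose host has the request host as a prefix or as a suffix. The preceding sameOriginTest is cut off in this view so I cannot tell whether it already pins these; if not, add `Assertions.assertFalse(isSameOrigin(request, "https://stage.code.quarkus.io.evil.com"));` and `Assertions.assertFalse(isSameOrigin(request, "https://evilstage.code.quarkus.io"));` beside the existing negative assertions. Both are expected to be rejected by the host equality check in isSameOriginSlowPath once the fast-path `substringMatch` fails, and asserting them here protects that property against later changes to the fast path. An explicit-port variant such as `https://stage.code.quarkus.io:443` would additionally exercise the port branch of the slow path, which this mocked request (no port in `host()` or `absoluteURI()`) otherwise leaves untested.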
