use exact matching of allowed domain entries, issue #489
emicklei committed Mar 29, 2022
1 parent 7c971ca commit f292eff
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions cors_filter.go
Expand Up @@ -5,6 +5,7 @@ package restful
// that can be found in the LICENSE file.

import (
"fmt"
"regexp"
"strconv"
"strings"
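Review bot: the new "fmt" import is pulled in only for the single Sprintf call in compileRegexps; `"^" + each + "$"` produces the same string without the extra dependency or the format-string parse and leaves the import block untouched. Style point only.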
Expand Down Expand Up @@ -191,11 +192,15 @@ func (c CrossOriginResourceSharing) isValidAccessControlRequestHeader(header str
return false
}

// Take a list of strings and compile them into a list of regular expressions.
func compileRegexps(regexpStrings []string) ([]*regexp.Regexp, error) {
// Take a list of allowed domains as strings and compile them into a list of regular expressions.
func compileRegexps(allowedDomains []string) ([]*regexp.Regexp, error) {
regexps := []*regexp.Regexp{}
for _, regexpStr := range regexpStrings {
r, err := regexp.Compile(regexpStr)
for _, each := range allowedDomains {
// make sure the expression represents an exact match
if !strings.HasPrefix(each, "^") {
each = fmt.Sprintf("^%s$", each)
}
r, err := regexp.Compile(each)
if err != nil {
return regexps, err
}
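Review bot: the anchoring check in compileRegexps only inspects the start of the entry, so the result is asymmetric: an entry such as `^example\.com` (leading `^`, no trailing `$`) is compiled unchanged and still matches any origin that merely begins with the domain, which is the partial-match behaviour the commit message sets out to remove, while an entry with a trailing `$` but no `^` gets both anchors added and ends in a harmless `$$`. Checking each anchor on its own covers both cases: `if !strings.HasPrefix(each, "^") { each = "^" + each }` followed by `if !strings.HasSuffix(each, "$") { each = each + "$" }`. The doc comment should also say that allowed domain entries are regular expressions, since a plain `example.com` keeps an unescaped `.` that matches any character even once anchored; callers wanting a literal match need regexp.QuoteMeta, or the filter could apply it to entries containing no metacharacters.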

5 comments on commit f292eff

@JamieSlome

@emicklei - would be good to get your thoughts on the severity of the issue in relation to #489?

@emicklei
Owner Author


I think the issue shows a problem with the CORS filter, but I do not consider it to be very critical, as this package is meant for building services which typically have 2 other layers for security: authentication and authorisation.

@ktg9

@ktg9 ktg9 commented on f292eff Apr 3, 2022


Hi @emicklei, could you take a look at my report for this issue on huntr.dev and validate it?
https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/

@JamieSlome


@emicklei - thanks for your response 👍 Would you consider it to be low, medium, or high?

@ktg9

@ktg9 ktg9 commented on f292eff Apr 9, 2022


Hi @emicklei, can you take a look at my report and validate it so the issue can be published? You will also get some bounties for fixing the vulnerability.
https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/
