use exact matching of allowed domain entries, issue emicklei#489

tompreston · May 9, 2022 · 9ae31f4 · 9ae31f4
1 parent a2fa145
commit 9ae31f4
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/cors_filter.go b/cors_filter.go
@@ -5,6 +5,7 @@ package restful
 // that can be found in the LICENSE file.
 
 import (
+	"fmt"
 	"regexp"
 	"strconv"
 	"strings"
@@ -188,11 +189,15 @@ func (c CrossOriginResourceSharing) isValidAccessControlRequestHeader(header str
 	return false
 }
 
-// Take a list of strings and compile them into a list of regular expressions.
-func compileRegexps(regexpStrings []string) ([]*regexp.Regexp, error) {
+// Take a list of allowed domains as strings and compile them into a list of regular expressions.
+func compileRegexps(allowedDomains []string) ([]*regexp.Regexp, error) {
 	regexps := []*regexp.Regexp{}
-	for _, regexpStr := range regexpStrings {
-		r, err := regexp.Compile(regexpStr)
+	for _, each := range allowedDomains {
+		// make sure the expression represents an exact match
+		if !strings.HasPrefix(each, "^") {
+			each = fmt.Sprintf("^%s$", each)
+		}
+		r, err := regexp.Compile(each)
 		if err != nil {
 			return regexps, err
 		}