
Commit d456e7d

authored
fix(middleware/cors): Validation of multiple Origins (#2883)
* fix: allow origins check Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic. fixes #2882 * test: AllowOrigins with whitespace * test(middleware/cors): add benchmarks * chore: fix linter errors * test(middleware/cors): use h() instead of app.Test() * test(middleware/cors): add multiple origins in Test_CORS_AllowOriginScheme * chore: refactor validate and normalize * test(cors/middleware): add more benchmarks
1 parent ddc6b23 commit d456e7d

2 files changed

+513
-15
lines changed

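--- a/middleware/cors/cors.go
+++ b/middleware/cors/cors.go
@@ -113,24 +113,32 @@ func New(config ...Config) fiber.Handler {
 panic("[CORS] Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard.")
 }
 
-// Validate and normalize static AllowOrigins if not using AllowOriginsFunc
-if cfg.AllowOriginsFunc == nil && cfg.AllowOrigins != "" && cfg.AllowOrigins != "*" {
-validatedOrigins := []string{}
-for _, origin := range strings.Split(cfg.AllowOrigins, ",") {
-isValid, normalizedOrigin := normalizeOrigin(origin)
+// allowOrigins is a slice of strings that contains the allowed origins
+// defined in the 'AllowOrigins' configuration.
+var allowOrigins []string
+
+// Validate and normalize static AllowOrigins
+if cfg.AllowOrigins != "" && cfg.AllowOrigins != "*" {
+origins := strings.Split(cfg.AllowOrigins, ",")
+allowOrigins = make([]string, len(origins))
+
+for i, origin := range origins {
+trimmedOrigin := strings.TrimSpace(origin)
+isValid, normalizedOrigin := normalizeOrigin(trimmedOrigin)
+
 if isValid {
-validatedOrigins = append(validatedOrigins, normalizedOrigin)
+allowOrigins[i] = normalizedOrigin
 } else {
-log.Warnf("[CORS] Invalid origin format in configuration: %s", origin)
+log.Warnf("[CORS] Invalid origin format in configuration: %s", trimmedOrigin)
 panic("[CORS] Invalid origin provided in configuration")
 }
 }
-cfg.AllowOrigins = strings.Join(validatedOrigins, ",")
+} else {
+// If AllowOrigins is set to a wildcard or not set,
+// set allowOrigins to a slice with a single element
+allowOrigins = []string{cfg.AllowOrigins}
 }
 
-// Convert string to slice
-allowOrigins := strings.Split(strings.ReplaceAll(cfg.AllowOrigins, " ", ""), ",")
-
 // Strip white spaces
 allowMethods := strings.ReplaceAll(cfg.AllowMethods, " ", "")
 allowHeaders := strings.ReplaceAll(cfg.AllowHeaders, " ", "")
@@ -165,10 +173,8 @@ func New(config ...Config) fiber.Handler {
 // Run AllowOriginsFunc if the logic for
 // handling the value in 'AllowOrigins' does
 // not result in allowOrigin being set.
-if allowOrigin == "" && cfg.AllowOriginsFunc != nil {
-if cfg.AllowOriginsFunc(originHeader) {
-allowOrigin = originHeader
-}
+if allowOrigin == "" && cfg.AllowOriginsFunc != nil && cfg.AllowOriginsFunc(originHeader) {
+allowOrigin = originHeader
 }
 
 // Simple request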
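Review bot: The wildcard branch still compares the untrimmed cfg.AllowOrigins against "*" while the list branch trims each element, so a value such as " *" or "*, " is routed into normalizeOrigin instead of being treated as a wildcard, and whether that panics or is accepted depends on normalizeOrigin, which is outside this hunk; the same untrimmed value presumably feeds the insecure-setup check just above the hunk that panics on AllowCredentials with a wildcard. Trimming once up front, before both comparisons, keeps the guards consistent with the new per-element handling: `cfg.AllowOrigins = strings.TrimSpace(cfg.AllowOrigins)`. A trailing or doubled comma also yields an empty element after Split that is trimmed to "" and handed to normalizeOrigin; if that is rejected the warning prints nothing useful, so `log.Warnf("[CORS] Invalid origin format in configuration: %q", trimmedOrigin)` would make an empty or whitespace-only entry visible in the log. The enclosing New begins before the first hunk and continues past the second.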
