Merge pull request from GHSA-fgxv-gw55-r5fq

* fix: Authorization Bypass Through User-Controlled Key

* chore: add not safe domain test
master
Kevin Wan 2 years ago committed by GitHub
parent d953675085
commit d9d79e930d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -77,12 +77,18 @@ func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string
} }
func isOriginAllowed(allows []string, origin string) bool { func isOriginAllowed(allows []string, origin string) bool {
for _, o := range allows { origin = strings.ToLower(origin)
if o == allOrigins { for _, allow := range allows {
if allow == allOrigins {
return true return true
} }
if strings.HasSuffix(origin, o) { allow = strings.ToLower(allow)
if origin == allow {
return true
}
if strings.HasSuffix(origin, "."+allow) {
return true return true
} }
} }
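Review bot: The suffix branch `if strings.HasSuffix(origin, "."+allow)` still accepts too much when an entry of allows is the empty string, because the pattern collapses to "." and any Origin value ending in a dot satisfies it; a guard at the top of the loop body, `if allow == "" { continue }` (or rejecting empty entries where the list is configured), closes that gap. The comparison also runs on the raw Origin header rather than its host, so a bare-domain entry such as "safe.com" matches an origin like `http://sub.safe.com` through the suffix test but never `http://safe.com` itself; if both entry forms are intended, a doc comment on isOriginAllowed stating that entries are compared as lowercase, dot-bounded suffixes of the full Origin value would make the contract explicit. The tail of isOriginAllowed (its final return) lies outside this hunk.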

@ -53,6 +53,11 @@ func TestCorsHandlerWithOrigins(t *testing.T) {
origins: []string{"http://local", "http://remote"}, origins: []string{"http://local", "http://remote"},
reqOrigin: "http://another", reqOrigin: "http://another",
}, },
{
name: "not safe origin",
origins: []string{"safe.com"},
reqOrigin: "not-safe.com",
},
} }
methods := []string{ methods := []string{
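Review bot: The new "not safe origin" case pins the dot boundary, but nothing in this table exercises the case folding the handler change introduced; a companion case such as `{name: "mixed case origin", origins: []string{"http://local"}, reqOrigin: "http://LOCAL"}` would keep that behavior covered. This case is also the only one using a scheme-less entry ("safe.com") while its neighbours use full origins, so a positive subdomain case (`origins: []string{"safe.com"}, reqOrigin: "http://api.safe.com"`) would document that both forms are supported. The expected-result field for these cases is not visible in the hunk, so the assertions are presumed to follow the table's existing pattern.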
