Merge pull request from GHSA-fgxv-gw55-r5fq

* fix: Authorization Bypass Through User-Controlled Key

* chore: add not safe domain test
master
Kevin Wan 2 years ago committed by GitHub
parent d953675085
commit d9d79e930d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -77,12 +77,18 @@ func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string
}
func isOriginAllowed(allows []string, origin string) bool {
for _, o := range allows {
if o == allOrigins {
origin = strings.ToLower(origin)
for _, allow := range allows {
if allow == allOrigins {
return true
}
if strings.HasSuffix(origin, o) {
allow = strings.ToLower(allow)
if origin == allow {
return true
}
if strings.HasSuffix(origin, "."+allow) {
return true
}
}

@ -53,6 +53,11 @@ func TestCorsHandlerWithOrigins(t *testing.T) {
origins: []string{"http://local", "http://remote"},
reqOrigin: "http://another",
},
{
name: "not safe origin",
origins: []string{"safe.com"},
reqOrigin: "not-safe.com",
},
}
methods := []string{

Loading…
Cancel
Save