PROD-34947 (#360)

- Fix CORS origin check to exclude domains that are similar to allowed ones - Fixed regex not whitelisting all subdomains when configured
Workable · Jan 26, 2024 · 1372d8f · 1372d8f
1 parent ea95ad6
commit 1372d8f
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 2 deletions.
diff --git a/examples/simple-example/config.js b/examples/simple-example/config.js
@@ -7,7 +7,8 @@ module.exports = {
     name: 'foo'
   },
   cors: {
-    publicPrefixes: ['/api/allowAll']
+    publicPrefixes: ['/api/allowAll'],
+    allowedOrigins: ['localhost:3000', 'lvh.me', '*.lvh.me'],
   },
   riviere: {
     bodyKeysRegex: '.*'

diff --git a/src/orka-builder.ts b/src/orka-builder.ts
@@ -91,7 +91,7 @@ export default class OrkaBuilder {
     { credentials = undefined, allowedOrigins = this.config.allowedOrigins, publicPrefixes = [] } = this.config.cors ||
       {}
   ) {
-    const allowedOrigin = new RegExp('https?://(www\\.)?([^.]+\\.)?(' + allowedOrigins.join(')|(') + ')');
+    const allowedOrigin = new RegExp('^https?://(www\\.)?([^.]+\\.)?((' + allowedOrigins.map(ao => ao.replaceAll('.', '\\.').replaceAll('*', '.*')).join(')|(') + '))$');
 
     return this.use(() =>
       cors({

diff --git a/test/examples/star-cors-example.test.ts b/test/examples/star-cors-example.test.ts
@@ -29,4 +29,41 @@ describe('Star CORS examples', () => {
 
     response.headers['access-control-allow-origin'].should.eql('http://localhost:3000');
   });
+
+  it('/api triggers cors policy', async () => {
+    const response = await supertest('localhost:3000')
+      .get('/api')
+      .set('origin', 'http://lvh.me.foreign.com')
+      .expect(200);
+
+    response.headers['access-control-allow-origin'].should.not.eql('http://lvh.me.foreign.com');
+    response.headers['access-control-allow-origin'].should.eql('localhost:3000');
+  });
+
+  it('/api/example returns access-control-allow-origin that contains the subdomain', async () => {
+    const response = await supertest('localhost:3000')
+      .get('/api/example')
+      .set('origin', 'http://some.localhost:3000')
+      .expect(200);
+
+    response.headers['access-control-allow-origin'].should.eql('http://some.localhost:3000');
+  });
+
+  it('/api/example blocks deep subdomains', async () => {
+    const response = await supertest('localhost:3000')
+      .get('/api/example')
+      .set('origin', 'http://some.very.deep.subdomain.localhost:3000')
+      .expect(200);
+
+    response.headers['access-control-allow-origin'].should.eql('localhost:3000');
+  });
+
+  it('/api/example allows deep subdomains when the allowed origin is \'*.lvh.me\'', async () => {
+    const response = await supertest('localhost:3000')
+      .get('/api/example')
+      .set('origin', 'https://some.very.deep.subdomain.lvh.me')
+      .expect(200);
+
+    response.headers['access-control-allow-origin'].should.eql('https://some.very.deep.subdomain.lvh.me');
+  });
 });