Commit
f63c396f
authored
Mar 11, 2021
by
Janoš Guljaš
Committed by
GitHub
Mar 11, 2021
fix unconfigured cors origin (#1421)
parent
7988481f
Showing
5 changed files
with
137 additions
and
15 deletions
+137
-15
api_test.go
pkg/api/api_test.go
+15
-13
cors_test.go
pkg/api/cors_test.go
+108
-0
router.go
pkg/api/router.go
+1
-1
cors.go
pkg/debugapi/cors.go
+1
-1
cors_test.go
pkg/debugapi/cors_test.go
+12
-0
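--- a/pkg/api/api_test.go
+++ b/pkg/api/api_test.go
@@ -29,17 +29,18 @@ import (
 )
 
 type testServerOptions struct {
-	Storer          storage.Storer
-	Resolver        resolver.Interface
-	Pss             pss.Interface
-	Traversal       traversal.Service
-	WsPath          string
-	Tags            *tags.Tags
-	GatewayMode     bool
-	WsPingPeriod    time.Duration
-	Logger          logging.Logger
-	PreventRedirect bool
-	Feeds           feeds.Factory
+	Storer             storage.Storer
+	Resolver           resolver.Interface
+	Pss                pss.Interface
+	Traversal          traversal.Service
+	WsPath             string
+	Tags               *tags.Tags
+	GatewayMode        bool
+	WsPingPeriod       time.Duration
+	Logger             logging.Logger
+	PreventRedirect    bool
+	Feeds              feeds.Factory
+	CORSAllowedOrigins []string
 }
 
 func newTestServer(t *testing.T, o testServerOptions) (*http.Client, *websocket.Conn, string) {
@@ -53,8 +54,9 @@ func newTestServer(t *testing.T, o testServerOptions) (*http.Client, *websocket.
 		o.WsPingPeriod = 60 * time.Second
 	}
 	s := api.New(o.Tags, o.Storer, o.Resolver, o.Pss, o.Traversal, o.Feeds, o.Logger, nil, api.Options{
-		GatewayMode:  o.GatewayMode,
-		WsPingPeriod: o.WsPingPeriod,
+		CORSAllowedOrigins: o.CORSAllowedOrigins,
+		GatewayMode:        o.GatewayMode,
+		WsPingPeriod:       o.WsPingPeriod,
 	})
 	ts := httptest.NewServer(s)
 	t.Cleanup(ts.Close)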
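--- /dev/null
+++ b/pkg/api/cors_test.go
+// Copyright 2021 The Swarm Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package api_test
+
+import (
+	"net/http"
+	"testing"
+)
+
+func TestCORSHeaders(t *testing.T) {
+	for _, tc := range []struct {
+		name           string
+		origin         string
+		allowedOrigins []string
+		wantCORS       bool
+	}{
+		{
+			name: "none",
+		},
+		{
+			name:           "no origin",
+			allowedOrigins: []string{"https://gateway.ethswarm.org"},
+			wantCORS:       false,
+		},
+		{
+			name:           "single explicit",
+			origin:         "https://gateway.ethswarm.org",
+			allowedOrigins: []string{"https://gateway.ethswarm.org"},
+			wantCORS:       true,
+		},
+		{
+			name:           "single explicit blocked",
+			origin:         "http://a-hacker.me",
+			allowedOrigins: []string{"https://gateway.ethswarm.org"},
+			wantCORS:       false,
+		},
+		{
+			name:           "multiple explicit",
+			origin:         "https://staging.gateway.ethswarm.org",
+			allowedOrigins: []string{"https://gateway.ethswarm.org", "https://staging.gateway.ethswarm.org"},
+			wantCORS:       true,
+		},
+		{
+			name:           "multiple explicit blocked",
+			origin:         "http://a-hacker.me",
+			allowedOrigins: []string{"https://gateway.ethswarm.org", "https://staging.gateway.ethswarm.org"},
+			wantCORS:       false,
+		},
+		{
+			name:           "wildcard",
+			origin:         "http://localhost:1234",
+			allowedOrigins: []string{"*"},
+			wantCORS:       true,
+		},
+		{
+			name:           "wildcard",
+			origin:         "https://gateway.ethswarm.org",
+			allowedOrigins: []string{"*"},
+			wantCORS:       true,
+		},
+		{
+			name:           "with origin only",
+			origin:         "https://gateway.ethswarm.org",
+			allowedOrigins: nil,
+			wantCORS:       false,
+		},
+		{
+			name:           "with origin only not nil",
+			origin:         "https://gateway.ethswarm.org",
+			allowedOrigins: []string{},
+			wantCORS:       false,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			client, _, _ := newTestServer(t, testServerOptions{
+				CORSAllowedOrigins: tc.allowedOrigins,
+			})
+			req, err := http.NewRequest(http.MethodGet, "/", nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if tc.origin != "" {
+				req.Header.Set("Origin", tc.origin)
+			}
+			r, err := client.Do(req)
+			if err != nil {
+				t.Fatal(err)
+			}
+			got := r.Header.Get("Access-Control-Allow-Origin")
+			if tc.wantCORS {
+				if got != tc.origin {
+					t.Errorf("got Access-Control-Allow-Origin %q, want %q", got, tc.origin)
+				}
+			} else {
+				if got != "" {
+					t.Errorf("got Access-Control-Allow-Origin %q, want none", got)
+				}
+			}
+		})
+	}
+}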
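Review bot: The assertions check only `Access-Control-Allow-Origin`, while the handler in pkg/api/router.go sets `Access-Control-Allow-Credentials` in the same branch, so the blocked and unconfigured cases should also assert that header is absent, e.g. `if c := r.Header.Get("Access-Control-Allow-Credentials"); c != "" { t.Errorf("got Access-Control-Allow-Credentials %q, want none", c) }`. The response from `client.Do(req)` is never closed; add `defer r.Body.Close()` after the error check. Two cases share the name "wildcard", so `t.Run` will append a numeric suffix to one of them and a failure is harder to trace back; give them distinct names.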
pkg/api/router.go
...
...
@@ -196,7 +196,7 @@ func (s *server) setupRouting() {
s
.
pageviewMetricsHandler
,
func
(
h
http
.
Handler
)
http
.
Handler
{
return
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
r
*
http
.
Request
)
{
if
o
:=
r
.
Header
.
Get
(
"Origin"
);
o
!=
""
&&
(
len
(
s
.
CORSAllowedOrigins
)
==
0
||
s
.
checkOrigin
(
r
)
)
{
if
o
:=
r
.
Header
.
Get
(
"Origin"
);
o
!=
""
&&
s
.
checkOrigin
(
r
)
{
w
.
Header
()
.
Set
(
"Access-Control-Allow-Credentials"
,
"true"
)
w
.
Header
()
.
Set
(
"Access-Control-Allow-Origin"
,
o
)
w
.
Header
()
.
Set
(
"Access-Control-Allow-Headers"
,
"Origin, Accept, Authorization, Content-Type, X-Requested-With, Access-Control-Request-Headers, Access-Control-Request-Method"
)
...
...
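Review bot: This branch reflects the request's Origin into `Access-Control-Allow-Origin` and always pairs it with `Access-Control-Allow-Credentials: true`; the wildcard cases added in pkg/api/cors_test.go expect the reflected origin when `"*"` is configured, so a wildcard allow-list amounts to credentialed cross-origin access for every site. Consider emitting the credentials header only when the origin matched an explicitly listed entry, and say so in the documentation of `CORSAllowedOrigins`. Since the response now varies with the request's Origin, the branch should also send `w.Header().Add("Vary", "Origin")`, unless that already happens below the visible lines, so shared caches do not replay one origin's headers to another. The same applies to corsHandler in pkg/debugapi/cors.go. The handler body continues outside the hunk and checkOrigin is not shown, so this reading takes `o != "" && s.checkOrigin(r)` as the new side of the change.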
pkg/debugapi/cors.go
...
...
@@ -12,7 +12,7 @@ import (
// corsHandler sets CORS headers to HTTP response if allowed origins are configured.
func
(
s
*
Service
)
corsHandler
(
h
http
.
Handler
)
http
.
Handler
{
return
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
r
*
http
.
Request
)
{
if
o
:=
r
.
Header
.
Get
(
"Origin"
);
o
!=
""
&&
(
len
(
s
.
corsAllowedOrigins
)
==
0
||
checkOrigin
(
r
,
s
.
corsAllowedOrigins
)
)
{
if
o
:=
r
.
Header
.
Get
(
"Origin"
);
o
!=
""
&&
checkOrigin
(
r
,
s
.
corsAllowedOrigins
)
{
w
.
Header
()
.
Set
(
"Access-Control-Allow-Credentials"
,
"true"
)
w
.
Header
()
.
Set
(
"Access-Control-Allow-Origin"
,
o
)
w
.
Header
()
.
Set
(
"Access-Control-Allow-Headers"
,
"Origin, Accept, Authorization, Content-Type, X-Requested-With, Access-Control-Request-Headers, Access-Control-Request-Method"
)
...
...
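--- a/pkg/debugapi/cors_test.go
+++ b/pkg/debugapi/cors_test.go
@@ -60,6 +60,18 @@ func TestCORSHeaders(t *testing.T) {
 			allowedOrigins: []string{"*"},
 			wantCORS:       true,
 		},
+		{
+			name:           "with origin only",
+			origin:         "https://gateway.ethswarm.org",
+			allowedOrigins: nil,
+			wantCORS:       false,
+		},
+		{
+			name:           "with origin only not nil",
+			origin:         "https://gateway.ethswarm.org",
+			allowedOrigins: []string{},
+			wantCORS:       false,
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			testServer := newTestServer(t, testServerOptions{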