fix(cors): all origins could pass when allow_origins_by_metadata is set

apisix/plugins/cors.lua

@@ -341,15 +341,32 @@ function _M.header_filter(conf, ctx)
     local req_origin =  ctx.original_request_origin
     -- If allow_origins_by_regex is not nil, should be matched to it only
     local allow_origins
-    if conf.allow_origins_by_regex == nil then
-        allow_origins = process_with_allow_origins(
-            TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins, ctx, req_origin
+    local allow_origins_local = false
+    if conf.allow_origins_by_metadata then
+        allow_origins = process_with_allow_origins_by_metadata(
+            TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins_by_metadata, ctx, req_origin
         )
+        if not match_origins(req_origin, allow_origins) then
+            if conf.allow_origins and conf.allow_origins ~= "*" then
+                allow_origins_local = true
+            end
+        end
     else
-        allow_origins = process_with_allow_origins_by_regex(
-            TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins_by_regex,
-            conf, ctx, req_origin
-        )
+        allow_origins_local = true
+    end
+    if conf.allow_origins_by_regex == nil then
+        if allow_origins_local then
+            allow_origins = process_with_allow_origins(
+                TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins, ctx, req_origin
+            )
+        end
+    else
+        if allow_origins_local then
+            allow_origins = process_with_allow_origins_by_regex(
+                TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins_by_regex,
+                conf, ctx, req_origin
+            )
+        end
     end
     if not match_origins(req_origin, allow_origins) then
         allow_origins = process_with_allow_origins_by_metadata(

t/plugin/cors3.t

@@ -351,3 +351,72 @@ Access-Control-Allow-Headers: *
 Access-Control-Expose-Headers: *
 Access-Control-Max-Age: 5
 Access-Control-Allow-Credentials:
+
+
+
+=== TEST 13: set route (allow_origins_by_metadata specified and allow_origins * is invalid while set allow_origins_by_metadata)
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                    "plugins": {
+                        "cors": {
+                            "allow_origins": "*",
+                            "allow_origins_by_metadata": ["key_1"]
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 14: origin not match because allow_origins * invalid
+--- request
+GET /hello HTTP/1.1
+--- more_headers
+Origin: http://foo.example.org
+--- response_body
+hello world
+--- response_headers
+Access-Control-Allow-Origin:
+Access-Control-Allow-Methods:
+Access-Control-Allow-Headers:
+Access-Control-Expose-Headers:
+Access-Control-Max-Age:
+Access-Control-Allow-Credentials:
+
+
+
+=== TEST 15: origin matches with first allow_origins_by_metadata
+--- request
+GET /hello HTTP/1.1
+--- more_headers
+Origin: https://domain.com
+--- response_body
+hello world
+--- response_headers
+Access-Control-Allow-Origin: https://domain.com
+Access-Control-Allow-Methods: *
+Access-Control-Allow-Headers: *
+Access-Control-Expose-Headers: *
+Access-Control-Max-Age: 5
+Access-Control-Allow-Credentials: