Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use wildcard to match alloworigins #2389

Merged
merged 2 commits into from
Jan 4, 2024
Merged

use wildcard to match alloworigins #2389

merged 2 commits into from
Jan 4, 2024

Conversation

zhaohuabing
Copy link
Member

@zhaohuabing zhaohuabing commented Jan 2, 2024
edited

The current CORS api uses regex to match the allowed origins. This PR changes this behavior to use wildcard matching instead. Using wildcard matching is more intuitive and easier to use, and also aligns with the gateway api hostname matching.

before:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: cors
spec:
  cors:
    allowMethods:
    - GET
    - HEAD
    - PUT
    - PATCH
    - POST
    - DELETE
    allowOrigins:
    - type: RegularExpression
      value: .*\.example\.com
    allowCredentials: true
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: backend

after:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: cors
spec:
  cors:
    allowMethods:
    - GET
    - HEAD
    - PUT
    - PATCH
    - POST
    - DELETE
    allowOrigins:
    - https://*.example.com
    allowCredentials: true
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: backend

related:
#2350
#2312

@zhaohuabing zhaohuabing requested a review from a team as a code owner January 2, 2024 07:11
@zhaohuabing zhaohuabing marked this pull request as draft January 2, 2024 07:11
@zhaohuabing zhaohuabing force-pushed the cors-wildcard-origin branch 3 times, most recently from fbdea90 to 27431e3 Compare January 2, 2024 08:24
@codecov Codecov
Copy link

codecov bot commented Jan 2, 2024
edited

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (8c2112f) 64.68% compared to head (c33fda9) 64.65%.
Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2389      +/-   ##
==========================================
- Coverage   64.68%   64.65%   -0.04%     
==========================================
  Files         114      114              
  Lines       16618    16605      -13     
==========================================
- Hits        10750    10736      -14     
- Misses       5190     5193       +3     
+ Partials      678      676       -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@zhaohuabing zhaohuabing force-pushed the cors-wildcard-origin branch 8 times, most recently from 5814287 to 9a7d854 Compare January 2, 2024 13:57
@zhaohuabing zhaohuabing marked this pull request as ready for review January 2, 2024 15:03
@zhaohuabing zhaohuabing marked this pull request as draft January 2, 2024 15:04
@zhaohuabing zhaohuabing force-pushed the cors-wildcard-origin branch 3 times, most recently from c3648da to 16a6497 Compare January 3, 2024 02:08
@zhaohuabing zhaohuabing marked this pull request as ready for review January 3, 2024 02:11
@zhaohuabing
use wildcard to match alloworigins
07a1580 
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
arkodg
arkodg approved these changes Jan 3, 2024
View reviewed changes
Copy link
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks to simplifying this API field
adding a release-note tag so we highlight this breaking change in the release notes

@arkodg arkodg requested review from a team January 3, 2024 19:45
@arkodg arkodg added the release-note Indicates a required release note label Jan 3, 2024
@zirain zirain merged commit 0f430a9 into envoyproxy:main Jan 4, 2024
20 checks passed
@jaynis
Copy link
Contributor

jaynis commented Jan 12, 2024

Could it be that the validation pattern which has been added to the CRD in this MR prevents the allowance of requests from any origin, e.g. https://*? If so, was this intended?

@arkodg
Copy link
Contributor

arkodg commented Jan 12, 2024

hey @jaynis, thanks for root causing the issue :) can you raise a separate GH issue for this, outlining your use case

@jaynis
Copy link
Contributor

jaynis commented Jan 12, 2024
edited

Hi @arkodg. I can surely create a separate issue but I was wondering whether it might make sense to revert this PR altogether. I appreciate the effort which @zhaohuabing put into this PR and generally into this project but the implementation before featured regexes and therefore was much more powerful and closer to envoys implementation. This has been changed to a glob notation with a quite strict validation regex which only allows wildcarded subdomains. And internally this is converted back to a regex again. I do not consider this much of an improvement.

Also, it is debatable whether it makes sense to align the hostname validation with the CORS validation (which was one of the goals of this PR) because CORS is not a mere hostname but additionally contains the URI scheme and an optional port.

@zhaohuabing
Copy link
Member Author

@jaynis Thanks for the feedback, and sorry for the breaking API changes.
EG decided to use wildcard match to replace regex because we have already seen some users reporting issues with CORS because of the regex is not aligned with their existing experience and against their intuitive expectations while configuring CORS. For example, these two mentioned in this PR. #2350 and #2312

We are afraid that if we keep the regex, we will see more users reporting similar issues and we need to continue to debug and explain how to use regex to them. We think it is better to use wildcard match to avoid these issues.

Could you please help to provide more details about your use case? Could it be solved by wildcard match?

@jaynis
Copy link
Contributor

jaynis commented Jan 13, 2024

Thank you for this clarification @zhaohuabing 👍 . If this was a design decision based on community feedback I am totally fine with this implementation. I personally find regexes more intuitive, but this might be just my personal taste.

I will come up with a PR which extends the current wildcard approach with the functionality which I need and then we can discuss there whether it makes sense to merge it or not 😃 .

@arkodg
Copy link
Contributor

arkodg commented Jan 16, 2024

thanks @jaynis, I think relaxing CEL validation to support * makes sense, we just need to make sure we add another constraint of not allowing * to be set when Access-Control-Allow-Credentials is true
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing

@jaynis jaynis mentioned this pull request Jan 16, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zirain zirain zirain approved these changes

@arkodg arkodg arkodg approved these changes

Assignees
No one assigned
Labels
release-note Indicates a required release note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@zhaohuabing @jaynis @arkodg @zirain