Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fixe(domain): wildcard parse bug #106

Merged
merged 1 commit into from
Mar 6, 2024
Merged

fixe(domain): wildcard parse bug #106

merged 1 commit into from
Mar 6, 2024

Conversation

Hvitgar
Copy link
Contributor

@Hvitgar Hvitgar commented Jul 7, 2022

I think there is a bug in the parseWildcardRules function - if the wildcard is at the end of the origin string, the character right before the wildcard is cut off, leading to potentially unwanted matches, for instance https://example.com/* would also validate anything on https://example.community/*.

For verification, just execute the code below:

package main

import (
	"errors"
	"strings"
)

type Config struct {
	AllowWildcard bool
	AllowOrigins  []string
}

func (c Config) parseWildcardRules() [][]string {
	var wRules [][]string

	if !c.AllowWildcard {
		return wRules
	}

	for _, o := range c.AllowOrigins {
		if !strings.Contains(o, "*") {
			continue
		}

		if c := strings.Count(o, "*"); c > 1 {
			panic(errors.New("only one * is allowed").Error())
		}

		i := strings.Index(o, "*")
		if i == 0 {
			wRules = append(wRules, []string{"*", o[1:]})
			continue
		}
		if i == (len(o) - 1) {
			wRules = append(wRules, []string{o[:i-1], "*"})
			continue
		}

		wRules = append(wRules, []string{o[:i], o[i+1:]})
	}

	return wRules
}

func main() {
	c1 := Config{AllowWildcard: true, AllowOrigins: []string{
		"https://example.com/*",
		"https://example.com/*/helloWorld",
		"*/helloWorld",
	}}

	wrules := c1.parseWildcardRules()
	for i, wr := range wrules {
		println(c1.AllowOrigins[i] + " ->")
		println(wr[0])
		println(wr[1])
		println()
	}
}

which results in

https://example.com/* ->
https://example.com                 # incorrect, should be https://example.com/
*

https://example.com/*/helloWorld ->
https://example.com/
/helloWorld

*/helloWorld ->
*
/helloWorld

@Hvitgar
Copy link
Contributor Author

Hvitgar commented Jul 7, 2022

I just noticed that there is a PR open for this, however it is from 2019...so I will leave this open as a reminder

@jub0bs
Copy link

jub0bs commented Oct 25, 2022
edited
Loading

Note that Web origins do not contain a path. But I agree with you that a trailing wildcard is a terrible footgun; for instance, https://example.* would match Web origin https://example.attacker.com.

@ninogresenz
Copy link

ninogresenz commented Jan 24, 2023
edited
Loading

Hey, I just discovered this bug as well. Will this be merged or what's the status?
Even though Web origins do not contain a path, it leads to the situation where you configure https://example.* and it would match https://example-without-a-dot.com. Sure it's a footgun, but it's even worse as I would consider this an unwanted behavior.

@appleboy
Copy link
Member

I will take it.

@jub0bs
Copy link

jub0bs commented Nov 27, 2023

Relevant: https://jub0bs.com/posts/2023-02-08-fearless-cors/#disallow-dangerous-origin-patterns

@dm-godsend dm-godsend mentioned this pull request Feb 28, 2024
Closed
@aleksasiriski
Copy link

I just hit this bug, why isn't it merged yet?

@appleboy appleboy added the bug label Mar 6, 2024
@appleboy appleboy changed the title fixed wildcard parse bug fixe(domain): wildcard parse bug Mar 6, 2024
@appleboy appleboy merged commit 27b723a into gin-contrib:master Mar 6, 2024
@appleboy appleboy mentioned this pull request Mar 6, 2024
Merged
appleboy added a commit that referenced this pull request Mar 6, 2024
@appleboy
test(cors): enhance CORS wildcard handling tests (#145)
90a7c66 
- Import the `reflect` package in `cors_test.go`
- Add new test cases for parsing wildcard rules in CORS configuration
- Implement tests to check for panic on multiple wildcards and validate expected results for various wildcard scenarios

ref: #106

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
@appleboy appleboy mentioned this pull request Mar 6, 2024
Closed
@maxshine
Copy link

maxshine commented Mar 6, 2024

It is interesting my five years aged PR #57 with the exactly same fix was closed without any endorsements.. lol

@Hvitgar
Copy link
Contributor Author

Hvitgar commented Mar 7, 2024

I am sorry @maxshine, my PR was not meant to take your contribution away. I only realised after I'd written the PR that you wrote one with the exact same fix

@maxshine
Copy link

maxshine commented Mar 8, 2024
edited
Loading

I am sorry @maxshine, my PR was not meant to take your contribution away. I only realised after I'd written the PR that you wrote one with the exact same fix

@Hvitgar Believe me I understand it is not about your contribution coincides with mine which was ready there for long time.

I just hope this repo owner / maintainers would be able to do their job in a smart way. 😂

@appleboy
Copy link
Member

appleboy commented Mar 8, 2024

@maxshine, I apologize for not noticing that a similar PR had already been submitted when I was reviewing this PR. This was an oversight on my part, and I will be more careful in the future.

@appleboy
Copy link
Member

appleboy commented Mar 8, 2024
edited
Loading

@maxshine I updated the release note v1.6.0 release note that put the both of @Hvitgar and @maxshine in the list.

image

@GoVulnBot GoVulnBot mentioned this pull request Jun 29, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Hvitgar @jub0bs @ninogresenz @appleboy @aleksasiriski @maxshine