This is an automated email from the ASF dual-hosted git repository. monkeydluffy pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new bc000a9c0 fix(cors): all origins could pass when allow_origins_by_metadata is set (#10948)
bc000a9c0 is described below
commit bc000a9c0001732ce6b53e7f81f9407d25832c26
Author: xiangwei meng <1031205...@qq.com>
AuthorDate: Mon Feb 26 14:24:18 2024 +0800
fix(cors): all origins could pass when allow_origins_by_metadata is set (#10948)
---
apisix/plugins/cors.lua | 31 +++++++++++++++++-----
t/plugin/cors3.t | 69 +++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 93 insertions(+), 7 deletions(-)
diff --git a/apisix/plugins/cors.lua b/apisix/plugins/cors.lua
index 94f54683e..869775e5f 100644
--- a/apisix/plugins/cors.lua
+++ b/apisix/plugins/cors.lua
@@ -341,15 +341,32 @@ function _M.header_filter(conf, ctx)
 local req_origin = ctx.original_request_origin
 -- If allow_origins_by_regex is not nil, should be matched to it only
 local allow_origins
- if conf.allow_origins_by_regex == nil then
- allow_origins = process_with_allow_origins(
- TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins, ctx, req_origin
+ local allow_origins_local = false
+ if conf.allow_origins_by_metadata then
+ allow_origins = process_with_allow_origins_by_metadata(
+ TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins_by_metadata, ctx, req_origin
 )
+ if not match_origins(req_origin, allow_origins) then
+ if conf.allow_origins and conf.allow_origins ~= "*" then
+ allow_origins_local = true
+ end
+ end
 else
- allow_origins = process_with_allow_origins_by_regex(
- TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins_by_regex,
- conf, ctx, req_origin
- )
+ allow_origins_local = true
+ end
+ if conf.allow_origins_by_regex == nil then
+ if allow_origins_local then
+ allow_origins = process_with_allow_origins(
+ TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins, ctx, req_origin
+ )
+ end
+ else
+ if allow_origins_local then
+ allow_origins = process_with_allow_origins_by_regex(
+ TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins_by_regex,
+ conf, ctx, req_origin
+ )
+ end
 end
 if not match_origins(req_origin, allow_origins) then
 allow_origins = process_with_allow_origins_by_metadata(
diff --git a/t/plugin/cors3.t b/t/plugin/cors3.t
index ae68dec3f..94e861091 100644
--- a/t/plugin/cors3.t
+++ b/t/plugin/cors3.t
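Review bot: The guard `if conf.allow_origins and conf.allow_origins ~= "*" then` is the only place that sets `allow_origins_local`, and that one flag then gates both the `process_with_allow_origins` and the `process_with_allow_origins_by_regex` branches below it; a route that combines `allow_origins_by_metadata` with `allow_origins_by_regex` while leaving `allow_origins` at what is presumably its `"*"` default therefore never evaluates the regex list, although the removed code consulted the regex list whenever that field was set. If that coupling is unintended, the regex case should enable the fallback on its own, e.g. `if conf.allow_origins_by_regex ~= nil or (conf.allow_origins and conf.allow_origins ~= "*") then`. The same comparison excludes only the literal `"*"`; if this plugin also accepts `"**"` as an allow-all spelling, that value still slips past the new restriction and deserves the same treatment plus a test. The trailing context `if not match_origins(req_origin, allow_origins) then` re-runs the `process_with_allow_origins_by_metadata` lookup that the top of the hunk already performed, so the flag's intent is worth stating with a comment such as `-- allow_origins_local: consult the static allow_origins / allow_origins_by_regex lists only when no metadata list is set, or metadata did not match and allow_origins is not the catch-all "*"`. header_filter starts before and continues after this hunk.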
@@ -351,3 +351,72 @@ Access-Control-Allow-Headers: *
 Access-Control-Expose-Headers: *
 Access-Control-Max-Age: 5
 Access-Control-Allow-Credentials:
+
+
+
+=== TEST 13: set route (allow_origins_by_metadata specified and allow_origins * is invalid while set allow_origins_by_metadata)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "cors": {
+ "allow_origins": "*",
+ "allow_origins_by_metadata": ["key_1"]
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/hello"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 14: origin not match because allow_origins * invalid
+--- request
+GET /hello HTTP/1.1
+--- more_headers
+Origin: http://foo.example.org
+--- response_body
+hello world
+--- response_headers
+Access-Control-Allow-Origin:
+Access-Control-Allow-Methods:
+Access-Control-Allow-Headers:
+Access-Control-Expose-Headers:
+Access-Control-Max-Age:
+Access-Control-Allow-Credentials:
+
+
+
+=== TEST 15: origin matches with first allow_origins_by_metadata
+--- request
+GET /hello HTTP/1.1
+--- more_headers
+Origin: https://domain.com
+--- response_body
+hello world
+--- response_headers
+Access-Control-Allow-Origin: https://domain.com
+Access-Control-Allow-Methods: *
+Access-Control-Allow-Headers: *
+Access-Control-Expose-Headers: *
+Access-Control-Max-Age: 5
+Access-Control-Allow-Credentials:
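Review bot: TEST 13–15 only exercise the pair `"allow_origins": "*"` plus `"allow_origins_by_metadata": ["key_1"]`, so the two other paths the reworked header_filter introduces stay untested: metadata set together with `allow_origins_by_regex`, and metadata set with a concrete non-`"*"` `allow_origins` whose listed origin should still be admitted after the metadata check fails. A further case with `"allow_origins_by_regex"` alongside `"allow_origins_by_metadata"` and an Origin that matches only the regex would pin whichever behaviour is intended for that combination. TEST 15's expected `Access-Control-Allow-Origin: https://domain.com` presumably relies on plugin metadata for `key_1` configured by an earlier test outside this hunk; naming that dependency in the test title would help readers.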