This is an automated email from the ASF dual-hosted git repository.

tzssangglass pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 391a2d3  feat(cors): validate allow_origins (#4757)
391a2d3 is described below

commit 391a2d3e40578b15127c4b2f5f26af7156721a2f
Author: 罗泽轩 <[email protected]>
AuthorDate: Fri Aug 6 18:05:35 2021 +0800

    feat(cors): validate allow_origins (#4757)
    
    Fix #4717
    
    Signed-off-by: spacewander <[email protected]>
---
 apisix/plugins/cors.lua            |  1 +
 t/config-center-yaml/global-rule.t |  2 +-
 t/plugin/cors.t                    |  4 +-
 t/plugin/cors2.t                   | 91 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 95 insertions(+), 3 deletions(-)

diff --git a/apisix/plugins/cors.lua b/apisix/plugins/cors.lua
index 4b0b7c4..173c176 100644
--- a/apisix/plugins/cors.lua
+++ b/apisix/plugins/cors.lua
@@ -37,6 +37,7 @@ local schema = {
                 "'**' to allow forcefully(it will bring some security risks, 
be carefully)," ..
                 "multiple origin use ',' to split. default: *.",
             type = "string",
+            pattern = [[^(\*|\*\*|null|\w+://[^,]+(,\w+://[^,]+)*)$]],
             default = "*"
         },
         allow_methods = {
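Review bot: The new `pattern` on allow_origins makes a scheme mandatory for each origin, but the field's description a few lines above still only says "multiple origin use ',' to split"; it should mention the requirement, e.g. `"multiple origin use ',' to split, each with a scheme such as http://a.com. default: *."`. The class `[^,]+` also admits whitespace and other non-origin characters, so `https://x.com ,http://y.com` (space before the comma) still passes the schema; `[^,\s]+` would close that, assuming the engine that already handles `\w` here accepts `\s`. Note too that `null` is only accepted on its own and not inside a comma-separated list, which is worth a word in the description if intentional. The enclosing `schema` table starts and ends outside the hunk.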
diff --git a/t/config-center-yaml/global-rule.t 
b/t/config-center-yaml/global-rule.t
index 67bc24a..2621a69 100644
--- a/t/config-center-yaml/global-rule.t
+++ b/t/config-center-yaml/global-rule.t
@@ -122,7 +122,7 @@ global_rules:
         id: 1
         plugins:
             cors:
-                allow_origins: "a.com,b.com"
+                allow_origins: "http://a.com,http://b.com";
 #END
 --- request
 GET /apisix/prometheus/metrics
diff --git a/t/plugin/cors.t b/t/plugin/cors.t
index 8c561e7..eef790d 100644
--- a/t/plugin/cors.t
+++ b/t/plugin/cors.t
@@ -30,7 +30,7 @@ __DATA__
         content_by_lua_block {
             local plugin = require("apisix.plugins.cors")
             local ok, err = plugin.check_schema({
-                allow_origins = '',
+                allow_origins = 'http://test.com',
                 allow_methods = '',
                 allow_headers = '',
                 expose_headers = '',
@@ -59,7 +59,7 @@ done
         content_by_lua_block {
             local plugin = require("apisix.plugins.cors")
             local ok, err = plugin.check_schema({
-                allow_origins = '',
+                allow_origins = 'http://test.com',
                 allow_methods = '',
                 allow_headers = '',
                 expose_headers = '',
diff --git a/t/plugin/cors2.t b/t/plugin/cors2.t
new file mode 100644
index 0000000..67f6d6b
--- /dev/null
+++ b/t/plugin/cors2.t
@@ -0,0 +1,91 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+no_shuffle();
+log_level("info");
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    if (!$block->request) {
+        $block->set_value("request", "GET /t");
+    }
+
+    if (!$block->no_error_log && !$block->error_log) {
+        $block->set_value("no_error_log", "[error]\n[alert]");
+    }
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: validate allow_origins
+--- config
+    location /t {
+        content_by_lua_block {
+            local plugin = require("apisix.plugins.cors")
+            local function validate(val)
+                local conf = {}
+                conf.allow_origins = val
+                return plugin.check_schema(conf)
+            end
+
+            local good = {
+                "*",
+                "**",
+                "null",
+                "http://y.com.uk";,
+                "https://x.com";,
+                "https://x.com,http://y.com.uk";,
+                "https://x.com,http://y.com.uk,http://c.tv";,
+                "https://x.com,http://y.com.uk:12000,http://c.tv";,
+            }
+            for _, g in ipairs(good) do
+                local ok, err = validate(g)
+                if not ok then
+                    ngx.say("failed to validate ", g, ", ", err)
+                end
+            end
+
+            local bad = {
+                "",
+                "*a",
+                "*,http://y.com";,
+                "nulll",
+                "http//y.com.uk",
+                "x.com",
+                "https://x.com,y.com.uk";,
+                "https://x.com,*,https://y.com.uk";,
+                "https://x.com,http://y.com.uk,http:c.tv";,
+            }
+            for _, b in ipairs(bad) do
+                local ok, err = validate(b)
+                if ok then
+                    ngx.say("failed to reject ", b)
+                end
+            end
+
+            ngx.say("done")
+        }
+    }
+--- response_body
+done
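Review bot: The bad list in TEST 1 has no case with whitespace inside an origin, such as `"https://x.com ,http://y.com"`; as far as the pattern's `[^,]+` goes this value is accepted, so the test does not show whether that is intended. Adding it to one of the two lists pins the behaviour either way (bad if the pattern is tightened, good if stray whitespace is tolerated on purpose). The good list could likewise exercise an origin with a trailing slash or path, e.g. `"https://x.com/"`, which the pattern admits; whether the later Origin comparison handles that cannot be told from this diff.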
