mirror of
https://github.com/labstack/echo.git
synced 2024-12-24 20:14:31 +02:00
Merge pull request #1623 from KlotzAndrew/cors_regex
cors allow regex pattern
This commit is contained in:
commit
bcb316500e
@ -2,6 +2,7 @@ package middleware
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"regexp"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
@ -76,6 +77,15 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
|
||||
config.AllowMethods = DefaultCORSConfig.AllowMethods
|
||||
}
|
||||
|
||||
allowOriginPatterns := []string{}
|
||||
for _, origin := range config.AllowOrigins {
|
||||
pattern := regexp.QuoteMeta(origin)
|
||||
pattern = strings.Replace(pattern, "\\*", ".*", -1)
|
||||
pattern = strings.Replace(pattern, "\\?", ".", -1)
|
||||
pattern = "^" + pattern + "$"
|
||||
allowOriginPatterns = append(allowOriginPatterns, pattern)
|
||||
}
|
||||
|
||||
allowMethods := strings.Join(config.AllowMethods, ",")
|
||||
allowHeaders := strings.Join(config.AllowHeaders, ",")
|
||||
exposeHeaders := strings.Join(config.ExposeHeaders, ",")
|
||||
@ -108,6 +118,26 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
|
||||
}
|
||||
}
|
||||
|
||||
// Check allowed origin patterns
|
||||
for _, re := range allowOriginPatterns {
|
||||
if allowOrigin == "" {
|
||||
didx := strings.Index(origin, "://")
|
||||
if didx == -1 {
|
||||
continue
|
||||
}
|
||||
domAuth := origin[didx+3:]
|
||||
// to avoid regex cost by invalid long domain
|
||||
if len(domAuth) > 253 {
|
||||
break
|
||||
}
|
||||
|
||||
if match, _ := regexp.MatchString(re, origin); match {
|
||||
allowOrigin = origin
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Simple request
|
||||
if req.Method != http.MethodOptions {
|
||||
res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
|
||||
|
@ -83,3 +83,141 @@ func TestCORS(t *testing.T) {
|
||||
h(c)
|
||||
assert.Equal(t, "http://bbb.example.com", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
||||
}
|
||||
|
||||
func Test_allowOriginScheme(t *testing.T) {
|
||||
tests := []struct {
|
||||
domain, pattern string
|
||||
expected bool
|
||||
}{
|
||||
{
|
||||
domain: "http://example.com",
|
||||
pattern: "http://example.com",
|
||||
expected: true,
|
||||
},
|
||||
{
|
||||
domain: "https://example.com",
|
||||
pattern: "https://example.com",
|
||||
expected: true,
|
||||
},
|
||||
{
|
||||
domain: "http://example.com",
|
||||
pattern: "https://example.com",
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
domain: "https://example.com",
|
||||
pattern: "http://example.com",
|
||||
expected: false,
|
||||
},
|
||||
}
|
||||
|
||||
e := echo.New()
|
||||
for _, tt := range tests {
|
||||
req := httptest.NewRequest(http.MethodOptions, "/", nil)
|
||||
rec := httptest.NewRecorder()
|
||||
c := e.NewContext(req, rec)
|
||||
req.Header.Set(echo.HeaderOrigin, tt.domain)
|
||||
cors := CORSWithConfig(CORSConfig{
|
||||
AllowOrigins: []string{tt.pattern},
|
||||
})
|
||||
h := cors(echo.NotFoundHandler)
|
||||
h(c)
|
||||
|
||||
if tt.expected {
|
||||
assert.Equal(t, tt.domain, rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
||||
} else {
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func Test_allowOriginSubdomain(t *testing.T) {
|
||||
tests := []struct {
|
||||
domain, pattern string
|
||||
expected bool
|
||||
}{
|
||||
{
|
||||
domain: "http://aaa.example.com",
|
||||
pattern: "http://*.example.com",
|
||||
expected: true,
|
||||
},
|
||||
{
|
||||
domain: "http://bbb.aaa.example.com",
|
||||
pattern: "http://*.example.com",
|
||||
expected: true,
|
||||
},
|
||||
{
|
||||
domain: "http://bbb.aaa.example.com",
|
||||
pattern: "http://*.aaa.example.com",
|
||||
expected: true,
|
||||
},
|
||||
{
|
||||
domain: "http://aaa.example.com:8080",
|
||||
pattern: "http://*.example.com:8080",
|
||||
expected: true,
|
||||
},
|
||||
|
||||
{
|
||||
domain: "http://fuga.hoge.com",
|
||||
pattern: "http://*.example.com",
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
domain: "http://ccc.bbb.example.com",
|
||||
pattern: "http://*.aaa.example.com",
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
domain: `http://1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890\
|
||||
.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890\
|
||||
.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890\
|
||||
.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.example.com`,
|
||||
pattern: "http://*.example.com",
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
domain: `http://1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.example.com`,
|
||||
pattern: "http://*.example.com",
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
domain: "http://ccc.bbb.example.com",
|
||||
pattern: "http://example.com",
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
domain: "https://prod-preview--aaa.bbb.com",
|
||||
pattern: "https://*--aaa.bbb.com",
|
||||
expected: true,
|
||||
},
|
||||
{
|
||||
domain: "http://ccc.bbb.example.com",
|
||||
pattern: "http://*.example.com",
|
||||
expected: true,
|
||||
},
|
||||
{
|
||||
domain: "http://ccc.bbb.example.com",
|
||||
pattern: "http://foo.[a-z]*.example.com",
|
||||
expected: false,
|
||||
},
|
||||
}
|
||||
|
||||
e := echo.New()
|
||||
for _, tt := range tests {
|
||||
req := httptest.NewRequest(http.MethodOptions, "/", nil)
|
||||
rec := httptest.NewRecorder()
|
||||
c := e.NewContext(req, rec)
|
||||
req.Header.Set(echo.HeaderOrigin, tt.domain)
|
||||
cors := CORSWithConfig(CORSConfig{
|
||||
AllowOrigins: []string{tt.pattern},
|
||||
})
|
||||
h := cors(echo.NotFoundHandler)
|
||||
h(c)
|
||||
|
||||
if tt.expected {
|
||||
assert.Equal(t, tt.domain, rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
||||
} else {
|
||||
assert.Equal(t, "", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user