fix(middleware/cors): Validation of multiple Origins (#2883)

* fix: allow origins check Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic. fixes #2882 * test: AllowOrigins with whitespace * test(middleware/cors): add benchmarks * chore: fix linter errors * test(middleware/cors): use h() instead of app.Test() * test(middleware/cors): add miltiple origins in Test_CORS_AllowOriginScheme * chore: refactor validate and normalize * test(cors/middleware): add more benchmarks
gofiber · Mar 1, 2024 · d456e7d · d456e7d
1 parent ddc6b23
commit d456e7d
Show file tree

Hide file tree

Showing 2 changed files with 513 additions and 15 deletions.
diff --git a/middleware/cors/cors.go b/middleware/cors/cors.go
@@ -113,24 +113,32 @@ func New(config ...Config) fiber.Handler {
 		panic("[CORS] Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard.")
 	}
 
-	// Validate and normalize static AllowOrigins if not using AllowOriginsFunc
-	if cfg.AllowOriginsFunc == nil && cfg.AllowOrigins != "" && cfg.AllowOrigins != "*" {
-		validatedOrigins := []string{}
-		for _, origin := range strings.Split(cfg.AllowOrigins, ",") {
-			isValid, normalizedOrigin := normalizeOrigin(origin)
+	// allowOrigins is a slice of strings that contains the allowed origins
+	// defined in the 'AllowOrigins' configuration.
+	var allowOrigins []string
+
+	// Validate and normalize static AllowOrigins
+	if cfg.AllowOrigins != "" && cfg.AllowOrigins != "*" {
+		origins := strings.Split(cfg.AllowOrigins, ",")
+		allowOrigins = make([]string, len(origins))
+
+		for i, origin := range origins {
+			trimmedOrigin := strings.TrimSpace(origin)
+			isValid, normalizedOrigin := normalizeOrigin(trimmedOrigin)
+
 			if isValid {
-				validatedOrigins = append(validatedOrigins, normalizedOrigin)
+				allowOrigins[i] = normalizedOrigin
 			} else {
-				log.Warnf("[CORS] Invalid origin format in configuration: %s", origin)
+				log.Warnf("[CORS] Invalid origin format in configuration: %s", trimmedOrigin)
 				panic("[CORS] Invalid origin provided in configuration")
 			}
 		}
-		cfg.AllowOrigins = strings.Join(validatedOrigins, ",")
+	} else {
+		// If AllowOrigins is set to a wildcard or not set,
+		// set allowOrigins to a slice with a single element
+		allowOrigins = []string{cfg.AllowOrigins}
 	}
 
-	// Convert string to slice
-	allowOrigins := strings.Split(strings.ReplaceAll(cfg.AllowOrigins, " ", ""), ",")
-
 	// Strip white spaces
 	allowMethods := strings.ReplaceAll(cfg.AllowMethods, " ", "")
 	allowHeaders := strings.ReplaceAll(cfg.AllowHeaders, " ", "")
@@ -165,10 +173,8 @@ func New(config ...Config) fiber.Handler {
 		// Run AllowOriginsFunc if the logic for
 		// handling the value in 'AllowOrigins' does
 		// not result in allowOrigin being set.
-		if allowOrigin == "" && cfg.AllowOriginsFunc != nil {
-			if cfg.AllowOriginsFunc(originHeader) {
-				allowOrigin = originHeader
-			}
+		if allowOrigin == "" && cfg.AllowOriginsFunc != nil && cfg.AllowOriginsFunc(originHeader) {
+			allowOrigin = originHeader
 		}
 
 		// Simple request