[#226] Improve CORS validation

Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>
This commit is contained in:
Marina Biryukova 2025-04-30 16:06:04 +03:00
parent 96a22d98f2
commit 871ae5d763
3 changed files with 115 additions and 0 deletions


@ -176,6 +176,55 @@ func TestPreflight(t *testing.T) {
},
status: fasthttp.StatusBadRequest,
},
{
name: "invalid allowed origin",
corsConfig: &data.CORSConfiguration{
CORSRules: []data.CORSRule{
{
AllowedOrigins: []string{"*.example.*"},
AllowedMethods: []string{"HEAD"},
},
},
},
requestHeaders: map[string]string{
fasthttp.HeaderOrigin: "http://www.example.com",
fasthttp.HeaderAccessControlRequestMethod: "HEAD",
},
expectedHeaders: map[string]string{
fasthttp.HeaderAccessControlAllowOrigin: "",
fasthttp.HeaderAccessControlAllowMethods: "",
fasthttp.HeaderAccessControlAllowHeaders: "",
fasthttp.HeaderAccessControlExposeHeaders: "",
fasthttp.HeaderAccessControlMaxAge: "",
fasthttp.HeaderAccessControlAllowCredentials: "",
},
status: fasthttp.StatusForbidden,
},
{
name: "invalid allowed header",
corsConfig: &data.CORSConfiguration{
CORSRules: []data.CORSRule{
{
AllowedOrigins: []string{"*example.com"},
AllowedMethods: []string{"HEAD"},
AllowedHeaders: []string{"x-amz-*-*"},
},
},
},
requestHeaders: map[string]string{
fasthttp.HeaderOrigin: "http://www.example.com",
fasthttp.HeaderAccessControlRequestMethod: "HEAD",
},
expectedHeaders: map[string]string{
fasthttp.HeaderAccessControlAllowOrigin: "",
fasthttp.HeaderAccessControlAllowMethods: "",
fasthttp.HeaderAccessControlAllowHeaders: "",
fasthttp.HeaderAccessControlExposeHeaders: "",
fasthttp.HeaderAccessControlMaxAge: "",
fasthttp.HeaderAccessControlAllowCredentials: "",
},
status: fasthttp.StatusForbidden,
},
} {
t.Run(tc.name, func(t *testing.T) {
if tc.corsConfig != nil {
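Review bot: The "invalid allowed header" preflight case never sends `Access-Control-Request-Headers` (the request map at the `requestHeaders:` entry after the `x-amz-*-*` rule holds only Origin and Access-Control-Request-Method), so the `x-amz-*-*` pattern is never compared against anything and the 403 can only come from the configuration being rejected as a whole; the case therefore proves config-level validation, not that a multi-wildcard header pattern is refused at match time. Either add `fasthttp.HeaderAccessControlRequestHeaders: "x-amz-date",` (sample value) to that request map so the header-matching path is exercised as well, or rename the case to something like "invalid allowed header pattern rejects config" so the intent is explicit. It is also worth a sibling case where the malformed rule is the second of two rules, to pin down that one bad rule disqualifies the whole configuration rather than only that rule; the same applies to the second hunk in TestSetCORSHeaders. Both new cases repeat an identical all-empty expectedHeaders map; a shared `noCORSHeaders` variable would make the "no CORS headers leak on rejection" expectation read as one assertion. TestPreflight begins and ends outside this hunk.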
@ -328,6 +377,47 @@ func TestSetCORSHeaders(t *testing.T) {
fasthttp.HeaderAccessControlAllowCredentials: "",
},
},
{
name: "invalid allowed origin",
corsConfig: &data.CORSConfiguration{
CORSRules: []data.CORSRule{
{
AllowedOrigins: []string{"*.example.*"},
AllowedMethods: []string{"GET"},
},
},
},
requestHeaders: map[string]string{
fasthttp.HeaderOrigin: "http://www.example.com",
},
expectedHeaders: map[string]string{
fasthttp.HeaderAccessControlAllowOrigin: "",
fasthttp.HeaderAccessControlAllowMethods: "",
fasthttp.HeaderVary: "",
fasthttp.HeaderAccessControlAllowCredentials: "",
},
},
{
name: "invalid allowed header",
corsConfig: &data.CORSConfiguration{
CORSRules: []data.CORSRule{
{
AllowedOrigins: []string{"*example.com"},
AllowedMethods: []string{"GET"},
AllowedHeaders: []string{"x-amz-*-*"},
},
},
},
requestHeaders: map[string]string{
fasthttp.HeaderOrigin: "http://www.example.com",
},
expectedHeaders: map[string]string{
fasthttp.HeaderAccessControlAllowOrigin: "",
fasthttp.HeaderAccessControlAllowMethods: "",
fasthttp.HeaderVary: "",
fasthttp.HeaderAccessControlAllowCredentials: "",
},
},
} {
t.Run(tc.name, func(t *testing.T) {
epoch++
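Review bot: In TestSetCORSHeaders the "invalid allowed header" case is an actual (non-preflight) request, which by construction carries no Access-Control-Request-Headers, so AllowedHeaders cannot influence the outcome here and the empty expected headers are satisfied only if the configuration itself is rejected; the case name should say that, e.g. `name: "config with invalid allowed header pattern is rejected",`, otherwise a reader may assume header matching is under test. The expectation also relies on every CORS header (including `Vary`) being absent after rejection, which is the right defensive outcome, but a short comment on the expectedHeaders map such as `// rejected config must leave the response free of any CORS header` would record why all values are empty. TestSetCORSHeaders begins and ends outside this hunk.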