CORS middleware should compile allowOrigin regexp at creation.

Note: this changes MW behaviour - previously invalid regexps would cause allow origin check to fail, but now if there is a invalid AllowOrigin regexp panic will be raised during middleware creation.
labstack · Nov 21, 2024 · bab09db · bab09db
1 parent 5d98929
commit bab09db
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -31,6 +31,6 @@ benchmark: ## Run benchmarks
 help: ## Display this help screen
 	@grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
-goversion ?= "1.19"
-test_version: ## Run tests inside Docker with given version (defaults to 1.19 oldest supported). Example: make test_version goversion=1.19
+goversion ?= "1.20"
+test_version: ## Run tests inside Docker with given version (defaults to 1.20 oldest supported). Example: make test_version goversion=1.20
 	@docker run --rm -it -v $(shell pwd):/project golang:$(goversion) /bin/sh -c "cd /project && make init check"
diff --git a/middleware/cors.go b/middleware/cors.go
@@ -4,6 +4,7 @@
 package middleware
 
 import (
+	"fmt"
 	"net/http"
 	"regexp"
 	"strconv"
@@ -147,13 +148,18 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 		config.AllowMethods = DefaultCORSConfig.AllowMethods
 	}
 
-	allowOriginPatterns := []string{}
+	allowOriginPatterns := make([]*regexp.Regexp, 0, len(config.AllowOrigins))
 	for _, origin := range config.AllowOrigins {
 		pattern := regexp.QuoteMeta(origin)
 		pattern = strings.ReplaceAll(pattern, "\\*", ".*")
 		pattern = strings.ReplaceAll(pattern, "\\?", ".")
 		pattern = "^" + pattern + "$"
-		allowOriginPatterns = append(allowOriginPatterns, pattern)
+
+		re, err := regexp.Compile(pattern)
+		if err != nil {
+			panic(fmt.Errorf("echo: invalid AllowOrigins regexp, err: %w", err))
+		}
+		allowOriginPatterns = append(allowOriginPatterns, re)
 	}
 
 	allowMethods := strings.Join(config.AllowMethods, ",")
@@ -239,7 +245,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 				}
 				if checkPatterns {
 					for _, re := range allowOriginPatterns {
-						if match, _ := regexp.MatchString(re, origin); match {
+						if match := re.MatchString(origin); match {
 							allowOrigin = origin
 							break
 						}

diff --git a/middleware/cors_test.go b/middleware/cors_test.go
@@ -671,3 +671,11 @@ func Test_allowOriginFunc(t *testing.T) {
 		}
 	}
 }
+
+func TestInvalidAllowOriginsAtCreationPanics(t *testing.T) {
+	assert.Panics(t, func() {
+		CORSWithConfig(CORSConfig{
+			AllowOrigins: []string{"\xff"}, // Invalid UTF-8
+		})
+	})
+}