-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(apigateway): allowedOrigins are incorrectly interpreted as regexes #26648
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good call, but this change will break everyone who is aware that the field accepts a regex and relies on it.
Better to add a new field, maybe called allowedOriginsLiteral
(or something) and document that the current one accepts regexes.
Note that the first origin in the array is not treated as a regex, only additional ones starting from the second item. Combined with the fact the documentation doesn't mention regexes anywhere, IMHO the fact that it ever treated some of the input as regexes was a bug and not something that needs to be kept for backwards compatibility. |
This confused me for a bit, but I now see that the code is modal. It's not between the first and other elements, but it's between a singleton array and an array with multiple elements. Those get treated differently, and in the multiple elements case all elements get treated as regexes. Given that, I'm inclined to agree with you. |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Allowed origins for CORS preflight were treated like regular expressions in the checking condition.
For example, with this spec:
Calling:
The response header would include the header (allowing the invalid origin from the request):
This fix solves the issue.
Closes #26623.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license