
fix(apigateway): allowedOrigins are incorrectly interpreted as regexes #26648

Merged
merged 4 commits into from
Aug 10, 2023

Conversation

lpizzinidev
Contributor

Allowed origins for CORS preflight were treated like regular expressions in the checking condition.

For example, with this spec:

import * as apigateway from 'aws-cdk-lib/aws-apigateway';

// `this` is the Stack (or other Construct) the API is defined in
new apigateway.RestApi(this, 'api', {
  defaultCorsPreflightOptions: {
    allowOrigins: ['https://www.firstorigin.com', 'https://www.secondorigin.com'],
  },
})
  .root
  .addResource('hello')
  .addMethod('GET', new apigateway.MockIntegration({}));

Calling:

http OPTIONS https://xxx.execute-api.xxx.amazonaws.com/prod/hello "Origin: https://wwwXsecondorigin.com"

The response would include the following header (allowing the invalid origin from the request):

Access-Control-Allow-Origin: https://wwwXsecondorigin.com

This fix solves the issue.

Closes #26623.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team August 6, 2023 08:41
@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 star-contributor [Pilot] contributed between 25-49 PRs to the CDK labels Aug 6, 2023
Contributor

@rix0rrr rix0rrr left a comment


Good call, but this change will break everyone who is aware that the field accepts a regex and relies on it.

Better to add a new field, maybe called allowedOriginsLiteral (or something) and document that the current one accepts regexes.

@cyraxx

cyraxx commented Aug 7, 2023

Note that the first origin in the array is not treated as a regex, only additional ones starting from the second item.

Combined with the fact the documentation doesn't mention regexes anywhere, IMHO the fact that it ever treated some of the input as regexes was a bug and not something that needs to be kept for backwards compatibility.

@rix0rrr
Contributor

rix0rrr commented Aug 10, 2023

Note that the first origin in the array is not treated as a regex, only additional ones starting from the second item.

This confused me for a bit, but I now see that the code is modal. It's not between the first and other elements, but it's between a singleton array and an array with multiple elements. Those get treated differently, and in the multiple elements case all elements get treated as regexes.

Given that, I'm inclined to agree with you.
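The following is an added illustration, not code from aws-cdk or from anyone in this thread. It models the behaviour described in the PR description and in the comment above: a list of allowed origins joined with `|` and used as a regular expression lets an unescaped `.` match any character, so `https://wwwXsecondorigin.com` satisfies the check, while a singleton list is compared literally (the modal behaviour rix0rrr describes). The `isAllowedLegacy` model, the whole-string match and the two literal-safe alternatives (exact comparison and regex-escaping) are assumptions for illustration, not a description of the patch itself.

```typescript
// Added illustration (not aws-cdk code): how a list of allowed origins behaves when
// the CORS preflight check treats it as a regular expression versus a literal value.

// Origins from the PR description (constructed test data).
const ALLOWED = ['https://www.firstorigin.com', 'https://www.secondorigin.com'];

// Model of the pre-fix check (assumption: origins joined with '|' and matched as a
// whole-string regex when there are several; a single origin compared literally).
// An unescaped '.' in the pattern matches any character, so 'wwwXsecondorigin' passes.
function isAllowedLegacy(origin: string, allowOrigins: string[]): boolean {
  if (allowOrigins.length === 1) {
    return origin === allowOrigins[0];
  }
  const pattern = new RegExp(`^(?:${allowOrigins.join('|')})$`);
  return pattern.test(origin);
}

// Literal check: the Origin header must equal one of the configured values exactly.
function isAllowedLiteral(origin: string, allowOrigins: string[]): boolean {
  return allowOrigins.includes(origin);
}

// Alternative that keeps a regex-based condition but escapes metacharacters first,
// so each configured string matches only itself.
function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function isAllowedEscaped(origin: string, allowOrigins: string[]): boolean {
  const pattern = new RegExp(`^(?:${allowOrigins.map(escapeRegExp).join('|')})$`);
  return pattern.test(origin);
}

// Side-by-side outcome for one Origin header value.
function compare(origin: string, allowOrigins: string[] = ALLOWED) {
  return {
    legacy: isAllowedLegacy(origin, allowOrigins),
    literal: isAllowedLiteral(origin, allowOrigins),
    escaped: isAllowedEscaped(origin, allowOrigins),
  };
}

for (const o of ['https://www.secondorigin.com', 'https://wwwXsecondorigin.com']) {
  console.log(o, compare(o));
}
```

Running it shows the configured origin accepted by all three checks, while the one-character variant is accepted only by the legacy regex model; with a single configured origin the legacy model rejects it too, which is the inconsistency the thread discusses.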

rix0rrr
rix0rrr previously approved these changes Aug 10, 2023
@rix0rrr rix0rrr changed the title fix(apigateway): fixed allowed origins for CORS preflight fix(apigateway): allowedOrigins are incorrectly interpreted as regexes Aug 10, 2023
@mergify mergify bot dismissed rix0rrr’s stale review August 10, 2023 12:23

Pull request has been modified.

@mergify
Contributor

mergify bot commented Aug 10, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 2c3281b
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit cc52e2d into aws:main Aug 10, 2023
@mergify
Contributor

mergify bot commented Aug 10, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Development

Successfully merging this pull request may close these issues.

aws-apigateway: Allowed origins for CORS preflight are treated as regular expressions
4 participants