Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Require origin whitelist for CORS middleware #72

Merged
merged 3 commits into from
Jul 8, 2016
Merged

Conversation

tylertreat-wf
Copy link
Contributor

Require an origin whitelist for CORS middleware. Reject requests having an origin that does not match the whitelist. This is a breaking API change but is justified due to the security nature.

@matthewsullivan-wf @Workiva/messaging-pp

@aviary2-wf
Copy link

aviary2-wf commented Jul 8, 2016

Raven

Number of Findings: 7

  • Watched file rest/middleware/cors.go modified
  • Watched keyword Access-Control-Allow-Origin in rest/middleware/cors.go line(s) ['9'] removed
  • Watched keyword Access-Control-Allow-Headers in rest/middleware/cors.go line(s) ['20'] added
  • Watched keyword Access-Control-Allow-Methods in rest/middleware/cors.go line(s) ['10'] removed
  • Watched keyword Access-Control-Allow-Headers in rest/middleware/cors.go line(s) ['11'] removed
  • Watched keyword Access-Control-Allow-Methods in rest/middleware/cors.go line(s) ['19'] added
  • Watched keyword Access-Control-Allow-Origin in rest/middleware/cors.go line(s) ['18'] added

The finding(s) listed above require security review.

if r.Method == "OPTIONS" {
err = &corsError{code: http.StatusOK}
}
if !originMatch {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you care that your first error will be overwritten if both error conditions are true?

@rmconsole-wf
Copy link

@tylertreat-wf

  • A security review has not been completed, but one is required. Please request a security review from one of the approved security reviewers listed here.

error
Code() int
Response() []byte
type MiddlewareError struct {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this no longer implements error

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't need to.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like it's killing the unit tests

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

@stevenosborne-wf
Copy link

+1

@dustinhiatt-wf
Copy link

security +1


var err *rest.MiddlewareError
if r.Method == "OPTIONS" {
err = &rest.MiddlewareError{Code: http.StatusOK}

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the order of these statements be switched? Right now it would always allow options requests, which would indicate to browsers they're allowed to send other requests?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe OPTIONS requests are allowed to pass through as they are a pre-flight request, but the response would not have the Access-Control-* headers on the response if the origin doesn't match. As a result, the browser would know the actual request would not be processed.

@charliestrawn-wf
Copy link

+1

1 similar comment
@brianshannan-wf
Copy link

+1

@tylertreat-wf tylertreat-wf merged commit edb1b3f into master Jul 8, 2016
@tylertreat-wf tylertreat-wf deleted the cors_whitelist branch July 8, 2016 15:52
@teresarevious-wf
Copy link

RM +1

verified dependencies manually

@rmconsole-wf
Copy link

QA review can be found here: https://jira.atl.workiva.net/browse/RM-16257

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants