Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Additional CORS validation #385

Merged
merged 1 commit into from
Feb 7, 2019
Merged

Additional CORS validation #385

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions lib/cors.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@ const xml2js = require("xml2js");

const templateBuilder = require("./xml-template-builder");

// https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html#cors-allowed-methods
const corsAllowedMethods = ["GET", "PUT", "POST", "DELETE", "HEAD"];

function createWildcardRegExp(str, flags = "") {
const parts = str.split("*");
if (parts.length > 2)
Expand Down Expand Up @@ -32,6 +35,15 @@ module.exports = function cors(config) {
);
}

for (const method of rule.AllowedMethod) {
if (!corsAllowedMethods.includes(method)) {
throw new Error(
"Found unsupported HTTP method in CORS config. Unsupported method is " +
method
);
}
}

// Keep track if the rule has the plain wildcard '*' origin since S3 responds with '*'
// instead of echoing back the request origin in this case
rule.hasWildcardOrigin = rule.AllowedOrigin.includes("*");
Expand Down
10 changes: 10 additions & 0 deletions test/resources/cors_invalid1.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
<CORSConfiguration>
<CORSRule>
<!-- Only one wildcard is allowed -->
<AllowedOrigin>https://*.*</AllowedOrigin>
<AllowedMethod>HEAD</AllowedMethod>
<AllowedMethod>GET</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
9 changes: 9 additions & 0 deletions test/resources/cors_invalid2.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
<CORSConfiguration>
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<!-- Method must be one of GET, PUT, POST, DELETE, HEAD -->
<AllowedMethod>*</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
7 changes: 7 additions & 0 deletions test/resources/cors_invalid3.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
<CORSConfiguration>
<CORSRule>
<!-- At least one AllowedOrigin or AllowedMethod must be specified -->
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
64 changes: 64 additions & 0 deletions test/test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1117,6 +1117,70 @@ describe("S3rver CORS Policy Tests", function() {
}
});

it("should fail to initialize a configuration with multiple wildcard characters", function*() {
let error;
try {
let server;
yield thunkToPromise(done => {
server = new S3rver({
port: 4569,
hostname: "localhost",
silent: true,
cors: fs.readFileSync("./test/resources/cors_invalid1.xml")
}).run(done);
});
yield thunkToPromise(done => server.close(done));
} catch (err) {
error = err;
}
expect(error).to.exist;
expect(error.message).to.include(" can not have more than one wildcard.");
});

it("should fail to initialize a configuration with an illegal AllowedMethod", function*() {
let error;
try {
let server;
yield thunkToPromise(done => {
server = new S3rver({
port: 4569,
hostname: "localhost",
silent: true,
cors: fs.readFileSync("./test/resources/cors_invalid2.xml")
}).run(done);
});
yield thunkToPromise(done => server.close(done));
} catch (err) {
error = err;
}
expect(error).to.exist;
expect(error.message).to.include(
"Found unsupported HTTP method in CORS config."
);
});

it("should fail to initialize a configuration with missing required fields", function*() {
let error;
try {
let server;
yield thunkToPromise(done => {
server = new S3rver({
port: 4569,
hostname: "localhost",
silent: true,
cors: fs.readFileSync("./test/resources/cors_invalid3.xml")
}).run(done);
});
yield thunkToPromise(done => server.close(done));
} catch (err) {
error = err;
}
expect(error).to.exist;
expect(error.message).to.include(
"CORSRule must have at least one AllowedOrigin and AllowedMethod"
);
});

it("should add the Access-Control-Allow-Origin header for default (wildcard) configurations", function*() {
const origin = "http://a-test.example.com";
const params = { Bucket: bucket, Key: "image" };
Expand Down