mirror of
https://github.com/minio/minio.git
synced 2025-08-16 11:06:57 +02:00
af3d0e0bfb
- Preserve backward compatibility: wildcard origins allow credentials by default - Add MINIO_API_CORS_ALLOW_CREDENTIALS_WITH_WILDCARD=off for enhanced security - Addresses CORS specification compliance while preventing service disruption - Existing deployments continue working unchanged
255 lines
9.4 KiB
Go
255 lines
9.4 KiB
Go
// Copyright (c) 2015-2021 MinIO, Inc.
|
|
//
|
|
// This file is part of MinIO Object Storage stack
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
)
|
|
|
|
// Test that CORS credentials are properly handled for wildcard origins
|
|
func TestCORSCredentialsWithWildcard(t *testing.T) {
|
|
// Save original config and restore after test
|
|
originalOrigins := globalAPIConfig.getCorsAllowOrigins()
|
|
originalAllowCredentialsWithWildcard := globalAPIConfig.getCorsAllowCredentialsWithWildcard()
|
|
defer func() {
|
|
globalAPIConfig.mu.Lock()
|
|
globalAPIConfig.corsAllowOrigins = originalOrigins
|
|
globalAPIConfig.corsAllowCredentialsWithWildcard = originalAllowCredentialsWithWildcard
|
|
globalAPIConfig.mu.Unlock()
|
|
}()
|
|
|
|
// Test 1: Default secure behavior (wildcard without credentials)
|
|
t.Run("Secure Default", func(t *testing.T) {
|
|
// Setup wildcard CORS config with default secure behavior
|
|
globalAPIConfig.mu.Lock()
|
|
globalAPIConfig.corsAllowOrigins = []string{"*"}
|
|
globalAPIConfig.corsAllowCredentialsWithWildcard = false // default secure behavior
|
|
globalAPIConfig.mu.Unlock()
|
|
|
|
// Create a simple handler
|
|
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
})
|
|
|
|
// Wrap with CORS handler
|
|
corsWrappedHandler := corsHandler(handler)
|
|
|
|
// Test preflight request
|
|
req := httptest.NewRequest("OPTIONS", "/", nil)
|
|
req.Header.Set("Origin", "https://example.com")
|
|
req.Header.Set("Access-Control-Request-Method", "GET")
|
|
|
|
rr := httptest.NewRecorder()
|
|
corsWrappedHandler.ServeHTTP(rr, req)
|
|
|
|
// Verify specific origin is echoed back (rs/cors library behavior)
|
|
if got := rr.Header().Get("Access-Control-Allow-Origin"); got != "https://example.com" {
|
|
t.Errorf("Expected Access-Control-Allow-Origin: https://example.com, got: %s", got)
|
|
}
|
|
|
|
// Verify credentials header is NOT present (security fix)
|
|
if got := rr.Header().Get("Access-Control-Allow-Credentials"); got != "" {
|
|
t.Errorf("Expected no Access-Control-Allow-Credentials header with wildcard origin, got: %s", got)
|
|
}
|
|
})
|
|
|
|
// Test 2: Backward compatibility opt-out (wildcard with credentials - insecure)
|
|
t.Run("Backward Compatibility Opt-out", func(t *testing.T) {
|
|
// Setup wildcard CORS config with explicit opt-out for backward compatibility
|
|
globalAPIConfig.mu.Lock()
|
|
globalAPIConfig.corsAllowOrigins = []string{"*"}
|
|
globalAPIConfig.corsAllowCredentialsWithWildcard = true // explicitly allow insecure behavior
|
|
globalAPIConfig.mu.Unlock()
|
|
|
|
// Create a simple handler
|
|
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
})
|
|
|
|
// Wrap with CORS handler
|
|
corsWrappedHandler := corsHandler(handler)
|
|
|
|
// Test preflight request
|
|
req := httptest.NewRequest("OPTIONS", "/", nil)
|
|
req.Header.Set("Origin", "https://example.com")
|
|
req.Header.Set("Access-Control-Request-Method", "GET")
|
|
|
|
rr := httptest.NewRecorder()
|
|
corsWrappedHandler.ServeHTTP(rr, req)
|
|
|
|
// Verify specific origin is echoed back (rs/cors library behavior)
|
|
if got := rr.Header().Get("Access-Control-Allow-Origin"); got != "https://example.com" {
|
|
t.Errorf("Expected Access-Control-Allow-Origin: https://example.com, got: %s", got)
|
|
}
|
|
|
|
// Verify credentials header IS present (backward compatibility)
|
|
if got := rr.Header().Get("Access-Control-Allow-Credentials"); got != "true" {
|
|
t.Errorf("Expected Access-Control-Allow-Credentials: true with opt-out enabled, got: %s", got)
|
|
}
|
|
})
|
|
}
|
|
|
|
// Test that CORS credentials are allowed for specific origins
|
|
func TestCORSCredentialsWithSpecificOrigin(t *testing.T) {
|
|
// Save original config and restore after test
|
|
originalOrigins := globalAPIConfig.getCorsAllowOrigins()
|
|
defer func() {
|
|
globalAPIConfig.mu.Lock()
|
|
globalAPIConfig.corsAllowOrigins = originalOrigins
|
|
globalAPIConfig.mu.Unlock()
|
|
}()
|
|
|
|
// Setup specific origin CORS config
|
|
allowedOrigin := "https://example.com"
|
|
globalAPIConfig.mu.Lock()
|
|
globalAPIConfig.corsAllowOrigins = []string{allowedOrigin}
|
|
globalAPIConfig.mu.Unlock()
|
|
|
|
// Create a simple handler
|
|
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
})
|
|
|
|
// Wrap with CORS handler
|
|
corsWrappedHandler := corsHandler(handler)
|
|
|
|
// Test preflight request
|
|
req := httptest.NewRequest("OPTIONS", "/", nil)
|
|
req.Header.Set("Origin", allowedOrigin)
|
|
req.Header.Set("Access-Control-Request-Method", "GET")
|
|
|
|
rr := httptest.NewRecorder()
|
|
corsWrappedHandler.ServeHTTP(rr, req)
|
|
|
|
// Verify specific origin is echoed back
|
|
if got := rr.Header().Get("Access-Control-Allow-Origin"); got != allowedOrigin {
|
|
t.Errorf("Expected Access-Control-Allow-Origin: %s, got: %s", allowedOrigin, got)
|
|
}
|
|
|
|
// Verify credentials header IS present for specific origins
|
|
if got := rr.Header().Get("Access-Control-Allow-Credentials"); got != "true" {
|
|
t.Errorf("Expected Access-Control-Allow-Credentials: true with specific origin, got: %s", got)
|
|
}
|
|
|
|
// Test actual GET request
|
|
req = httptest.NewRequest("GET", "/", nil)
|
|
req.Header.Set("Origin", allowedOrigin)
|
|
|
|
rr = httptest.NewRecorder()
|
|
corsWrappedHandler.ServeHTTP(rr, req)
|
|
|
|
// Verify specific origin is echoed back
|
|
if got := rr.Header().Get("Access-Control-Allow-Origin"); got != allowedOrigin {
|
|
t.Errorf("Expected Access-Control-Allow-Origin: %s, got: %s", allowedOrigin, got)
|
|
}
|
|
|
|
// Verify credentials header IS present
|
|
if got := rr.Header().Get("Access-Control-Allow-Credentials"); got != "true" {
|
|
t.Errorf("Expected Access-Control-Allow-Credentials: true with specific origin, got: %s", got)
|
|
}
|
|
}
|
|
|
|
// Test that unauthorized origins are rejected properly
|
|
func TestCORSUnauthorizedOrigin(t *testing.T) {
|
|
// Save original config and restore after test
|
|
originalOrigins := globalAPIConfig.getCorsAllowOrigins()
|
|
defer func() {
|
|
globalAPIConfig.mu.Lock()
|
|
globalAPIConfig.corsAllowOrigins = originalOrigins
|
|
globalAPIConfig.mu.Unlock()
|
|
}()
|
|
|
|
// Setup specific origin CORS config (no wildcard)
|
|
allowedOrigin := "https://example.com"
|
|
globalAPIConfig.mu.Lock()
|
|
globalAPIConfig.corsAllowOrigins = []string{allowedOrigin}
|
|
globalAPIConfig.mu.Unlock()
|
|
|
|
// Create a simple handler
|
|
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
})
|
|
|
|
// Wrap with CORS handler
|
|
corsWrappedHandler := corsHandler(handler)
|
|
|
|
// Test preflight request from unauthorized origin
|
|
req := httptest.NewRequest("OPTIONS", "/", nil)
|
|
req.Header.Set("Origin", "https://example.org") // This origin is NOT in the allowed list
|
|
req.Header.Set("Access-Control-Request-Method", "GET")
|
|
|
|
rr := httptest.NewRecorder()
|
|
corsWrappedHandler.ServeHTTP(rr, req)
|
|
|
|
// Verify no CORS headers are set for unauthorized origin
|
|
if got := rr.Header().Get("Access-Control-Allow-Origin"); got != "" {
|
|
t.Errorf("Expected no Access-Control-Allow-Origin header for unauthorized origin, got: %s", got)
|
|
}
|
|
|
|
if got := rr.Header().Get("Access-Control-Allow-Credentials"); got != "" {
|
|
t.Errorf("Expected no Access-Control-Allow-Credentials header for unauthorized origin, got: %s", got)
|
|
}
|
|
}
|
|
|
|
// Test mixed configuration with both wildcard and specific origins
|
|
func TestCORSMixedConfiguration(t *testing.T) {
|
|
// Save original config and restore after test
|
|
originalOrigins := globalAPIConfig.getCorsAllowOrigins()
|
|
originalAllowCredentialsWithWildcard := globalAPIConfig.getCorsAllowCredentialsWithWildcard()
|
|
defer func() {
|
|
globalAPIConfig.mu.Lock()
|
|
globalAPIConfig.corsAllowOrigins = originalOrigins
|
|
globalAPIConfig.corsAllowCredentialsWithWildcard = originalAllowCredentialsWithWildcard
|
|
globalAPIConfig.mu.Unlock()
|
|
}()
|
|
|
|
// Setup mixed CORS config (wildcard + specific origins) with default secure behavior
|
|
globalAPIConfig.mu.Lock()
|
|
globalAPIConfig.corsAllowOrigins = []string{"*", "https://example.com"}
|
|
globalAPIConfig.corsAllowCredentialsWithWildcard = false // default secure behavior
|
|
globalAPIConfig.mu.Unlock()
|
|
|
|
// Create a simple handler
|
|
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
})
|
|
|
|
// Wrap with CORS handler
|
|
corsWrappedHandler := corsHandler(handler)
|
|
|
|
// Test request that should match wildcard
|
|
req := httptest.NewRequest("OPTIONS", "/", nil)
|
|
req.Header.Set("Origin", "https://example.com")
|
|
req.Header.Set("Access-Control-Request-Method", "GET")
|
|
|
|
rr := httptest.NewRecorder()
|
|
corsWrappedHandler.ServeHTTP(rr, req)
|
|
|
|
// The rs/cors library echoes back the specific origin even with wildcard config
|
|
if got := rr.Header().Get("Access-Control-Allow-Origin"); got != "https://example.com" {
|
|
t.Errorf("Expected Access-Control-Allow-Origin: https://example.com, got: %s", got)
|
|
}
|
|
|
|
// Verify credentials header is NOT present due to wildcard in config (secure default)
|
|
if got := rr.Header().Get("Access-Control-Allow-Credentials"); got != "" {
|
|
t.Errorf("Expected no Access-Control-Allow-Credentials header with wildcard in config, got: %s", got)
|
|
}
|
|
}
|