Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(cors): consider using allow_origins_by_regex only when it is not nil #9028

Merged
merged 19 commits into from
Mar 24, 2023
Merged

fix(cors): consider using allow_origins_by_regex only when it is not nil #9028

merged 19 commits into from
Mar 24, 2023

Conversation

chenjinfeng0505
Copy link
Contributor

@chenjinfeng0505 chenjinfeng0505 commented Mar 7, 2023
edited by spacewander
Loading

Description

Fixes #9027
-- If allow_origins_by_regex is not nil, should be considered to allow_origins_by_regex only.

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

qihaiyan
qihaiyan previously approved these changes Mar 9, 2023
View reviewed changes
apisix/plugins/cors.lua Outdated
if not match_origins(req_origin, allow_origins) then
allow_origins = process_with_allow_origins_by_regex(conf, ctx, req_origin)
allow_origins = process_with_allow_origins_by_regex(conf, ctx, req_origin)
if not match_origins(req_origin, allow_origins) and conf.allow_origins_by_regex == nil then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With cors plugin's default config, when a request doesn't have a origin header, the match_origins method will return true, then the following process_with_allow_origins method won't be executed.

@spacewander spacewander mentioned this pull request Mar 10, 2023
Merged
5 tasks
spacewander
spacewander reviewed Mar 10, 2023
View reviewed changes
t/plugin/cors.t Outdated



=== TEST 36: set route ( regex specified and allow_origins is default value )
Copy link
Member

@spacewander spacewander Mar 10, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add new tests to the other test file.

When the test file is too large, for example > 800 lines, you should split it to a new file. Please take a look at t/plugin/limit-conn.t and t/plugin/limit-conn2.t.

https://github.com/apache/apisix/blob/master/CONTRIBUTING.md#check-code-style-and-test-case-style

apisix/plugins/cors.lua Outdated
@@ -297,13 +297,13 @@ end

function _M.header_filter(conf, ctx)
local req_origin = ctx.original_request_origin
-- Try allow_origins first, if mismatched, try allow_origins_by_regex.
-- If allow_origins_by_regex is not nil, should be considered to allow_origins_by_regex only
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's update docs for the new try order.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's update docs for the new try order.

Thank you for reminding. I have modified it.

@qihaiyan
Copy link
Contributor

Is this PR ready to merge? @spacewander

spacewander
spacewander reviewed Mar 14, 2023
View reviewed changes
apisix/plugins/cors.lua Outdated
allow_origins = process_with_allow_origins(conf.allow_origins, ctx, req_origin)
if not match_origins(req_origin, allow_origins) then
allow_origins = process_with_allow_origins_by_regex(conf, ctx, req_origin)
allow_origins = process_with_allow_origins_by_regex(conf, ctx, req_origin)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Look like we can skip this function call by checking the conf.allow_origins_by_regex == nil first. For example,

if conf.allow_origins_by_regex ~= nil then

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image

This function named process_with_allow_origins_by_regex has checked whether allow_origins_by_regex is nil.
Does it need to be checked again before the method invocation?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. We can move it out, and avoid the repeated and conf.allow_origins_by_regex == nil check below.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks and I has changed it.

@spacewander
Copy link
Member

Let's merge master to make CI pass.

@spacewander
Copy link
Member

https://github.com/apache/apisix/actions/runs/4446285829/jobs/7839374950?pr=9028

#   Failed test 't/plugin/cors2.t TEST 5: regex specified match - header Vary ok'
#   at /apisix/test-nginx/lib/Test/Nginx/Socket.pm line 1011.
#          got: 'Via'
#     expected: 'Via, Origin'
# Looks like you failed 1 test of 35.
[02:10:05] t/plugin/cors2.t ..

Please make the CI pass, thanks!

@chenjinfeng0505
Copy link
Contributor Author

@spacewander I have just updated it. Thanks

@qihaiyan
Copy link
Contributor

Merging needs another approving of reviewer with write access. @spacewander

@leslie-tsang leslie-tsang merged commit 6c9e34a into apache:master Mar 24, 2023
@leslie-tsang leslie-tsang changed the title fix: If allow_origins_by_regex is not nil, should be considered to allow_origins_by_regex only fix(cors): consider using allow_origins_by_regex only when it is not nil Mar 24, 2023
@KID-G
Copy link

KID-G commented Mar 27, 2023
edited
Loading

Hi, @Qiuqiu0505
Thank you for your contribution to Apache APISIX!
Can you tell me your email address? We have prepared electronic certificates for new contributors.

@chenjinfeng0505
Copy link
Contributor Author

@KID-G Hi, my email address is [email protected].
I am so lucky to receive certificate. Thanks.

hongbinhsu added a commit to fitphp/apix that referenced this pull request Apr 11, 2023
@hongbinhsu
Merge branch 'upstream/master' into github/master
a6808a0 
* upstream/master: (25 commits)
  fix: upgrade lua-resty-ldap to 0.2.2 (apache#9254)
  feat(cli): support bypassing Admin API Auth by configuration (apache#9147)
  fix(ci): write version into xds first (apache#9274)
  fix: skip warning log when apisix.data_encryption.enable is false (apache#9057)
  docs: add-api7-information (apache#9260)
  docs: Fixed typo (apache#9244)
  docs: clarify what is client.ca in client-to-apisix-mtls.md (apache#9221)
  docs: Corrected typos and grammatical errors (apache#9216)
  docs: updated ssl sni parameter requirement in admin-api.md (apache#9176)
  fix: check upstream reference in traffic-split plugin when delete upstream (apache#9044)
  docs: Update proxy-rewrite headers.add docs (apache#9220)
  feat: suppot header injection for fault-injection plugin (apache#9039)
  fix: upgrade lua-resty-etcd to 1.10.4 (apache#9235)
  docs: fix incorrect semantic.yml link (apache#9231)
  feat: Upstream status report (apache#9151)
  fix: host_hdr should not be false (apache#9150)
  docs: remove APISIX base instruction (apache#9117)
  fix(cli): prevent non-`127.0.0.0/24` to access admin api with empty admin_key (apache#9146)
  docs: fix 404 link (apache#9160)
  fix(cors): consider using `allow_origins_by_regex` only when it is not `nil` (apache#9028)
  ...
AlinsRan pushed a commit to AlinsRan/apisix that referenced this pull request Jun 25, 2023
@chenjinfeng0505 @AlinsRan
fix(cors): consider using allow_origins_by_regex only when it is no…
e8c1875 
…t `nil` (apache#9028)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leslie-tsang leslie-tsang leslie-tsang approved these changes

@soulbird soulbird soulbird approved these changes

@qihaiyan qihaiyan qihaiyan approved these changes

@spacewander spacewander spacewander approved these changes

Assignees
No one assigned
Labels
need backport
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

bug: If allow_origins_by_regex is not nil,using other domain is also verified.
6 participants
@chenjinfeng0505 @qihaiyan @spacewander @KID-G @soulbird @leslie-tsang