
Let user be explicit about origins encoding: plain, glob, regex or regex_partial

Open · danbst opened this issue 8 years ago · 1 comment

See https://github.com/corydolphin/flask-cors/pull/160#issuecomment-226674064 which discussed a security issue when regular strings were considered regexes.

Even if glob encoding isn't supported, it isn't explicitly prohibited either, so when a user uses a glob-style pattern

origins = [ "https://api.*.company.com" ]

he should be aware that the Origin https://api-company-com.malware.com will match when the origin matching scheme is set to regex_partial

What would be great to have:

  • plain - no regex matching is done, all origins should be explicit
  • glob - wildcards are expanded
  • regex - origin is matched to a regex, but with ^...$ wrappers, so no domain hijacking should be possible
  • regex_partial - origin is matched to a regex, but user has full freedom for matching

danbst avatar Oct 03 '17 11:10 danbst

@danbst sorry for the delay in getting back to you!

This is definitely an issue. I think the only way to safely fix this is by issuing a V3 which will make it more explicit, and safer by default.

I think it can be simplified further such that the only valid options for the origins should be: '*', a valid hostname string, or a regex object. I believe that would simplify the logic substantially. If you have energy, I would welcome a contribution which made this happen.

corydolphin avatar Jan 29 '18 19:01 corydolphin
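The four matching modes proposed in the issue, and the simplified "'*', exact string, or compiled regex" scheme suggested in the reply, are easy to compare side by side. The following is an added example written for this page, not code from flask-cors or from either participant; the origin list and the two test origins are the ones quoted in the issue, and the function names and the `v3`-style matcher are assumptions about what such an API could look like. It shows why a glob-looking string that is silently treated as an unanchored regex is a problem (`regex_partial` accepts the unrelated host) while `plain`, `glob`, and anchored `regex` reject it.

```python
import fnmatch
import re
from typing import Iterable, Union

# Allowed-origin list quoted in the issue (glob-style intent).
ALLOWED = ["https://api.*.company.com"]

# Hypothetical origins from the issue: one legitimate, one unrelated host
# whose name merely contains the literal characters the regex needs.
LEGIT_ORIGIN = "https://api.eu.company.com"
HIJACK_ORIGIN = "https://api-company-com.malware.com"

MODES = ("plain", "glob", "regex", "regex_partial")


def origin_allowed(origin: str, allowed: Iterable[str], mode: str) -> bool:
    """Match an Origin header value against a list of patterns.

    mode selects how each entry in `allowed` is interpreted:
      plain         - exact string equality, no wildcards at all
      glob          - shell-style wildcards (* ? [...]) over the whole origin
      regex         - regular expression, anchored at both ends (^...$)
      regex_partial - regular expression matched only at the start, the
                      unsafe behaviour the issue warns about
    """
    if mode not in MODES:
        raise ValueError(f"unknown origin matching mode: {mode!r}")
    for entry in allowed:
        if mode == "plain":
            if origin == entry:
                return True
        elif mode == "glob":
            # fnmatchcase is case-sensitive and implicitly anchored.
            if fnmatch.fnmatchcase(origin, entry):
                return True
        elif mode == "regex":
            # fullmatch requires the whole origin to be consumed, so a
            # trailing ".malware.com" cannot be ignored.
            if re.fullmatch(entry, origin):
                return True
        else:  # regex_partial
            # re.match only anchors at the start; an unescaped "." in the
            # pattern matches "-" and ".*" swallows whatever follows.
            if re.match(entry, origin):
                return True
    return False


def classify(origin: str, allowed: Iterable[str] = ALLOWED) -> dict:
    """Return {mode: accepted?} for one origin, to compare the schemes."""
    allowed = list(allowed)
    return {mode: origin_allowed(origin, allowed, mode) for mode in MODES}


def origin_allowed_v3(origin: str, allowed: Iterable[Union[str, re.Pattern]]) -> bool:
    """The simplified scheme from the reply (assumed shape, not a real API):
    each entry is '*', an exact origin string, or a compiled regex object.
    Strings are never promoted to regexes, so intent is always explicit."""
    for entry in allowed:
        if entry == "*":
            return True
        if isinstance(entry, re.Pattern):
            if entry.fullmatch(origin):
                return True
        elif origin == entry:
            return True
    return False


if __name__ == "__main__":
    for origin in (LEGIT_ORIGIN, HIJACK_ORIGIN):
        print(origin, classify(origin))
    explicit = [re.compile(r"https://api\.[a-z]+\.company\.com")]
    print("v3 legit:", origin_allowed_v3(LEGIT_ORIGIN, explicit))
    print("v3 hijack:", origin_allowed_v3(HIJACK_ORIGIN, explicit))
```

Running it shows the legitimate origin accepted by `glob`, `regex` and `regex_partial` (and rejected by `plain`, since it is not listed verbatim), while the unrelated host is accepted only by `regex_partial`. The `v3`-style matcher reproduces the safe outcome with less logic because a caller who wants regex matching has to hand in a compiled pattern.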