diff --git a/internal/ingress/annotations/cors/main.go b/internal/ingress/annotations/cors/main.go index d6e92b34db..066d791ef3 100644 --- a/internal/ingress/annotations/cors/main.go +++ b/internal/ingress/annotations/cors/main.go @@ -49,9 +49,9 @@ var ( // Method must contain valid methods list (PUT, GET, POST, BLA) // May contain or not spaces between each verb corsMethodsRegex = regexp.MustCompile(`^([A-Za-z]+,?\s?)+$`) - // Expose Headers must contain valid values only (*, X-HEADER12, X-ABC) + // CORS Headers must contain valid values only (*, X-HEADER12, X-ABC) // May contain or not spaces between each Header - corsExposeHeadersRegex = regexp.MustCompile(`^(([A-Za-z0-9\-\_]+|\*),?\s?)+$`) + corsHeadersRegex = regexp.MustCompile(`^(([A-Za-z0-9\-\_]+|\*),?\s?)+$`) ) const ( @@ -82,11 +82,11 @@ var corsAnnotation = parser.Annotation{ It also supports single level wildcard subdomains and follows this format: http(s)://*.foo.bar, http(s)://*.bar.foo:8080 or http(s)://*.abc.bar.foo:9000`, }, corsAllowHeadersAnnotation: { - Validator: parser.ValidateRegex(parser.HeadersVariable, true), + Validator: parser.ValidateRegex(corsHeadersRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation controls which headers are accepted. - This is a multi-valued field, separated by ',' and accepts letters, numbers, _ and -`, + This is a multi-valued field, separated by ',' and accepts letters, numbers, _, - and *.`, }, corsAllowMethodsAnnotation: { Validator: parser.ValidateRegex(corsMethodsRegex, true), @@ -102,7 +102,7 @@ var corsAnnotation = parser.Annotation{ Documentation: `This annotation controls if credentials can be passed during CORS operations.`, }, corsExposeHeadersAnnotation: { - Validator: parser.ValidateRegex(corsExposeHeadersRegex, true), + Validator: parser.ValidateRegex(corsHeadersRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation controls which headers are exposed to response. @@ -225,7 +225,7 @@ func (c cors) Parse(ing *networking.Ingress) (interface{}, error) { } config.CorsAllowHeaders, err = parser.GetStringAnnotation(corsAllowHeadersAnnotation, ing, c.annotationConfig.Annotations) - if err != nil || !parser.HeadersVariable.MatchString(config.CorsAllowHeaders) { + if err != nil || !corsHeadersRegex.MatchString(config.CorsAllowHeaders) { config.CorsAllowHeaders = defaultCorsHeaders } @@ -245,7 +245,7 @@ func (c cors) Parse(ing *networking.Ingress) (interface{}, error) { } config.CorsExposeHeaders, err = parser.GetStringAnnotation(corsExposeHeadersAnnotation, ing, c.annotationConfig.Annotations) - if err != nil || !corsExposeHeadersRegex.MatchString(config.CorsExposeHeaders) { + if err != nil || !corsHeadersRegex.MatchString(config.CorsExposeHeaders) { config.CorsExposeHeaders = "" } diff --git a/internal/ingress/annotations/cors/main_test.go b/internal/ingress/annotations/cors/main_test.go index a69390a174..be02e2649f 100644 --- a/internal/ingress/annotations/cors/main_test.go +++ b/internal/ingress/annotations/cors/main_test.go @@ -77,7 +77,7 @@ func TestIngressCorsConfigValid(t *testing.T) { // Valid data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = "true" - data[parser.GetAnnotationWithPrefix(corsAllowHeadersAnnotation)] = "DNT,X-CustomHeader, Keep-Alive,User-Agent" + data[parser.GetAnnotationWithPrefix(corsAllowHeadersAnnotation)] = "*, DNT,X-CustomHeader, Keep-Alive,User-Agent" data[parser.GetAnnotationWithPrefix(corsAllowCredentialsAnnotation)] = "false" data[parser.GetAnnotationWithPrefix(corsAllowMethodsAnnotation)] = "GET, PATCH" data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "https://origin123.test.com:4443" @@ -103,7 +103,7 @@ func TestIngressCorsConfigValid(t *testing.T) { t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowCredentialsAnnotation)], nginxCors.CorsAllowCredentials) } - if nginxCors.CorsAllowHeaders != "DNT,X-CustomHeader, Keep-Alive,User-Agent" { + if nginxCors.CorsAllowHeaders != "*, DNT,X-CustomHeader, Keep-Alive,User-Agent" { t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowHeadersAnnotation)], nginxCors.CorsAllowHeaders) }