refactor the algorithm for testing the cors

while here: - send cors headers even if the status is 404 - add: access_control_expose_headers config option - list of additional headers sent in Access-Control-Expose-Headers - add: access_control_allow_credentials config option - if true return Access-Control-Allow-Credentials header equal "true"
2022-09-08 03:12:44 +02:00
parent 04164ff967
commit 222a1c8a1f
9 changed files with 245 additions and 89 deletions
--- a/winixd/functions/functionbase.cpp
+++ b/winixd/functions/functionbase.cpp
@@ -142,6 +142,15 @@ bool FunctionBase::HasAccess()
 }


+/*
+ * this is in a response to the normal OPTIONS method (not cors request)
+ */
+void FunctionBase::AddAllowMethodsHeader()
+{
+	cur->request->out_headers.add(Header::allow, L"GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH");
+}
+
+
 bool FunctionBase::IsCorsMethodAvailable(Request::Method method)
 {
 	return method == Request::get || method == Request::head || method == Request::post || method == Request::put ||
@@ -172,7 +181,7 @@ bool FunctionBase::IsCorsOriginAvailable(const std::wstring & origin_url)

 bool FunctionBase::AreCorsCredentialsAvailable()
 {
-	return true;
+	return config && config->access_control_allow_credentials;
 }


@@ -222,7 +231,10 @@ void FunctionBase::AddAccessControlAllowOriginHeader(const std::wstring & origin
 */
 void FunctionBase::AddAccessControlAllowHeadersHeader(const std::wstring & headers)
 {
-	cur->request->AddHeader(Header::access_control_allow_headers, headers);
+	if( Header::is_header_value_correct(headers) )
+	{
+		cur->request->AddHeader(Header::access_control_allow_headers, headers);
+	}
 }


@@ -239,6 +251,158 @@ void FunctionBase::AddAccessControlAllowCredentialsHeader()
 }


+void FunctionBase::AddAccessControlExposeHeadersHeader()
+{
+	if( config )
+	{
+		if( !config->access_control_expose_headers.empty() )
+		{
+			pt::WTextStream headers;
+			bool is_first = true;
+
+			for(std::wstring & str : config->access_control_expose_headers)
+			{
+				if( !is_first )
+					headers << ", ";
+
+				headers << str;
+				is_first = false;
+			}
+
+			cur->request->AddHeader(Header::access_control_expose_headers, headers);
+		}
+	}
+}
+
+
+void FunctionBase::AddCorsPreflightRequestHeaders(const std::wstring & origin, Request::Method method, const std::wstring * request_headers)
+{
+	AddAccessControlAllowMethodsHeader(method);
+	AddAccessControlAllowOriginHeader(origin);
+	AddAccessControlMaxAgeHeader();
+	AddAccessControlExposeHeadersHeader();
+
+	if( AreCorsCredentialsAvailable() )
+	{
+		AddAccessControlAllowCredentialsHeader();
+	}
+
+	if( request_headers )
+	{
+		AddAccessControlAllowHeadersHeader(*request_headers);
+	}
+
+	log << log3 << "FunctionBase: this cors request is permitted" << logend;
+}
+
+
+void FunctionBase::AddCorsNormalRequestHeaders(const std::wstring & origin)
+{
+	AddAccessControlAllowOriginHeader(origin);
+
+	if( AreCorsCredentialsAvailable() )
+	{
+		AddAccessControlAllowCredentialsHeader();
+	}
+}
+
+
+void FunctionBase::AddResponseHeadersForOrigin(const std::wstring & origin)
+{
+	if( cur->request->method == Request::Method::options )
+	{
+		pt::Space * cors_method = cur->request->headers_in.get_space_nc(L"Access_Control_Request_Method"); // FastCGI changes '-' to '_'
+		pt::Space * cors_headers = cur->request->headers_in.get_space_nc(L"Access_Control_Request_Headers");
+
+		if( cors_method && cors_method->is_wstr() )
+		{
+			/*
+			 * this is a preflight request
+			 * https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
+			 * (we allow Access-Control-Request-Headers not to be present)
+			 */
+			Request::Method method = Request::CheckRequestMethod(cors_method->get_wstr()->c_str());
+			cur->request->http_status = Header::status_204_no_content;
+
+			if( IsCorsMethodAvailable(method) )
+			{
+				bool cors_headers_available = true;
+				std::wstring * headers = nullptr;
+
+				if( cors_headers && cors_headers->is_wstr() )
+				{
+					headers = cors_headers->get_wstr();
+					cors_headers_available = AreCorsHeadersAvailable(*headers);
+				}
+
+				if( cors_headers_available )
+				{
+					AddCorsPreflightRequestHeaders(origin, method, headers);
+				}
+				else
+				{
+					if( headers )
+					{
+						log << log2 << "FunctionBase: these cors headers: " << *headers << " are not permitted in cors requests" << logend;
+					}
+				}
+			}
+			else
+			{
+				log << log2 << "FunctionBase: this method: " << *cors_method->get_wstr() << " is not permitted in cors requests" << logend;
+			}
+		}
+		else
+		{
+			/*
+			 * this is not a preflight cors request
+			 */
+			AddAllowMethodsHeader();
+			AddCorsNormalRequestHeaders(origin);
+		}
+	}
+	else
+	{
+		AddCorsNormalRequestHeaders(origin);
+	}
+}
+
+
+void FunctionBase::CheckOriginHeader()
+{
+	pt::Space * origin = cur->request->headers_in.get_space_nc(L"Origin");
+
+	if( origin && origin->is_wstr() )
+	{
+		if( IsCorsOriginAvailable(*origin->get_wstr()) )
+		{
+			AddResponseHeadersForOrigin(*origin->get_wstr());
+		}
+		else
+		{
+			cur->request->http_status = Header::status_204_no_content;
+			log << log2 << "FunctionBase: this origin: " << *origin->get_wstr() << " is not permitted for cors requests" << logend;
+		}
+
+		/*
+		 * https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
+		 * https://security.stackexchange.com/questions/151590/vary-origin-response-header-and-cors-exploitation
+		 * It's important to include the Vary: Origin header to prevent caching. The header indicates that the response
+		 * is in some way dependent on the origin and should therefore not be served from cache for any other origin.
+		 * If the header is missing, cache poisoning attacks might be possible
+		 */
+		cur->request->AddHeader(Header::very, Header::origin);
+	}
+	else
+	{
+		if( cur->request->method == Request::Method::options )
+		{
+			AddAllowMethodsHeader();
+		}
+	}
+}
+
+

 void FunctionBase::MakeGet()
 {
@@ -247,7 +411,7 @@ void FunctionBase::MakeGet()

 void FunctionBase::MakeHead()
 {
-	// by default call MakeGet() but do not return any content at the end of the request
+	// by default call MakeGet() but we do not return any content at the end of the request
 	MakeGet();
 }

@@ -271,65 +435,11 @@ void FunctionBase::MakeConnect()
 	// do nothing by default
 }

-
 void FunctionBase::MakeOptions()
 {
-	cur->request->http_status = Header::status_204_no_content;
-
-	pt::Space * cors_method = cur->request->headers_in.get_space_nc(L"Access_Control_Request_Method"); // FastCGI changes '-' to '_'
-	pt::Space * cors_headers = cur->request->headers_in.get_space_nc(L"Access_Control_Request_Headers");
-	pt::Space * cors_origin = cur->request->headers_in.get_space_nc(L"Origin");
-
-	if( cors_method && cors_origin && cors_method->is_wstr() && cors_origin->is_wstr() )
-	{
-		/*
-		 * this is a preflight request
-		 * https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
-		 * (we allow Access-Control-Request-Headers not to be present)
-		 */
-		Request::Method method = Request::CheckRequestMethod(cors_method->get_wstr()->c_str());
-		bool cors_available = false;
-
-		if( IsCorsMethodAvailable(method) && IsCorsOriginAvailable(*cors_origin->get_wstr()) )
-		{
-			cors_available = true;
-
-			if( cors_headers && cors_headers->is_wstr() )
-			{
-				cors_available = AreCorsHeadersAvailable(*cors_headers->get_wstr());
-			}
-		}
-
-		if( cors_available )
-		{
-			AddAccessControlAllowMethodsHeader(method);
-			AddAccessControlAllowOriginHeader(*cors_origin->get_wstr());
-			AddAccessControlMaxAgeHeader();
-
-			if( AreCorsCredentialsAvailable() )
-			{
-				AddAccessControlAllowCredentialsHeader();
-			}
-
-			if( cors_headers && cors_headers->is_wstr() )
-			{
-				AddAccessControlAllowHeadersHeader(*cors_headers->get_wstr());
-			}
-
-			log << log3 << "FunctionBase: cors requests are permitted" << logend;
-		}
-		else
-		{
-			log << log2 << "FunctionBase: cors requests are not permitted" << logend;
-		}
-	}
-	else
-	{
-		cur->request->out_headers.add(Header::allow, L"GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH");
-	}
+	// do nothing by default
 }

-
 void FunctionBase::MakeTrace()
 {
 	// do nothing by default
--- a/winixd/functions/functionbase.h
+++ b/winixd/functions/functionbase.h
@@ -111,6 +111,8 @@ public:

 	virtual bool HasAccess();

+	virtual void AddAllowMethodsHeader();
+
 	virtual bool IsCorsMethodAvailable(Request::Method method);
 	virtual bool IsCorsOriginAvailable(const std::wstring & origin_url);
 	virtual bool AreCorsCredentialsAvailable();
@@ -121,6 +123,11 @@ public:
 	virtual void AddAccessControlAllowHeadersHeader(const std::wstring & headers);
 	virtual void AddAccessControlMaxAgeHeader();
 	virtual void AddAccessControlAllowCredentialsHeader();
+	virtual void AddAccessControlExposeHeadersHeader();
+	virtual void AddCorsPreflightRequestHeaders(const std::wstring & origin, Request::Method method, const std::wstring * request_headers);
+	virtual void AddCorsNormalRequestHeaders(const std::wstring & origin);
+	virtual void AddResponseHeadersForOrigin(const std::wstring & origin);
+	virtual void CheckOriginHeader();


 	virtual void MakeGet();