Bug 1813799

Summary: CORS allowed origin is too lenient
Product: OpenShift Container Platform Reporter: Jason Shepherd <jshepherd>
Component: DocumentationAssignee: Latha S <lmurthy>
Status: CLOSED WONTFIX QA Contact: Xiaoli Tian <xtian>
Severity: unspecified Docs Contact: Latha S <lmurthy>
Priority: unspecified    
Version: 3.11.0CC: aos-bugs
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-08 10:07:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jason Shepherd 2020-03-16 06:19:58 UTC 
Document URL: 
https://docs.openshift.com/container-platform/3.11/architecture/infrastructure_components/web_console.html#overview

Section Number and Name: 
Overview

Describe the issue: 
The CORS allowed origin regex has a vulnerability, see https://access.redhat.com/security/cve/CVE-2020-1741

Suggestions for improvement: 
Replace:
---
corsAllowedOrigins:
- (?i)//my\.subdomain\.domain\.com(:|\z)
The (?i) makes it case-insensitive.

The // pins to the beginning of the domain (and matches the double slash following http: or https:).

The \. escapes dots in the domain name.

The (:|\z) matches the end of the domain name (\z) or a port separator (:).
---

With:
---
corsAllowedOrigins:
- ^(?i)https://my\.subdomain\.domain\.com(:|\z)
The ^ matches the start of the string.

The (?i) makes it case-insensitive.

The \. escapes dots in the domain name.

The (:|\z) matches the end of the domain name (\z) or a port separator (:).
---