Bug 1813799 - CORS allowed origin is too lenient
Summary: CORS allowed origin is too lenient
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assignee: Latha S
QA Contact: Xiaoli Tian
Docs Contact: Latha S
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-16 06:19 UTC by Jason Shepherd
Modified: 2022-08-08 10:07 UTC
CC: 1 user

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-08 10:07:32 UTC
Target Upstream Version:
Embargoed:



Description Jason Shepherd 2020-03-16 06:19:58 UTC
Document URL: 
https://docs.openshift.com/container-platform/3.11/architecture/infrastructure_components/web_console.html#overview

Section Number and Name: 
Overview

Describe the issue: 
The CORS allowed origin regex has a vulnerability, see https://access.redhat.com/security/cve/CVE-2020-1741

Suggestions for improvement: 
Replace:
---
corsAllowedOrigins:
- (?i)//my\.subdomain\.domain\.com(:|\z)
The (?i) makes it case-insensitive.

The // pins to the beginning of the domain (and matches the double slash following http: or https:).

The \. escapes dots in the domain name.

The (:|\z) matches the end of the domain name (\z) or a port separator (:).
---

With:
---
corsAllowedOrigins:
- ^(?i)https://my\.subdomain\.domain\.com(:|\z)
The ^ matches the start of the string.

The (?i) makes it case-insensitive.

The \. escapes dots in the domain name.

The (:|\z) matches the end of the domain name (\z) or a port separator (:).
---


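Added example, not part of the bug report and not OpenShift's own code: a small Go program that runs the two corsAllowedOrigins patterns quoted above against a handful of constructed Origin header values, so the effect of the missing ^ (and of the https:// prefix) can be seen directly. The pattern syntax in the report ((?i), \z) is Go regexp syntax, and the example assumes, as the API server's CORS filter does, that each entry is compiled as a regular expression and checked against the whole Origin header with MatchString. Only my.subdomain.domain.com comes from the report; every other hostname below is made up for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// The two corsAllowedOrigins entries from the report: the pattern the
// 3.11 documentation showed, and the anchored replacement it proposes.
const (
	LenientPattern  = `(?i)//my\.subdomain\.domain\.com(:|\z)`
	AnchoredPattern = `^(?i)https://my\.subdomain\.domain\.com(:|\z)`
)

// OriginAllowed reports whether origin, the raw value of a request's Origin
// header, matches at least one configured pattern. Each entry is treated as
// a Go regular expression and tested with MatchString, which succeeds when
// the pattern matches anywhere in the string unless the pattern itself
// anchors to the start (^) or the end (\z). Mirroring the API server's CORS
// filter this way is an assumption of the example, not code taken from it.
func OriginAllowed(patterns []string, origin string) bool {
	for _, p := range patterns {
		if regexp.MustCompile(p).MatchString(origin) {
			return true
		}
	}
	return false
}

// Sample Origin values, constructed for this example. Only
// my.subdomain.domain.com appears in the report; the other hosts are made up.
var SampleOrigins = []string{
	"https://my.subdomain.domain.com",               // the intended origin
	"HTTPS://MY.SUBDOMAIN.DOMAIN.COM:8443",          // case and port variants
	"http://my.subdomain.domain.com",                // plain-http scheme
	"https://my.subdomain.domain.com.evil.example",  // host as a prefix of a longer one
	"https://xmy.subdomain.domain.com",              // host as a suffix of a longer one
	"https://evil.example//my.subdomain.domain.com", // "//host" buried after other text
}

// Verdict records how each pattern judges one origin.
type Verdict struct {
	Origin   string
	Lenient  bool
	Anchored bool
}

// Compare evaluates every origin against both patterns.
func Compare(origins []string) []Verdict {
	out := make([]Verdict, 0, len(origins))
	for _, o := range origins {
		out = append(out, Verdict{
			Origin:   o,
			Lenient:  OriginAllowed([]string{LenientPattern}, o),
			Anchored: OriginAllowed([]string{AnchoredPattern}, o),
		})
	}
	return out
}

func main() {
	fmt.Printf("%-48s %-8s %s\n", "Origin", "lenient", "anchored")
	for _, v := range Compare(SampleOrigins) {
		fmt.Printf("%-48s %-8t %t\n", v.Origin, v.Lenient, v.Anchored)
	}
}
```

Both patterns reject the prefix and suffix cases, which is what the leading // and the trailing (:|\z) are for. The rows that differ show what the replacement adds: the anchored pattern refuses the plain-http origin because it pins the scheme, and it refuses the value where //my.subdomain.domain.com appears after other text because ^ forces the match to begin at the first character of the header, whereas MatchString with the unanchored pattern accepts it wherever the substring occurs.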