From 4204f7fe0395c8a7ef12537c0a3f1226e430e7d1 Mon Sep 17 00:00:00 2001
From: Aleksei Vesnin
Date: Tue, 8 Feb 2022 18:52:35 +0100
Subject: [PATCH 1/3] Escape dashes in origin pattern
---
 lib/cors.lua | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/cors.lua b/lib/cors.lua
index 6372278..f183928 100644
--- a/lib/cors.lua
+++ b/lib/cors.lua
@@ -61,8 +61,9 @@ M.build_pattern = function(pattern)
 pattern = pattern:gsub("[:]+%*$", "[:]+[0-9]+")
 end
 
- -- escape dots in pattern
+ -- escape dots and dashes in pattern
 pattern = pattern:gsub("%.", "%%.")
+ pattern = pattern:gsub("%-", "%%-")
 
 -- append end character
 pattern = pattern .. "$"
From 27a5539230d7761de4a8280b7e7e1b12d7503486 Mon Sep 17 00:00:00 2001
From: Aleksei Vesnin
Date: Tue, 8 Feb 2022 19:10:33 +0100
Subject: [PATCH 2/3] tests
---
 lib/cors.lua | 8 ++++----
 tests/cors_tests.lua | 13 +++++++++++--
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/lib/cors.lua b/lib/cors.lua
index f183928..b4a7e3c 100644
--- a/lib/cors.lua
+++ b/lib/cors.lua
@@ -56,15 +56,15 @@ M.build_pattern = function(pattern)
 pattern = "//" .. pattern
 end
 
+ -- escape dots and dashes in pattern
+ pattern = pattern:gsub("%.", "%%.")
+ pattern = pattern:gsub("%-", "%%-")
+
 -- an asterisk for the port means allow all ports
 if string.find(pattern, "[:]+%*$") ~= nil then
 pattern = pattern:gsub("[:]+%*$", "[:]+[0-9]+")
 end
 
- -- escape dots and dashes in pattern
- pattern = pattern:gsub("%.", "%%.")
- pattern = pattern:gsub("%-", "%%-")
-
 -- append end character
 pattern = pattern .. "$"
 return pattern
diff --git a/tests/cors_tests.lua b/tests/cors_tests.lua
index c8cf8d8..29b640b 100644
--- a/tests/cors_tests.lua
+++ b/tests/cors_tests.lua
@@ -96,6 +96,11 @@ function test_build_pattern_7()
 luaunit.assertEquals(result, "http://test%.com[:]+[0-9]+$")
 end
 
+function test_build_pattern_8()
+ local result = cors.build_pattern("te-st.com")
+ luaunit.assertEquals(result, "//te%-st%.com$")
+end
+
 function test_get_allowed_origin_case_1()
 local result = cors.get_allowed_origin("http://test.com", {"http://test.com"})
 luaunit.assertEquals(result, "http://test.com")
@@ -151,11 +156,15 @@ function test_get_allowed_origin_case_11()
 luaunit.assertEquals(result, "*")
 end
 
-
 function test_get_allowed_origin_case_12()
 local result = cors.get_allowed_origin("http://test.com:8080", {"http://test.com:*"})
 luaunit.assertEquals(result, "http://test.com:8080")
 end
 
+function test_get_allowed_origin_case_13()
+ local result = cors.get_allowed_origin("https://te-st.com", {"te-st.com"})
+ luaunit.assertEquals(result, "https://te-st.com")
+end
+
 -- this line must go at the end
-os.exit(luaunit.LuaUnit.run())
\ No newline at end of file
+os.exit(luaunit.LuaUnit.run())
From d6fc6b8484da0667c24c76b9f345b8b4d8573bfc Mon Sep 17 00:00:00 2001
From: Aleksei Vesnin
Date: Tue, 8 Feb 2022 19:55:08 +0100
Subject: [PATCH 3/3] escape optimized
---
 lib/cors.lua | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/cors.lua b/lib/cors.lua
index b4a7e3c..a1a2249 100644
--- a/lib/cors.lua
+++ b/lib/cors.lua
@@ -57,8 +57,7 @@ M.build_pattern = function(pattern)
 end
 
 -- escape dots and dashes in pattern
- pattern = pattern:gsub("%.", "%%.")
- pattern = pattern:gsub("%-", "%%-")
+ pattern = pattern:gsub("([%.%-])", "%%%1")
 
 -- an asterisk for the port means allow all ports
 if string.find(pattern, "[:]+%*$") ~= nil then
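Review bot: In tests/cors_tests.lua, test_get_allowed_origin_case_13 only proves that the dashed host is now accepted; no case pins that the allowlist entry stopped over-matching. With the dash unescaped, `e-` in `te-st.com` reads as a lazy repetition in a Lua pattern, so the entry would presumably have accepted a different host such as `test.com` (the matching call itself is outside the diff). A companion case that calls `cors.get_allowed_origin("https://test.com", {"te-st.com"})` and asserts whatever value the function returns for a rejected origin would lock the security-relevant half of the fix in place.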
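Review bot: The character class in `pattern:gsub("([%.%-])", "%%%1")` in lib/cors.lua escapes only `.` and `-`, so any other Lua pattern magic character in a configured origin (`+`, `?`, `[`, `]`, `(`, `)`, `^`, `$`, `%`) still acts as an operator when the origin allowlist is matched. A bracketed IPv6 literal or a typo in the configuration would then change what the entry matches instead of being compared literally. Consider `pattern = pattern:gsub("([%^%$%(%)%%%.%[%]%+%-%?])", "%%%1")`, leaving `*` out because the port check below relies on it, and extend the comment to say that the escape must stay ahead of the port expansion, which inserts an unescaped `[0-9]`. The start of build_pattern is outside the hunk, so confirm that no earlier line has already inserted pattern syntax that a wider escape would neutralise.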