Merge pull request from GHSA-qxrj-hx23-xp82

fengmk2 · web-flow · commit f31dac99f535 · 2023-12-11T09:46:27.000+08:00
This is a security update for the Same Origin Policy (SOP), and also a BREAKING CHANGE. closes GHSA-qxrj-hx23-xp82
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -12,8 +12,6 @@ on:
     branches:
       - main
       - master
-  schedule:
-    - cron: '0 2 * * *'
 
 jobs:
   build:
@@ -22,7 +20,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [14, 16, 18]
+        node-version: [14, 16, 18, 20]
         os: [ubuntu-latest]
 
     steps:
diff --git a/README.md b/README.md
@@ -1,5 +1,4 @@
-@koa/cors
-=======
+# @koa/cors
 
 [![NPM version][npm-image]][npm-url]
 [![Node.js CI](https://github.com/koajs/cors/actions/workflows/nodejs.yml/badge.svg)](https://github.com/koajs/cors/actions/workflows/nodejs.yml)
@@ -43,7 +42,8 @@ app.use(cors());
  * CORS middleware
  *
  * @param {Object} [options]
- *  - {String|Function(ctx)} origin `Access-Control-Allow-Origin`, default is request Origin header
+ *  - {String|Function(ctx)} origin `Access-Control-Allow-Origin`, default is '*'
+ *    If `credentials` set and return `true, the `origin` default value will set to the request `Origin` header
  *  - {String|Array} allowMethods `Access-Control-Allow-Methods`, default is 'GET,HEAD,PUT,POST,DELETE,PATCH'
  *  - {String|Array} exposeHeaders `Access-Control-Expose-Headers`
  *  - {String|Array} allowHeaders `Access-Control-Allow-Headers`
@@ -57,6 +57,18 @@ app.use(cors());
  */
 ```
 
+## Breaking change between 5.0 and 4.0
+
+The default `origin` is set to `*`, if you want to keep the 4.0 behavior, you can set the `origin` handler like this:
+
+```js
+app.use(cors({
+  origin(ctx) {
+    return ctx.get('Origin') || '*';
+  },
+}));
+```
+
 ## License
 
 [MIT](./LICENSE)
diff --git a/index.js b/index.js
@@ -1,12 +1,11 @@
-'use strict';
-
 const vary = require('vary');
 
 /**
  * CORS middleware
  *
  * @param {Object} [options]
- *  - {String|Function(ctx)} origin `Access-Control-Allow-Origin`, default is request Origin header
+ *  - {String|Function(ctx)} origin `Access-Control-Allow-Origin`, default is '*'
+ *    If `credentials` set and return `true, the `origin` default value will set to the request `Origin` header
  *  - {String|Array} allowMethods `Access-Control-Allow-Methods`, default is 'GET,HEAD,PUT,POST,DELETE,PATCH'
  *  - {String|Array} exposeHeaders `Access-Control-Expose-Headers`
  *  - {String|Array} allowHeaders `Access-Control-Allow-Headers`
@@ -61,9 +60,11 @@ module.exports = function(options) {
     let origin;
     if (typeof options.origin === 'function') {
       origin = await options.origin(ctx);
-      if (!origin) return await next();
+      if (!origin) {
+        return await next();
+      }
     } else {
-      origin = options.origin || requestOrigin;
+      origin = options.origin || '*';
     }
 
     let credentials;
diff --git a/package.json b/package.json
@@ -46,7 +46,7 @@
     "node": ">= 14.0.0"
   },
   "ci": {
-    "version": "14, 16, 18",
+    "version": "14, 16, 18, 20",
     "os": "linux"
   },
   "author": "fengmk2 <fengmk2@gmail.com> (http://github.com/fengmk2)",
diff --git a/test/cors.test.js b/test/cors.test.js
@@ -1,5 +1,3 @@
-'use strict';
-
 const assert = require('assert');
 const Koa = require('koa');
 const request = require('supertest');
@@ -13,22 +11,19 @@ describe('cors.test.js', function() {
       ctx.body = { foo: 'bar' };
     });
 
-    it('should not set `Access-Control-Allow-Origin` when request Origin header missing', function(done) {
+    it('should set `Access-Control-Allow-Origin` to `*` when request Origin header missing', function(done) {
       request(app.listen())
         .get('/')
         .expect({ foo: 'bar' })
-        .expect(200, function(err, res) {
-          assert(!err);
-          assert(!res.headers['access-control-allow-origin']);
-          done();
-        });
+        .expect('access-control-allow-origin', '*')
+        .expect(200, done);
     });
 
-    it('should set `Access-Control-Allow-Origin` to request origin header', function(done) {
+    it('should set `Access-Control-Allow-Origin` to `*`', function(done) {
       request(app.listen())
         .get('/')
         .set('Origin', 'http://koajs.com')
-        .expect('Access-Control-Allow-Origin', 'http://koajs.com')
+        .expect('Access-Control-Allow-Origin', '*')
         .expect({ foo: 'bar' })
         .expect(200, done);
     });
@@ -38,7 +33,7 @@ describe('cors.test.js', function() {
         .options('/')
         .set('Origin', 'http://koajs.com')
         .set('Access-Control-Request-Method', 'PUT')
-        .expect('Access-Control-Allow-Origin', 'http://koajs.com')
+        .expect('Access-Control-Allow-Origin', '*')
         .expect('Access-Control-Allow-Methods', 'GET,HEAD,PUT,POST,DELETE,PATCH')
         .expect(204, done);
     });
@@ -87,6 +82,44 @@ describe('cors.test.js', function() {
     });
   });
 
+  describe('options.origin set the request Origin header', function() {
+    const app = new Koa();
+    app.use(cors({
+      origin(ctx) {
+        return ctx.get('Origin') || '*';
+      },
+    }));
+    app.use(function(ctx) {
+      ctx.body = { foo: 'bar' };
+    });
+
+    it('should set `Access-Control-Allow-Origin` to request `Origin` header', function(done) {
+      request(app.listen())
+        .get('/')
+        .set('Origin', 'http://koajs.com')
+        .expect('Access-Control-Allow-Origin', 'http://koajs.com')
+        .expect({ foo: 'bar' })
+        .expect(200, done);
+    });
+
+    it('should set `Access-Control-Allow-Origin` to request `origin` header', function(done) {
+      request(app.listen())
+        .get('/')
+        .set('origin', 'http://origin.koajs.com')
+        .expect('Access-Control-Allow-Origin', 'http://origin.koajs.com')
+        .expect({ foo: 'bar' })
+        .expect(200, done);
+    });
+
+    it('should set `Access-Control-Allow-Origin` to `*`, even if no Origin is passed on request', function(done) {
+      request(app.listen())
+        .get('/')
+        .expect('Access-Control-Allow-Origin', '*')
+        .expect({ foo: 'bar' })
+        .expect(200, done);
+    });
+  });
+
   describe('options.secureContext=true', function() {
     const app = new Koa();
     app.use(cors({
@@ -651,7 +684,11 @@ describe('cors.test.js', function() {
   describe('options.headersKeptOnError', function() {
     it('should keep CORS headers after an error', function(done) {
       const app = new Koa();
-      app.use(cors());
+      app.use(cors({
+        origin(ctx) {
+          return ctx.get('Origin') || '*';
+        },
+      }));
       app.use(function(ctx) {
         ctx.body = { foo: 'bar' };
         throw new Error('Whoops!');
@@ -668,7 +705,11 @@ describe('cors.test.js', function() {
 
     it('should not affect OPTIONS requests', function(done) {
       const app = new Koa();
-      app.use(cors());
+      app.use(cors({
+        origin(ctx) {
+          return ctx.get('Origin') || '*';
+        },
+      }));
       app.use(function(ctx) {
         ctx.body = { foo: 'bar' };
         throw new Error('Whoops!');
@@ -684,7 +725,11 @@ describe('cors.test.js', function() {
 
     it('should not keep unrelated headers', function(done) {
       const app = new Koa();
-      app.use(cors());
+      app.use(cors({
+        origin(ctx) {
+          return ctx.get('Origin') || '*';
+        },
+      }));
       app.use(function(ctx) {
         ctx.body = { foo: 'bar' };
         ctx.set('X-Example', 'Value');
@@ -752,6 +797,7 @@ describe('cors.test.js', function() {
         .expect(200, done);
     });
   });
+
   describe('other middleware has set vary header on Error', function() {
     it('should append `Origin to other `Vary` header', function(done) {
       const app = new Koa();
