[cors] Reject user info in Origins

Playacem · Nov 2, 2024 · 7c953cb · 7c953cb
1 parent 53e0ea0
commit 7c953cb
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/javalin/src/main/java/io/javalin/plugin/bundled/CorsUtils.kt b/javalin/src/main/java/io/javalin/plugin/bundled/CorsUtils.kt
@@ -61,6 +61,9 @@ internal object CorsUtils {
             if (uri.path.isNullOrEmpty().not()) {
                 return false
             }
+            if (uri.userInfo.isNullOrEmpty().not()) {
+                return false
+            }
             if (uri.query.isNullOrEmpty().not()) {
                 return false
             }

diff --git a/javalin/src/test/java/io/javalin/TestCorsUtils.kt b/javalin/src/test/java/io/javalin/TestCorsUtils.kt
@@ -61,7 +61,7 @@ class TestCorsUtils {
 
         @ParameterizedTest
         @EmptySource
-        @CsvSource(value = ["://no-scheme", "o_O://illegal-underscore", "https://example.com/", "https://example.com?query=true", "https://example.com:fakeport", "https://example.com:8${SHAN_ZERO}", "https://example.com:8${BOLD_ZERO}", "https://example.com#fragment"])
+        @CsvSource(value = ["://no-scheme", "o_O://illegal-underscore", "https://example.com/", "https://example.com?query=true", "https://example.com:fakeport", "https://example.com:8${SHAN_ZERO}", "https://example.com:8${BOLD_ZERO}", "https://example.com#fragment", "https://user:[email protected]"])
         fun `rejects invalid origins`(it: String) {
             assertThat(CorsUtils.isValidOrigin(it)).describedAs(it).isFalse
         }
@@ -80,7 +80,7 @@ class TestCorsUtils {
 
         @ParameterizedTest
         @EmptySource
-        @CsvSource(value = ["://no-scheme", "o_O://illegal-underscore", "https://example.com/", "https://example.com?query=true", "https://example.com:fakeport", "https://example.com:8${SHAN_ZERO}", "https://example.com:8${BOLD_ZERO}", "https://example.com#fragment"])
+        @CsvSource(value = ["://no-scheme", "o_O://illegal-underscore", "https://example.com/", "https://example.com?query=true", "https://example.com:fakeport", "https://example.com:8${SHAN_ZERO}", "https://example.com:8${BOLD_ZERO}", "https://example.com#fragment", "https://user:[email protected]"])
         fun `rejects invalid origins JDK`(it: String) {
             assertThat(CorsUtils.isValidOriginJdk(it)).describedAs(it).isFalse
         }
@@ -245,6 +245,11 @@ class TestCorsUtils {
             assertThat(scheme).isEqualTo("https")
             assertThat(host).isEqualTo("example.com")
             assertThat(port).isEqualTo(443)
+
+            val (scheme2, host2, port2) = CorsUtils.parseAsOriginPartsJdk("http://example.com")
+            assertThat(scheme2).isEqualTo("http")
+            assertThat(host2).isEqualTo("example.com")
+            assertThat(port2).isEqualTo(80)
         }
 
         @Test