Merge pull request #8954 from jackyalbo/jacky-cors-fixes

jackyalbo · web-flow · commit d3ce5e982244 · 2025-04-09T14:50:11.000+03:00
Rejecting wildcard('*') in expose headers - like AWS
diff --git a/src/endpoint/s3/ops/s3_put_bucket_cors.js b/src/endpoint/s3/ops/s3_put_bucket_cors.js
@@ -17,6 +17,13 @@ async function put_bucket_cors(req) {
                 message: `Found unsupported HTTP method in CORS config. Unsupported method is ${unsupported_method}`
             });
         }
+        const wildcard_expose_header = rule.ExposeHeader?.find(item => item.includes('*'));
+        if (wildcard_expose_header) {
+            throw new S3Error({
+                ...S3Error.InvalidRequest,
+                message: `ExposeHeader "${wildcard_expose_header}" contains wildcard. We currently do not support wildcard for ExposeHeader.`
+            });
+        }
         return _.omitBy({
             allowed_headers: rule.AllowedHeader,
             allowed_methods: rule.AllowedMethod,
diff --git a/src/test/unit_tests/test_s3_ops.js b/src/test/unit_tests/test_s3_ops.js
@@ -532,6 +532,29 @@ mocha.describe('s3_ops', function() {
             }
         });
 
+        mocha.it('should fail on wildcar in ExposeHeader', async function() {
+            const wildcard_expose_header = "x-amz-server-side-*";
+            const params = {
+                Bucket: "cors-bucket",
+                CORSConfiguration: {
+                    CORSRules: [{
+                        AllowedOrigins: ["http://www.example.com"],
+                        AllowedMethods: ["PUT", "POST", "DELETE"],
+                        ExposeHeaders: ["Content-Length", wildcard_expose_header]
+                    }]
+                }
+            };
+            try {
+                await s3.putBucketCors(params);
+                assert.fail(`should reject put bucket cors with wildcar expose header ${wildcard_expose_header}`);
+            } catch (err) {
+                assert.strictEqual(err.Code, 'InvalidRequest',
+                    `ExposeHeader "${wildcard_expose_header}" contains wildcard. We currently do not support wildcard for ExposeHeader.`
+                );
+                assert.strictEqual(err.$metadata.httpStatusCode, 400);
+            }
+        });
+
         mocha.after(async function() {
             await s3.deleteBucket({ Bucket: "cors-bucket" });
         });
