feat: add regex support for origin validation in CORS configuration (#159)

appleboy · arizz96 · web-flow · commit 45b197ea81b6 · 2025-03-17T17:06:35.000+08:00
* Allow regexp on AllowOrigins

* Regexp AllowOrigins requires slashes at start and end

* Merge branch 'gin-contrib/master' into feature/regexp-origin-match

# Conflicts:
#	config.go
#	cors.go

* Optimization

* Add regexp origin tests

* Fix regexp allowed origin schema check

* refactor: refactor regular expression handling in schema validation

- Define a new `regexpBasedOrigin` variable for compiling the regular expression
- Replace inline regular expression compilation with the `regexpBasedOrigin` variable in `validateAllowedSchemas` function

Signed-off-by: Bo-Yi Wu &lt;appleboy.tw@gmail.com&gt;

* refactor: simplify origin validation with precompiled regex

- Define `originRegex` as a precompiled regular expression
- Simplify origin validation logic using `originRegex`
- Remove redundant regular expression compilation and matching logic

Signed-off-by: Bo-Yi Wu &lt;appleboy.tw@gmail.com&gt;

* refactor: refactor codebase for improved readability and maintainability

- Remove `exportloopref` linter from `.golangci.yml`
- Update regex pattern in `config.go` to use backticks instead of double quotes
- Refactor `validateOrigin` function for better readability by splitting a long line into two lines

Signed-off-by: Bo-Yi Wu &lt;appleboy.tw@gmail.com&gt;

---------

Signed-off-by: Bo-Yi Wu &lt;appleboy.tw@gmail.com&gt;
Co-authored-by: arizz96 &lt;arizz96@gmail.com&gt;
diff --git a/.golangci.yml b/.golangci.yml
@@ -7,7 +7,6 @@ linters:
     - dogsled
     - dupl
     - errcheck
-    - exportloopref
     - exhaustive
     - gochecknoinits
     - goconst
diff --git a/config.go b/config.go
@@ -2,6 +2,7 @@ package cors
 
 import (
 	"net/http"
+	"regexp"
 	"strings"
 
 	"github.com/gin-gonic/gin"
@@ -122,21 +123,32 @@ func (cors *cors) isOriginValid(c *gin.Context, origin string) bool {
 	return valid
 }
 
+var originRegex = regexp.MustCompile(`^/(.+)/[gimuy]?$`)
+
 func (cors *cors) validateOrigin(origin string) bool {
 	if cors.allowAllOrigins {
 		return true
 	}
+
 	for _, value := range cors.allowOrigins {
-		if value == origin {
+		if !originRegex.MatchString(value) && value == origin {
+			return true
+		}
+
+		if originRegex.MatchString(value) &&
+			regexp.MustCompile(originRegex.FindStringSubmatch(value)[1]).MatchString(origin) {
 			return true
 		}
 	}
+
 	if len(cors.wildcardOrigins) > 0 && cors.validateWildcardOrigin(origin) {
 		return true
 	}
+
 	if cors.allowOriginFunc != nil {
 		return cors.allowOriginFunc(origin)
 	}
+
 	return false
 }
 
diff --git a/cors.go b/cors.go
@@ -3,6 +3,7 @@ package cors
 import (
 	"errors"
 	"fmt"
+	"regexp"
 	"strings"
 	"time"
 
@@ -103,8 +104,17 @@ func (c Config) getAllowedSchemas() []string {
 	return allowedSchemas
 }
 
+var regexpBasedOrigin = regexp.MustCompile(`^\/(.+)\/[gimuy]?$`)
+
 func (c Config) validateAllowedSchemas(origin string) bool {
 	allowedSchemas := c.getAllowedSchemas()
+
+	if regexpBasedOrigin.MatchString(origin) {
+		// Normalize regexp-based origins
+		origin = regexpBasedOrigin.FindStringSubmatch(origin)[1]
+		origin = strings.Replace(origin, "?", "", 1)
+	}
+
 	for _, schema := range allowedSchemas {
 		if strings.HasPrefix(origin, schema) {
 			return true
diff --git a/cors_test.go b/cors_test.go
@@ -112,6 +112,21 @@ func TestBadConfig(t *testing.T) {
 			AllowOrigins: []string{"google.com"},
 		})
 	})
+	assert.Panics(t, func() {
+		New(Config{
+			AllowOrigins: []string{"/http://google.com"},
+		})
+	})
+	assert.Panics(t, func() {
+		New(Config{
+			AllowOrigins: []string{"http?://google.com"},
+		})
+	})
+	assert.Panics(t, func() {
+		New(Config{
+			AllowOrigins: []string{"http?://google.com/g"},
+		})
+	})
 }
 
 func TestNormalize(t *testing.T) {
@@ -296,6 +311,15 @@ func TestValidateOrigin(t *testing.T) {
 	assert.True(t, cors.validateOrigin("https://google.com"))
 	assert.True(t, cors.validateOrigin("example.com"))
 	assert.True(t, cors.validateOrigin("chrome-extension://random-extension-id"))
+
+	cors = newCors(Config{
+		AllowOrigins: []string{"/https?://(?:.+\\.)?google\\.com/g"},
+	})
+	assert.True(t, cors.validateOrigin("http://google.com"))
+	assert.True(t, cors.validateOrigin("https://google.com"))
+	assert.True(t, cors.validateOrigin("https://maps.google.com"))
+	assert.True(t, cors.validateOrigin("https://maps.test.google.com"))
+	assert.False(t, cors.validateOrigin("https://maps.google.it"))
 }
 
 func TestValidateTauri(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ package cors`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"net/http"`
	`5`	`+ "regexp"`
`5`	`6`	`"strings"`
`6`	`7`
`7`	`8`	`"github.com/gin-gonic/gin"`
`@@ -122,21 +123,32 @@ func (cors cors) isOriginValid(c gin.Context, origin string) bool {`
`122`	`123`	`return valid`
`123`	`124`	`}`
`124`	`125`
	`126`	+var originRegex = regexp.MustCompile(`^/(.+)/[gimuy]?$`)
	`127`	`+`
`125`	`128`	`func (cors *cors) validateOrigin(origin string) bool {`
`126`	`129`	`if cors.allowAllOrigins {`
`127`	`130`	`return true`
`128`	`131`	`}`
	`132`	`+`
`129`	`133`	`for _, value := range cors.allowOrigins {`
`130`		`- if value == origin {`
	`134`	`+ if !originRegex.MatchString(value) && value == origin {`
	`135`	`+ return true`
	`136`	`+ }`
	`137`	`+`
	`138`	`+ if originRegex.MatchString(value) &&`
	`139`	`+ regexp.MustCompile(originRegex.FindStringSubmatch(value)[1]).MatchString(origin) {`
`131`	`140`	`return true`
`132`	`141`	`}`
`133`	`142`	`}`
	`143`	`+`
`134`	`144`	`if len(cors.wildcardOrigins) > 0 && cors.validateWildcardOrigin(origin) {`
`135`	`145`	`return true`
`136`	`146`	`}`
	`147`	`+`
`137`	`148`	`if cors.allowOriginFunc != nil {`
`138`	`149`	`return cors.allowOriginFunc(origin)`
`139`	`150`	`}`
	`151`	`+`
`140`	`152`	`return false`
`141`	`153`	`}`
`142`	`154`