package main
import (
"net/http"
"time"
"github.com/gin-contrib/cors"
"github.com/gin-gonic/gin"
)
// vunlnerable builds a gin router whose CORS policy trusts the "null"
// origin while also sharing credentials.
//
// Allowed origins: "null" and https://foo.com
//   - PUT and PATCH methods
//   - Origin header
//   - Credentials shared
//   - Preflight responses cached for 12 hours
//
// "null" is not a real site: browsers send Origin: null for sandboxed
// iframes, file:// pages and some cross-origin redirects, so any page can
// obtain it. Accepting it together with AllowCredentials lets such a page
// read authenticated responses cross-origin, which is the defect this
// sample demonstrates.
//
// NOTE(review): gin-contrib/cors validates AllowOrigins inside cors.New;
// depending on the pinned version an entry without an http/https scheme
// such as "null" may be rejected at startup — confirm against go.mod.
func vunlnerable() {
	engine := gin.Default()

	policy := cors.Config{
		AllowCredentials: true,
		AllowHeaders:     []string{"Origin"},
		AllowMethods:     []string{"PUT", "PATCH"},
		ExposeHeaders:    []string{"Content-Length"},
		MaxAge:           12 * time.Hour,
	}
	// Origins are assigned after construction; "null" is the unsafe entry.
	policy.AllowOrigins = []string{"null", "https://foo.com"}

	engine.Use(cors.New(policy))
	engine.GET("/", func(ctx *gin.Context) {
		ctx.String(http.StatusOK, "hello world")
	})
	engine.Run()
}
// safe builds a gin router whose CORS policy admits exactly one origin.
//
// Allowed origin: https://foo.com
//   - PUT and PATCH methods
//   - Origin header
//   - Credentials shared
//   - Preflight responses cached for 12 hours
//
// Sharing credentials is acceptable here because the allow list is a
// single hard-coded https origin; nothing is taken from the request.
func safe() {
	engine := gin.Default()

	policy := cors.Config{
		AllowCredentials: true,
		AllowHeaders:     []string{"Origin"},
		AllowMethods:     []string{"PUT", "PATCH"},
		ExposeHeaders:    []string{"Content-Length"},
		MaxAge:           12 * time.Hour,
	}
	// Origin list is assigned after construction, as in the other samples.
	policy.AllowOrigins = []string{"https://foo.com"}

	engine.Use(cors.New(policy))
	engine.GET("/", func(ctx *gin.Context) {
		ctx.String(http.StatusOK, "hello world")
	})
	engine.Run()
}
// AllowAllTrue builds a gin router with AllowAllOrigins enabled, i.e. a
// wildcard Access-Control-Allow-Origin: * policy.
//
// Allowed origins: "*" (AllowAllOrigins), plus an AllowOrigins entry of "null"
//   - PUT and PATCH methods
//   - Origin header
//   - Credentials shared
//   - Preflight responses cached for 12 hours
//
// The sample is labelled safe because browsers refuse to expose a
// credentialed response whose Access-Control-Allow-Origin is the literal
// "*", so AllowCredentials has no effect on what a cross-origin page can
// read under a wildcard.
//
// NOTE(review): AllowOrigins is set alongside AllowAllOrigins. gin-contrib/cors
// validates the config in cors.New and may treat that combination (or the
// scheme-less "null" entry) as a conflict and panic at startup — confirm
// against the pinned module version.
func AllowAllTrue() {
	engine := gin.Default()

	policy := cors.Config{
		AllowCredentials: true,
		AllowHeaders:     []string{"Origin"},
		AllowMethods:     []string{"PUT", "PATCH"},
		ExposeHeaders:    []string{"Content-Length"},
		MaxAge:           12 * time.Hour,
	}
	// Both origin settings are assigned after construction; the wildcard
	// flag is the one this sample exercises.
	policy.AllowOrigins = []string{"null"}
	policy.AllowAllOrigins = true

	engine.Use(cors.New(policy))
	engine.GET("/", func(ctx *gin.Context) {
		ctx.String(http.StatusOK, "hello world")
	})
	engine.Run()
}
// NoVariableVulnerable is the same "null"-origin defect as vunlnerable, but
// the cors.Config is passed inline to cors.New rather than built in a local
// first — a scanner must catch both shapes.
//
// Allowed origins: "null" and https://foo.com
//   - GET and POST methods
//   - Origin header
//   - Credentials shared
//   - Preflight responses cached for 12 hours
//
// Any sandboxed or file:// page can present Origin: null, so accepting it
// with AllowCredentials exposes authenticated responses cross-origin.
//
// NOTE(review): gin-contrib/cors validates AllowOrigins inside cors.New;
// depending on the pinned version the scheme-less "null" entry may be
// rejected at startup — confirm against go.mod.
func NoVariableVulnerable() {
	engine := gin.Default()

	engine.Use(cors.New(cors.Config{
		AllowCredentials: true,
		AllowHeaders:     []string{"Origin"},
		AllowMethods:     []string{"GET", "POST"},
		AllowOrigins:     []string{"null", "https://foo.com"},
		ExposeHeaders:    []string{"Content-Length"},
		MaxAge:           12 * time.Hour,
	}))
	engine.GET("/", func(ctx *gin.Context) {
		ctx.String(http.StatusOK, "hello world")
	})
	engine.Run()
}