CVE-2024-6844 #385

@danizen

Description

Hi, I hope you are aware of CVE-2024-6844. I am trying to justify using work-time to contribute a fix through our Open Source Office, but I didn't see a clear issue so I wanted to make you aware of the issue.

Claimed Exploit

Target domain for CORS could be spoofed by registering a similar domain with spaces where + is supposed to be (or vice versa).

How to reproduce

Run one service on http://spoof.local:8080/service+path and another local server on http://spoof.local:8080/service path. Configure CORS to allow one but not the other. Manipulate requested domain to get authorization on incorrect domain.

How it affects me

My team uses flask-cors indirectly because we need to run moto[server] to mock AWS S3. We register a test bucket and file s3://test-bucket/sample.csv. Because moto is running a Flask service on an ephemeral port, we can then start Spark within our Python process and have it connect to that mocked S3, allowing us to run our full Glue script as a local test (without containers).

I have a contractor switching to using testcontainers, but think it would be good to fix the underlying issue.
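To make the "+ versus space" confusion from the report concrete, here is an added example that is not the reporter's code and not flask-cors's own implementation: a deliberately simplified resource matcher (an assumption, used only to model the behaviour) that decodes the request path with `urllib.parse.unquote_plus`, which rewrites `+` as a space, beside a corrected variant that uses `unquote`, which percent-decodes but leaves a literal `+` alone. The resource table and paths are constructed for the example.

```python
from urllib.parse import unquote, unquote_plus

# Constructed CORS resource table (assumed model, not flask-cors config):
# the path with a space is meant to be reachable cross-origin, the path
# with a literal plus is a separate endpoint that allows no origins.
RESOURCES = {
    "/service path": {"https://app.example.test"},
    "/service+path": set(),
}


def _lookup(decoded_path, resources):
    """Return the set of origins allowed for an already-decoded path."""
    return resources.get(decoded_path, set())


def allowed_origins_plus_decoding(raw_path, resources=RESOURCES):
    """Weak variant: unquote_plus turns '+' into ' ', so a request for the
    restricted '/service+path' is matched as the open '/service path'."""
    return _lookup(unquote_plus(raw_path), resources)


def allowed_origins_strict_decoding(raw_path, resources=RESOURCES):
    """Corrected variant: unquote percent-decodes ('%20' -> ' ') but keeps
    a literal '+', so the two configured paths stay distinct."""
    return _lookup(unquote(raw_path), resources)


def allow_origin_header(raw_path, origin, strict=True):
    """Value for Access-Control-Allow-Origin, or None when the origin is
    not permitted for the requested path under the chosen decoding."""
    matcher = allowed_origins_strict_decoding if strict else allowed_origins_plus_decoding
    return origin if origin in matcher(raw_path) else None


if __name__ == "__main__":
    for raw in ("/service+path", "/service%20path"):
        print(raw,
              "plus-decoding:", sorted(allowed_origins_plus_decoding(raw)),
              "strict:", sorted(allowed_origins_strict_decoding(raw)))
```

Under the weak decoding the restricted `/service+path` inherits the open path's origin list, while the strict decoding still honours a properly encoded `/service%20path` request.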
