isRequestOriginAllowed function returning random (invalid) results when Regex is used #151

Closed
2 tasks done
Tom-Brouwer opened this issue Sep 27, 2021 · 2 comments · Fixed by #152

Comments

@Tom-Brouwer
Contributor

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the bug has not already been reported

Fastify version

3.20.2

Plugin version

6.0.2

Node.js version

16.6.2

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

PopOS 20.04

Description

Every other request, the isRequestOriginAllowed function will return an invalid result in case a Regex is used.

The behaviour can be tracked back to this line in the code

The .test function is called, although this function retains state in the regex object. E.g. on first invocation, it will go through the regex until it is matched, and return the result. On second invocation, it will go through the remainder of the regex and reset, returning a wrong result. Then on the third invocation it produces the right result again. This behaviour is also described on the MDN page of the function:

> As with exec() (or in combination with it), test() called multiple times on the same global regular expression instance will advance past the previous match.

Steps to Reproduce

Initialize the plugin with a Regex or list of regexes:

fastify.register(require('fastify-cors'), {
  origin: new RegExp('floodtags.com', 'gi'),
  methods: ['OPTIONS', 'GET', 'POST'],
  credentials: true,
  allowedHeaders: ['Authorization'],
});

Now every other request from e.g. https://www.floodtags.com/ will not get the correct Access-Control-Allow-Origin header.

Expected Behavior

The 'isRequestOriginAllowed' should return the same result on every invocation.

This can be achieved by e.g. using the String.match function instead of Regex.test. I can submit a pull-request for this if needed, please let me know!

@mcollina
Member

Would you like to send a Pull Request to address this issue? Remember to add unit tests.

@Tom-Brouwer
Contributor Author

> Would you like to send a Pull Request to address this issue? Remember to add unit tests.

Ok, great! Please review the Pull-request above.

zekth pushed a commit that referenced this issue Feb 23, 2022
#152)

The 'isRequestOriginAllowed' function returned random results for
global regexes, since the .test function was used, and the output
of this function depends on previous invocations of the function. By
resetting the 'lastIndex', every invocation of the function should now
return the same result.

This also updates the corresponding test to use a global regex, and do
the same validation twice, in order to check consistency

fixes #151

Co-authored-by: Tom Brouwer <brouwer@floodtags.com>
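
The stateful `.test()` behaviour reported in the issue, next to the `lastIndex` reset named in the commit message, as an added example that is not part of the original thread or the plugin's source. The function names and the sample origins are assumptions; the pattern and flags are the ones from the report.

```javascript
// Origin checks in the style the issue describes. Function names are
// hypothetical and are not taken from the fastify-cors source.

// Buggy: on a regex with the g (or y) flag, test() starts matching at
// regex.lastIndex and updates lastIndex after every call.
function isAllowedStateful(origin, allowed) {
  return allowed.test(origin);
}

// Fix named in the commit message: reset lastIndex before each test.
function isAllowedReset(origin, allowed) {
  allowed.lastIndex = 0;
  return allowed.test(origin);
}

// Feed consecutive Origin values through ONE shared regex instance,
// the way a long-lived server process does across requests.
function simulateRequests(check, origins, allowed) {
  return origins.map((origin) => check(origin, allowed));
}

// Constructed sample Origin header values, one per request.
const origins = [
  'https://www.floodtags.com',
  'https://floodtags.com',
  'https://www.floodtags.com',
  'https://floodtags.com',
];

// Global regex, plain test(): the result depends on the previous request.
const buggy = simulateRequests(isAllowedStateful, origins, new RegExp('floodtags.com', 'gi'));

// Global regex, lastIndex reset first: every request is evaluated from index 0.
const fixed = simulateRequests(isAllowedReset, origins, new RegExp('floodtags.com', 'gi'));

// Without the g flag, test() ignores lastIndex, so the plain call is stable.
const nonGlobal = simulateRequests(isAllowedStateful, origins, new RegExp('floodtags.com', 'i'));

console.log('g flag, plain test():   ', buggy);
console.log('g flag, lastIndex reset:', fixed);
console.log('no g flag, plain test():', nonGlobal);
```

The second and fourth requests fail in the buggy run even though they carry a different origin than the request before them, which shows the state lives in the shared regex object rather than in any one request.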