From d9d79e930dff6218a873f4f02115df61c38b15db Mon Sep 17 00:00:00 2001
From: Kevin Wan
Date: Sat, 4 Mar 2023 23:34:11 +0800
Subject: [PATCH] Merge pull request from GHSA-fgxv-gw55-r5fq
* fix: Authorization Bypass Through User-Controlled Key
* chore: add not safe domain test
---
 rest/internal/cors/handlers.go | 12 +++++++++---
 rest/internal/cors/handlers_test.go | 5 +++++
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/rest/internal/cors/handlers.go b/rest/internal/cors/handlers.go
index e2a64b749..58187bcba 100644
--- a/rest/internal/cors/handlers.go
+++ b/rest/internal/cors/handlers.go
@@ -77,12 +77,18 @@ func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string
 }
 
 func isOriginAllowed(allows []string, origin string) bool {
-	for _, o := range allows {
-		if o == allOrigins {
+	origin = strings.ToLower(origin)
+	for _, allow := range allows {
+		if allow == allOrigins {
 			return true
 		}
 
-		if strings.HasSuffix(origin, o) {
+		allow = strings.ToLower(allow)
+		if origin == allow {
+			return true
+		}
+
+		if strings.HasSuffix(origin, "."+allow) {
 			return true
 		}
 	}
diff --git a/rest/internal/cors/handlers_test.go b/rest/internal/cors/handlers_test.go
index 2082228a5..c9de97a33 100644
--- a/rest/internal/cors/handlers_test.go
+++ b/rest/internal/cors/handlers_test.go
@@ -53,6 +53,11 @@ func TestCorsHandlerWithOrigins(t *testing.T) {
 			origins: []string{"http://local", "http://remote"},
 			reqOrigin: "http://another",
 		},
+		{
+			name: "not safe origin",
+			origins: []string{"safe.com"},
+			reqOrigin: "not-safe.com",
+		},
 	}
 
 	methods := []string{
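Review bot: With a bare-host entry such as `safe.com`, the new rules accept `http://api.safe.com` through `strings.HasSuffix(origin, "."+allow)` but reject the apex origin `http://safe.com` itself, because the exact-equality branch compares the whole Origin string (scheme included) and `/safe.com` is not the `.safe.com` suffix; a scheme-bearing entry such as `http://local` (the form used in the handlers_test.go table) conversely matches only by exact equality. That asymmetry comes from matching on the raw header string rather than on its host, and neither the function nor the commit message says which form the allow list is meant to hold. A host-based comparison — `url.Parse` the origin once and compare `u.Hostname()` with the entry (and the scheme when the entry carries one) — would make both forms behave consistently; short of that, a doc comment should state the contract: `// isOriginAllowed reports whether origin matches an allow entry: "*" matches any origin; otherwise the comparison is case-insensitive and succeeds on exact equality with the full origin string or when origin ends in "."+entry.` isOriginAllowed's final return and closing brace are outside the hunk.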
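Review bot: The new row pins only the prefix-collision rejection (`safe.com` against `not-safe.com`); nothing in this table exercises the two branches the fix introduced, so a regression in the `"."+allow` suffix rule or in the `strings.ToLower` folding would still pass. Two further rows against `origins: []string{"safe.com"}` — `reqOrigin: "http://api.safe.com"` (accepted by the new suffix rule) and `reqOrigin: "http://safe.com"` (currently rejected, which looks unintended and is worth documenting either way) — would make the intended behaviour explicit. How a row records its expected outcome is decided outside this hunk, so the shape of those rows must follow the rest of the table; TestCorsHandlerWithOrigins starts before the hunk and continues after it.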