public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddDefaultPolicy(builder =>
{
builder.WithOrigins("*"); // Noncompliant
builder.WithOrigins(Star); // Noncompliant
builder.WithOrigins("*", "*", "*"); // Noncompliant
});
options.AddPolicy("EnableAllPolicy", builder =>
{
builder.WithOrigins("https://trustedwebsite.com", "*"); // Noncompliant
});
options.AddPolicy("OtherPolicy", builder =>
{
builder.AllowAnyOrigin(); // Noncompliant
});
options.AddPolicy("Safe", builder =>
{
builder.WithOrigins("https://trustedwebsite.com", "https://anothertrustedwebsite.com");
});
options.AddPolicy("MyAllowSubdomainPolicy", builder =>
{
builder.WithOrigins("https://*.example.com")
.SetIsOriginAllowedToAllowWildcardSubdomains();
});
var unsafeBuilder = new CorsPolicyBuilder("*"); // Noncompliant
options.AddPolicy("UnsafeBuilder", unsafeBuilder.Build());
var unsafeBuilderWithAlias = new CPB("*"); // FN - for performance reasons type alias is not supported
options.AddPolicy("UnsafeBuilderWithAlias", unsafeBuilderWithAlias.Build());
var safeBuilder = new CorsPolicyBuilder("https://trustedwebsite.com");
options.AddPolicy("SafeBuilder", safeBuilder.Build());
CorsPolicyBuilder builder = new ("*"); // FN
builder = new CorsPolicyBuilder {
};
});
services.AddControllers();
}
public void AllowAnyHeaders_AllowsAny()
{
// Arrange
var builder = new CorsPolicyBuilder();
// Act
builder.AllowAnyHeader();
// Assert
var corsPolicy = builder.Build();
Assert.True(corsPolicy.AllowAnyHeader);
Assert.Equal(new List <string>()
{
"*"
}, corsPolicy.Headers);
}
public void WithHeaders_AddsHeaders()
{
// Arrange
var builder = new CorsPolicyBuilder();
// Act
builder.WithHeaders("example1", "example2");
// Assert
var corsPolicy = builder.Build();
Assert.False(corsPolicy.AllowAnyHeader);
Assert.Equal(new List <string>()
{
"example1", "example2"
}, corsPolicy.Headers);
}
public void WithMethods_AddsMethods()
{
// Arrange
var builder = new CorsPolicyBuilder();
// Act
builder.WithMethods("PUT", "GET");
// Assert
var corsPolicy = builder.Build();
Assert.False(corsPolicy.AllowAnyOrigin);
Assert.Equal(new List <string>()
{
"PUT", "GET"
}, corsPolicy.Methods);
}
public void WithOrigins_AddsOrigins()
{
// Arrange
var builder = new CorsPolicyBuilder();
// Act
builder.WithOrigins("http://example.com", "http://example2.com");
// Assert
var corsPolicy = builder.Build();
Assert.False(corsPolicy.AllowAnyOrigin);
Assert.Equal(new List <string>()
{
"http://example.com", "http://example2.com"
}, corsPolicy.Origins);
}
/// <summary>
/// Adds a new policy.
/// </summary>
/// <param name="name">The name of the policy.</param>
/// <param name="configurePolicy">A delegate which can use a policy builder to build a policy.</param>
public void AddPolicy(string name, Action <CorsPolicyBuilder> configurePolicy)
{
if (name == null)
{
throw new ArgumentNullException(nameof(name));
}
if (configurePolicy == null)
{
throw new ArgumentNullException(nameof(configurePolicy));
}
var policyBuilder = new CorsPolicyBuilder();
configurePolicy(policyBuilder);
PolicyMap[name] = policyBuilder.Build();
}
public async Task Invoke_WithCustomPolicyProviderThatReturnsAsynchronously_Works()
{
// Arrange
var corsService = new CorsService(Options.Create(new CorsOptions()), NullLoggerFactory.Instance);
var mockProvider = new Mock <ICorsPolicyProvider>();
var loggerFactory = NullLoggerFactory.Instance;
var policy = new CorsPolicyBuilder()
.WithOrigins(OriginUrl)
.WithHeaders("AllowedHeader")
.Build();
mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()))
.ReturnsAsync(policy, TimeSpan.FromMilliseconds(10));
var middleware = new CorsMiddleware(
Mock.Of <RequestDelegate>(),
corsService,
loggerFactory,
"DefaultPolicyName");
var httpContext = new DefaultHttpContext();
httpContext.Request.Method = "OPTIONS";
httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { OriginUrl });
httpContext.Request.Headers.Add(CorsConstants.AccessControlRequestMethod, new[] { "PUT" });
// Act
await middleware.Invoke(httpContext, mockProvider.Object);
// Assert
var response = httpContext.Response;
Assert.Collection(
response.Headers.OrderBy(o => o.Key),
kvp =>
{
Assert.Equal(CorsConstants.AccessControlAllowHeaders, kvp.Key);
Assert.Equal("AllowedHeader", Assert.Single(kvp.Value));
},
kvp =>
{
Assert.Equal(CorsConstants.AccessControlAllowOrigin, kvp.Key);
Assert.Equal(OriginUrl, Assert.Single(kvp.Value));
});
}
public void Constructor_WithNoOrigin()
{
// Arrange & Act
var builder = new CorsPolicyBuilder();
// Assert
var corsPolicy = builder.Build();
Assert.False(corsPolicy.AllowAnyHeader);
Assert.False(corsPolicy.AllowAnyMethod);
Assert.False(corsPolicy.AllowAnyOrigin);
Assert.False(corsPolicy.SupportsCredentials);
Assert.Empty(corsPolicy.ExposedHeaders);
Assert.Empty(corsPolicy.Headers);
Assert.Empty(corsPolicy.Methods);
Assert.Empty(corsPolicy.Origins);
Assert.Null(corsPolicy.PreflightMaxAge);
}
public void Constructor_WithParamsOrigin_InitializesOrigin(string origin)
{
// Arrange
var origins = origin.Split(',');
// Act
var builder = new CorsPolicyBuilder(origins);
// Assert
var corsPolicy = builder.Build();
Assert.False(corsPolicy.AllowAnyHeader);
Assert.False(corsPolicy.AllowAnyMethod);
Assert.False(corsPolicy.AllowAnyOrigin);
Assert.False(corsPolicy.SupportsCredentials);
Assert.Empty(corsPolicy.ExposedHeaders);
Assert.Empty(corsPolicy.Headers);
Assert.Empty(corsPolicy.Methods);
Assert.Equal(origins.ToList(), corsPolicy.Origins);
Assert.Null(corsPolicy.PreflightMaxAge);
}
public async Task Invoke_HasEndpointRequireCorsMetadata_MiddlewareHasPolicy_RunsCorsWithPolicyName()
{
// Arrange
var defaultPolicy = new CorsPolicyBuilder().Build();
var metadataPolicy = new CorsPolicyBuilder().Build();
var mockCorsService = new Mock <ICorsService>();
var mockProvider = new Mock <ICorsPolicyProvider>();
var loggerFactory = NullLoggerFactory.Instance;
mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()))
.Returns(Task.FromResult <CorsPolicy>(null))
.Verifiable();
mockCorsService.Setup(o => o.EvaluatePolicy(It.IsAny <HttpContext>(), It.IsAny <CorsPolicy>()))
.Returns(new CorsResult())
.Verifiable();
var middleware = new CorsMiddleware(
Mock.Of <RequestDelegate>(),
mockCorsService.Object,
defaultPolicy,
loggerFactory);
var httpContext = new DefaultHttpContext();
httpContext.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(new CorsPolicyMetadata(metadataPolicy)), "Test endpoint"));
httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
// Act
await middleware.Invoke(httpContext, mockProvider.Object);
// Assert
mockProvider.Verify(
o => o.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()),
Times.Never);
mockCorsService.Verify(
o => o.EvaluatePolicy(It.IsAny <HttpContext>(), metadataPolicy),
Times.Once);
}
public void ConstructorWithPolicy_HavingNullPreflightMaxAge_AddsTheGivenPolicy()
{
// Arrange
var originalPolicy = new CorsPolicy();
originalPolicy.Origins.Add("http://existing.com");
// Act
var builder = new CorsPolicyBuilder(originalPolicy);
// Assert
var corsPolicy = builder.Build();
Assert.Null(corsPolicy.PreflightMaxAge);
Assert.False(corsPolicy.AllowAnyHeader);
Assert.False(corsPolicy.AllowAnyMethod);
Assert.False(corsPolicy.AllowAnyOrigin);
Assert.NotSame(originalPolicy.Origins, corsPolicy.Origins);
Assert.Equal(originalPolicy.Origins, corsPolicy.Origins);
Assert.Empty(corsPolicy.Headers);
Assert.Empty(corsPolicy.Methods);
Assert.Empty(corsPolicy.ExposedHeaders);
}
public async Task PreFlight_WithCredentialsAllowed_ReflectsRequestHeaders()
{
// Arrange
var policy = new CorsPolicyBuilder(OriginUrl)
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials()
.Build();
var hostBuilder = new WebHostBuilder()
.Configure(app =>
{
app.UseCors("customPolicy");
app.Run(async context =>
{
await context.Response.WriteAsync("Cross origin response");
});
})
.ConfigureServices(services =>
{
services.AddCors(options =>
{
options.AddPolicy("customPolicy", policy);
});
});
using (var server = new TestServer(hostBuilder))
{
// Act
// Preflight request.
var response = await server.CreateRequest("/")
.AddHeader(CorsConstants.Origin, OriginUrl)
.AddHeader(CorsConstants.AccessControlRequestMethod, "PUT")
.AddHeader(CorsConstants.AccessControlRequestHeaders, "X-Test1,X-Test2")
.SendAsync(CorsConstants.PreflightHttpMethod);
// Assert
response.EnsureSuccessStatusCode();
Assert.Collection(
response.Headers.OrderBy(h => h.Key),
kvp =>
{
Assert.Equal(CorsConstants.AccessControlAllowCredentials, kvp.Key);
Assert.Equal(new[] { "true" }, kvp.Value);
},
kvp =>
{
Assert.Equal(CorsConstants.AccessControlAllowHeaders, kvp.Key);
Assert.Equal(new[] { "X-Test1,X-Test2" }, kvp.Value);
},
kvp =>
{
Assert.Equal(CorsConstants.AccessControlAllowMethods, kvp.Key);
Assert.Equal(new[] { "PUT" }, kvp.Value);
},
kvp =>
{
Assert.Equal(CorsConstants.AccessControlAllowOrigin, kvp.Key);
Assert.Equal(new[] { OriginUrl }, kvp.Value);
});
}
}
