Skip to content

feat: add regex support to trusted-origins #7697

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
abdulsattar wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add regex support to trusted-origins #7697

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 28 additions & 1 deletion src/node/http.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -351,6 +351,33 @@ export function ensureOrigin(req: express.Request, _?: express.Response, next?:
}
}

/**
* Return true if the origin matches any trusted origin. Entries are matched
* as exact strings, the special wildcard `"*"`, or regex literals in the form
* `/pattern/flags` (e.g. `/^.*\.example\.com$/i`).
*/
export function isTrustedOrigin(origin: string, trustedOrigins: string[]): boolean {
return trustedOrigins.some((trusted) => {
if (trusted === "*" || trusted === origin) {
return true
}
// Regex literal: /pattern/ or /pattern/flags
if (trusted.startsWith("/")) {
const closingSlash = trusted.lastIndexOf("/")
Copy link
Member

@code-asher code-asher Mar 11, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I would expect a regex like /http:\/\/.+\.example\.com/ to work but the lastIndexOf here would cause regexes like this to fail.

Would it be sufficient to allow a * instead of allowing full regex, so one could do https://*.example.com?

Internally we could still convert it to a regex, but from the user's perspective they only deal with * and the rest is literal (similar to how proxy-domain is handled).

Copy link
Author

@abdulsattar abdulsattar Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain why /http:\/\/.+\.example\.com/ would fail lastIndexOf? lastIndexOf here is used only for getting the flags.

Copy link
Member

@code-asher code-asher Mar 12, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops sorry I mistyped, I meant /http:\/\/.+\.example\.com (no trailing slash). We end up using http:\/\ as the pattern and .+\.example\.com as a flag, both of which are invalid. More fundamentally though, since slashes can change meaning based on context, lastIndexOf seems like a brittle approach.

It might be OK in practice (I am not seeing any way this could lead to accidental exposure unless your domain consisted of only valid regex flags somehow). It would just fail to match anything and eventually the user would probably figure it out.

But ideally, if the user enters a malformed regex, we could error immediately so they can fix it, rather than accept an input that can never match anything, or we make it more lenient. Or we may not even need to allow flags at all and we could accept the pattern only? I think the only flag that would be useful is i, and maybe we should default to case-insensitive matching anyway.

But making the input a regex feels unnecessarily complicated to me anyway if our only goal is to allow any subdomain, and we have prior art with --proxy-domain. http://*.example.com is easier to type and read as well.

if (closingSlash > 0) {
const pattern = trusted.slice(1, closingSlash)
const flags = trusted.slice(closingSlash + 1)
try {
return new RegExp(pattern, flags).test(origin)
} catch {
return false
}
}
}
return false
})
}

/**
* Authenticate the request origin against the host. Throw if invalid.
*/
Expand All @@ -370,7 +397,7 @@ export function authenticateOrigin(req: express.Request): void {
}

const trustedOrigins = req.args["trusted-origins"] || []
if (trustedOrigins.includes(origin) || trustedOrigins.includes("*")) {
if (isTrustedOrigin(origin, trustedOrigins)) {
return
}

Expand Down
50 changes: 49 additions & 1 deletion test/unit/node/http.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,36 @@ describe("http", () => {
expect(http.relativeRoot("/foo/bar/")).toStrictEqual("./../..")
})

describe("isTrustedOrigin", () => {
it("should match exact origins", () => {
expect(http.isTrustedOrigin("localhost:8080", ["localhost:8080"])).toBe(true)
expect(http.isTrustedOrigin("example.com", ["example.com"])).toBe(true)
expect(http.isTrustedOrigin("example.com", ["other.com"])).toBe(false)
})

it("should match the wildcard *", () => {
expect(http.isTrustedOrigin("anything.example.com", ["*"])).toBe(true)
expect(http.isTrustedOrigin("localhost:8080", ["*"])).toBe(true)
})

it("should match regex patterns", () => {
expect(http.isTrustedOrigin("sub.example.com", ["/\\.example\\.com$/"])).toBe(true)
expect(http.isTrustedOrigin("evil.com", ["/\\.example\\.com$/"])).toBe(false)
})

it("should support regex flags", () => {
expect(http.isTrustedOrigin("SUB.EXAMPLE.COM", ["/\\.example\\.com$/i"])).toBe(true)
})

it("should return false for invalid regex patterns", () => {
expect(http.isTrustedOrigin("example.com", ["/[invalid/"])).toBe(false)
})

it("should return false for an empty trusted origins list", () => {
expect(http.isTrustedOrigin("example.com", [])).toBe(false)
})
})

describe("origin", () => {
;[
{
Expand Down Expand Up @@ -54,6 +84,22 @@ describe("http", () => {
host: "localhost:8080",
expected: "malformed", // Parsing fails completely.
},
{
origin: "http://sub.example.com",
host: "other.com",
trustedOrigins: ["/\\.example\\.com$/"],
},
{
origin: "http://evil.com",
host: "other.com",
trustedOrigins: ["/\\.example\\.com$/"],
expected: "does not match",
},
{
origin: "http://sub.example.com",
host: "other.com",
trustedOrigins: ["*"],
},
].forEach((test) => {
;[
["host", test.host],
Expand All @@ -70,7 +116,9 @@ describe("http", () => {
origin: test.origin,
[key]: value,
},
args: {},
args: {
"trusted-origins": (test as { trustedOrigins?: string[] }).trustedOrigins,
},
})
if (typeof test.expected === "string") {
expect(() => http.authenticateOrigin(req)).toThrow(test.expected)
Expand Down
Loading