echo.CORS is blocking the request on egress only

[khs-kks]

Even with the default configuration of the echo.CORS middleware, where only the allowed origin has been modified from the default wildcard ("*") to a specific domain, unauthorized cross-origin requests still propagate through the application stack, reaching the data layer. While egress filtering blocks the response, this occurs after data mutations have already been committed, representing an actual security concern.

Please tell if this is by design

[aldas]

Please provide example app + CURL/WGET to test it out. NB: cors in only meant for browser. Any API request can and is allowed to bypassit by not providing relevant headers etc.

you can start off from this snippet:

package main

import (
	"errors"
	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
	"log/slog"
	"net/http"
)

func main() {
	e := echo.New()
	
	e.Use(middleware.Logger())
	e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
		// your settings
	}))

	e.GET("/", func(c echo.Context) error {
		return c.JSON(http.StatusOK, "ok")
	})

	if err := e.Start(":8082"); err != nil && !errors.Is(err, http.ErrServerClosed) {
		slog.Error("server start ended with error", "err", err)
	}
}

[khs-kks]

import (
	"errors"
	"fmt"
	"log/slog"
	"net/http"

	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

func main() {
	e := echo.New()

	e.Use(middleware.Logger())
	e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
		AllowOrigins: []string{"http://localhost:43000"},
		AllowMethods: []string{http.MethodGet, http.MethodPost, http.MethodPut, http.MethodDelete, http.MethodOptions},
		AllowHeaders: []string{echo.HeaderOrigin, echo.HeaderContentType},
	}))

	e.GET("/", func(c echo.Context) error {
		fmt.Println("Propagated")
		return c.JSON(http.StatusOK, "ok")
	})

	if err := e.Start(":8082"); err != nil && !errors.Is(err, http.ErrServerClosed) {
		slog.Error("server start ended with error", "err", err)
	}
}

and the curl:

curl -v -X GET -H "Origin: http://localhost:3000" -H "Content-Type: application/json" http://localhost:8082/

[aldas]

Looking at the repo history and reading CORS spec. It seems that this behavior has been there for a long time. I can only say that CORS does not necessarily say that server must reject these requests as CORS is mean to be enforced on Web-browser side by the browsers. but it would make sense to reject these. I'll create PR #2732 for it.

p.s. CORS is only security measure for clients (like browsers) that adhere to CORS rules. for anything else it is just a suggestion for behavior.

[jub0bs]

This behaviour goes beyond CORS. It arguably isn't the responsibility of the CORS middleware to block such requests.

CORS is [...] security measure

No, CORS is not security measure. Quite the contrary: its goal is to relax the Same-Origin Policy; nothing more.