
feat: module to ease cors configuration #831


Closed


jeromevdl
Contributor

Issue #, if available:

Description of changes:

This module simplifies the configuration of CORS headers when using API Gateway and Lambda proxy. It removes boilerplate code in the function itself.

Checklist

Breaking change checklist

RFC issue #:

  • Migration process documented
  • Implement warnings (if it can live side by side)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@jeromevdl jeromevdl marked this pull request as draft March 20, 2023 10:00
@jeromevdl
Contributor Author

Converting to draft as it may be included in a larger module (cf. Python API GW handler)

return result;
}

CrossOriginHandler crossOriginHandler = new CrossOriginHandler(crossOrigin);

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Problem:
This line of code lacks validation when processing input data through the following parameter: 'crossOrigin' (index: 1 | type: CrossOrigin). The parameter is exposed to external callers, because its enclosing class and method are publicly accessible. This means that upstream validation, if it exists, can be bypassed. Other validated parameters: 'pjp'. The same parameter type is validated here for example: aws-lambda-powertools-java/powertools-cors/src/main/java/software/amazon/lambda/powertools/cors/internal/CrossOriginHandler.java:43. Malicious, malformed, or unbounded inputs can cause unexpected runtime behavior or crashes, and can slow performance.

Fix:
Add checks to ensure the validity of the parameter's value, such as testing it for nullness (for example, using the @NonNull annotation as described in the Lombok library), emptiness, or equality. Or to prevent direct calls to it, reduce the method's visibility.

Learn more about potential threats and guidance from the Common Weakness Enumeration website and the OWASP Cheat Sheet series.

@scottgerring
Contributor

Closing for now to refocus
