Throw if CORS policy is configured to allow credentials and any origin (#7751)

* Throw if CORS policy is configured to allow credentials and any origin

Fixes #3106

Author: pranavkm

src/Middleware/CORS/samples/SampleDestination/Startup.cs

@@ -50,8 +50,7 @@ public void ConfigureServices(IServiceCollection services)
                 options.AddPolicy("AllowAll", policy => policy
                     .AllowAnyOrigin()
                     .AllowAnyMethod()
-                    .AllowAnyHeader()
-                    .AllowCredentials());
+                    .AllowAnyHeader());
             });
             services.AddRouting();
         }

src/Middleware/CORS/samples/SampleDestination/StartupWithoutEndpointRouting.cs

@@ -73,8 +73,7 @@ public void Configure(IApplicationBuilder app)
                 innerBuilder.UseCors(policy => policy
                     .AllowAnyOrigin()
                     .AllowAnyMethod()
-                    .AllowAnyHeader()
-                    .AllowCredentials());
+                    .AllowAnyHeader());
 
                 innerBuilder.UseMiddleware<SampleMiddleware>();
             });

src/Middleware/CORS/src/Infrastructure/CorsPolicyBuilder.cs

@@ -224,6 +224,11 @@ public CorsPolicyBuilder SetIsOriginAllowedToAllowWildcardSubdomains()
         /// <returns>The constructed <see cref="CorsPolicy"/>.</returns>
         public CorsPolicy Build()
         {
+            if (_policy.AllowAnyOrigin && _policy.SupportsCredentials)
+            {
+                throw new InvalidOperationException(Resources.InsecureConfiguration);
+            }
+
             return _policy;
         }
 

src/Middleware/CORS/src/Infrastructure/CorsService.cs

@@ -8,7 +8,6 @@
 using Microsoft.AspNetCore.Cors.Internal;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
 
@@ -77,7 +76,7 @@ public CorsResult EvaluatePolicy(HttpContext context, CorsPolicy policy)
 
             if (policy.AllowAnyOrigin && policy.SupportsCredentials)
             {
-                _logger.InsecureConfiguration();
+                throw new ArgumentException(Resources.InsecureConfiguration, nameof(policy));
             }
 
             var origin = context.Request.Headers[CorsConstants.Origin];

src/Middleware/CORS/src/Internal/CORSLoggerExtensions.cs

@@ -18,7 +18,6 @@ internal static class CORSLoggerExtensions
         private static readonly Action<ILogger, string, Exception> _requestHeaderNotAllowed;
         private static readonly Action<ILogger, Exception> _failedToSetCorsHeaders;
         private static readonly Action<ILogger, Exception> _noCorsPolicyFound;
-        private static readonly Action<ILogger, Exception> _insecureConfiguration;
         private static readonly Action<ILogger, Exception> _isNotPreflightRequest;
 
         static CORSLoggerExtensions()
@@ -73,11 +72,6 @@ static CORSLoggerExtensions()
                 new EventId(10, "NoCorsPolicyFound"),
                 "No CORS policy found for the specified request.");
 
-            _insecureConfiguration = LoggerMessage.Define(
-                LogLevel.Warning,
-                new EventId(11, "InsecureConfiguration"),
-                "The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the policy by listing individual origins if credentials needs to be supported.");
-
             _isNotPreflightRequest = LoggerMessage.Define(
                 LogLevel.Debug,
                 new EventId(12, "IsNotPreflightRequest"),
@@ -134,11 +128,6 @@ public static void NoCorsPolicyFound(this ILogger logger)
             _noCorsPolicyFound(logger, null);
         }
 
-        public static void InsecureConfiguration(this ILogger logger)
-        {
-            _insecureConfiguration(logger, null);
-        }
-
         public static void IsNotPreflightRequest(this ILogger logger)
         {
             _isNotPreflightRequest(logger, null);

src/Middleware/CORS/src/Properties/Resources.Designer.cs

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <root>
-    <!-- 
+  <!-- 
     Microsoft ResX Schema 
     
     Version 2.0
@@ -60,63 +60,66 @@
             : and then encoded with base64 encoding.
     -->
   <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
-      <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
-      <xsd:element name="root" msdata:IsDataSet="true">
-          <xsd:complexType>
-              <xsd:choice maxOccurs="unbounded">
-                  <xsd:element name="metadata">
-                      <xsd:complexType>
-                          <xsd:sequence>
-                              <xsd:element name="value" type="xsd:string" minOccurs="0" />
-                          </xsd:sequence>
-                          <xsd:attribute name="name" use="required" type="xsd:string" />
-                          <xsd:attribute name="type" type="xsd:string" />
-                          <xsd:attribute name="mimetype" type="xsd:string" />
-                          <xsd:attribute ref="xml:space" />
-                      </xsd:complexType>
-                  </xsd:element>
-                  <xsd:element name="assembly">
-                      <xsd:complexType>
-                          <xsd:attribute name="alias" type="xsd:string" />
-                          <xsd:attribute name="name" type="xsd:string" />
-                      </xsd:complexType>
-                  </xsd:element>
-                  <xsd:element name="data">
-                      <xsd:complexType>
-                          <xsd:sequence>
-                              <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
-                              <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
-                          </xsd:sequence>
-                          <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
-                          <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
-                          <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
-                          <xsd:attribute ref="xml:space" />
-                      </xsd:complexType>
-                  </xsd:element>
-                  <xsd:element name="resheader">
-                      <xsd:complexType>
-                          <xsd:sequence>
-                              <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
-                          </xsd:sequence>
-                          <xsd:attribute name="name" type="xsd:string" use="required" />
-                      </xsd:complexType>
-                  </xsd:element>
-              </xsd:choice>
-          </xsd:complexType>
-      </xsd:element>
+    <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
+    <xsd:element name="root" msdata:IsDataSet="true">
+      <xsd:complexType>
+        <xsd:choice maxOccurs="unbounded">
+          <xsd:element name="metadata">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" />
+              </xsd:sequence>
+              <xsd:attribute name="name" use="required" type="xsd:string" />
+              <xsd:attribute name="type" type="xsd:string" />
+              <xsd:attribute name="mimetype" type="xsd:string" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="assembly">
+            <xsd:complexType>
+              <xsd:attribute name="alias" type="xsd:string" />
+              <xsd:attribute name="name" type="xsd:string" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="data">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+                <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
+              <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
+              <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="resheader">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" />
+            </xsd:complexType>
+          </xsd:element>
+        </xsd:choice>
+      </xsd:complexType>
+    </xsd:element>
   </xsd:schema>
   <resheader name="resmimetype">
-      <value>text/microsoft-resx</value>
+    <value>text/microsoft-resx</value>
   </resheader>
   <resheader name="version">
-      <value>2.0</value>
+    <value>2.0</value>
   </resheader>
   <resheader name="reader">
-      <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+    <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
   </resheader>
   <resheader name="writer">
-      <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
   </resheader>
+  <data name="InsecureConfiguration" xml:space="preserve">
+    <value>The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the CORS policy by listing individual origins if credentials needs to be supported.</value>
+  </data>
   <data name="PreflightMaxAgeOutOfRange" xml:space="preserve">
     <value>PreflightMaxAge must be greater than or equal to 0.</value>
   </data>

src/Middleware/CORS/src/Resources.Designer.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -285,7 +285,6 @@ public void AllowCredential_SetsSupportsCredentials_ToTrue()
             Assert.True(corsPolicy.SupportsCredentials);
         }
 
-
         [Fact]
         public void DisallowCredential_SetsSupportsCredentials_ToFalse()
         {
@@ -300,6 +299,21 @@ public void DisallowCredential_SetsSupportsCredentials_ToFalse()
             Assert.False(corsPolicy.SupportsCredentials);
         }
 
+        [Fact]
+        public void Build_ThrowsIfConfiguredToAllowAnyOriginWithCredentials()
+        {
+            // Arrange
+            var builder = new CorsPolicyBuilder()
+                .AllowAnyOrigin()
+                .AllowCredentials();
+
+            // Act
+            var ex = Assert.Throws<InvalidOperationException>(() => builder.Build());
+
+            // Assert
+            Assert.Equal(Resources.InsecureConfiguration, ex.Message);
+        }
+
         [Theory]
         [InlineData("Some-String", "some-string")]
         [InlineData("x:\\Test", "x:\\test")]