From 8f5060767965aea8af17c85b8cdb8983a9d17a3b Mon Sep 17 00:00:00 2001 From: Aithscel <74430681+aithscel@users.noreply.github.com> Date: Tue, 24 Oct 2023 17:20:36 +0200 Subject: [PATCH] Escape $ in ressource paths compile (#270) --- lib/rack/cors/resource.rb | 2 +- test/unit/cors_test.rb | 7 +++++++ test/unit/test.ru | 1 + 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/rack/cors/resource.rb b/lib/rack/cors/resource.rb index 2fb1daa..30fdc3b 100644 --- a/lib/rack/cors/resource.rb +++ b/lib/rack/cors/resource.rb @@ -106,7 +106,7 @@ def ensure_enum(var) def compile(path) if path.respond_to? :to_str - special_chars = %w[. + ( )] + special_chars = %w[. + ( ) $] pattern = path.to_str.gsub(%r{((:\w+)|/\*|[\*#{special_chars.join}])}) do |match| case match diff --git a/test/unit/cors_test.rb b/test/unit/cors_test.rb index 00d6431..c9e7157 100644 --- a/test/unit/cors_test.rb +++ b/test/unit/cors_test.rb @@ -351,6 +351,13 @@ def load_app(name, options = {}) _(last_response.headers['Access-Control-Allow-Origin']).must_equal '*' end + it "should allow resource paths containing $ char" do + preflight_request('http://localhost:3000', '/$batch', method: :post ) + _(last_response).must_render_cors_success + _(last_response.headers['Access-Control-Allow-Origin']).wont_equal nil + _(last_response.headers['Access-Control-Allow-Methods']).must_equal 'POST' + end + it "should allow '//' resource if match pattern is //*" do preflight_request('http://localhost:3000', '/wildcard/') _(last_response).must_render_cors_success diff --git a/test/unit/test.ru b/test/unit/test.ru index b03b88b..7a43aec 100644 --- a/test/unit/test.ru +++ b/test/unit/test.ru 
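Review bot: `special_chars` in `compile` remains a hand-maintained list of regex metacharacters, and the need for this commit shows how easily one is missed. Characters such as `|`, `{`, `}` or `^` are still absent, so a resource path containing one would presumably compile to a pattern that matches a different set of request paths than the operator configured, which changes where CORS headers are emitted. Consider passing every literal stretch of the path through `Regexp.escape` and treating only `:name` and `*` specially. At minimum, document the line with `# regex metacharacters that must match literally in a resource path`. The body of `compile` continues past the hunk, so the `case` branches that do the escaping are not visible here.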
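Review bot: The new `/$batch` test in test/unit/cors_test.rb exercises only the matching path, so it would still pass if `$` were compiled into something looser than a literal character. A companion case that sends the same preflight to a near-miss path such as `/xbatch` and expects the CORS check to fail would pin the literal match, assuming no other resource in test.ru covers that path. `wont_equal nil` accepts any header value, so `wont_be_nil` states the intent more directly. `method: :post )` also has a stray space before the closing parenthesis.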
@@ -23,6 +23,7 @@ use Rack::Cors do
 resource '/conditional', methods: :get, if: proc { |env| !!env['HTTP_X_OK'] }
 resource '/vary_test', methods: :get, vary: %w[Origin Host]
 resource '/patch_test', methods: :patch
+ resource '/$batch', methods: :post
 resource '/wildcard/*', methods: :any
 # resource '/file/at/*',
 # :methods => [:get, :post, :put, :delete],