From a31cb35890eed304c09c722810f9714c9e58b27e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoann=20Rodi=C3=A8re?= Date: Wed, 13 Dec 2023 14:31:37 +0100 Subject: [PATCH] Fix CORS origin regexps And test that, because that's starting to be a lot of problems. --- src/main/resources/application.properties | 2 +- .../quarkus/search/app/SearchServiceTest.java | 40 +++++++++++++++++++ 2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index bc31e3f4..a1b4ed5a 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -15,7 +15,7 @@ quarkusio.localized.ja.git-uri=https://github.com/quarkusio/ja.quarkus.io.git
 indexing.scheduled.cron=0 0 19 * * ?
 # More secure HTTP defaults
 quarkus.http.cors=true
-quarkus.http.cors.origins=https://quarkus.io,/https://.*\.quarkus\.io/,/https://quarkus-(web)?site-pr-[0-9]+-preview\.surge\.sh/
+quarkus.http.cors.origins=https://quarkus.io,/https://.*\\\\.quarkus\\\\.io/,/https://quarkus-(web)?site-pr-[0-9]+-preview\\\\.surge\\\\.sh/
 quarkus.http.cors.methods=GET
 quarkus.http.header."X-Content-Type-Options".value=nosniff
 quarkus.http.header."X-Frame-Options".value=deny
diff --git a/src/test/java/io/quarkus/search/app/SearchServiceTest.java b/src/test/java/io/quarkus/search/app/SearchServiceTest.java
index 60a0b3f5..dc9e2580 100644
--- a/src/test/java/io/quarkus/search/app/SearchServiceTest.java
+++ b/src/test/java/io/quarkus/search/app/SearchServiceTest.java
@@ -26,6 +26,7 @@ import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.assertj.core.api.InstanceOfAssertFactories;
 import org.assertj.core.api.ThrowingConsumer;
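Review bot: The quadrupled backslashes on the new `quarkus.http.cors.origins` line are right only because the value is unescaped twice before it reaches the regex engine — once by `java.util.Properties` loading, and presumably once more by the comma-separated list parsing, which is how the old `\.` ended up as a bare `.` matching any character — yet nothing on the line records that, so the next editor who "simplifies" it back to `\\.` will silently reopen the over-broad match this commit closes. A comment directly above the line would pin the intent: `# Regex origins (/.../) need four backslashes per escaped dot: Properties loading and list splitting each strip one level; see SearchServiceTest.cors_allowed/cors_denied.` The `.*` before `\\\\.quarkus\\\\.io` still admits any subdomain depth and any port, which is fine only while every `*.quarkus.io` host is yours. The end of each pattern is only effectively anchored if the CORS filter performs a full match rather than find(), which this hunk cannot confirm.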
@@ -149,6 +150,45 @@ void queryNotProvided() {
 assertThat(result.total()).isEqualTo(10);
 }
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "https://quarkus.io",
+ "https://es.quarkus.io",
+ "https://cn.quarkus.io",
+ "https://ja.quarkus.io",
+ "https://pt.quarkus.io",
+ "https://quarkus-site-pr-1825-preview.surge.sh",
+ "https://quarkus-website-pr-1825-preview.surge.sh"
+ })
+ void cors_allowed(String origin) {
+ given()
+ .header("Origin", origin)
+ .queryParam("q", "foo")
+ .when().get(GUIDES_SEARCH)
+ .then()
+ .statusCode(200)
+ .header("access-control-allow-origin", origin);
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "http://localhost:8080/guides",
+ "https://localhost:8080/guides",
+ "https://example.com/guides",
+ "https://example.com/",
+ "https://my-quarkus.io",
+ "https://quarkus-site-pr-1825-preview-surge.sh",
+ "https://quarkus-website-pr-1825-preview-surge.sh"
+ })
+ void cors_denied(String origin) {
+ given()
+ .header("Origin", origin)
+ .queryParam("q", "foo")
+ .when().get(GUIDES_SEARCH)
+ .then()
+ .statusCode(403);
+ }
+ @ParameterizedTest + @MethodSource void relevance(String query, URI[] expectedGuideUrls) {
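Review bot: The `@ValueSource` of `cors_denied` omits the two near-misses that matter most for these patterns: the scheme downgrade `http://quarkus.io`, and a host that merely begins with an allowed one, `https://quarkus.io.example.com`, which would slip through if the filter ever matched the regex with find() instead of a full match. Adding `"http://quarkus.io",` and `"https://quarkus.io.example.com",` to that list pins both. The `http://localhost:8080/guides` and `https://localhost:8080/guides` entries carry a path, which a browser never sends in an `Origin` header, so `http://localhost:8080` is the form worth denying. Both tests send only a simple GET; a preflight `OPTIONS` with `Access-Control-Request-Method: GET` from a denied origin is not exercised. The enclosing `SearchServiceTest` class begins before and ends after this hunk.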