From 0a3a83de37d3a8543eb32011726a3148d02e68cc Mon Sep 17 00:00:00 2001
From: Arksine <arksine.code@gmail.com>
Date: Wed, 10 Mar 2021 18:10:03 -0500
Subject: [PATCH] authorization:  check for dangerous "cors_domains"

A user may unintentionally allow access to dangerous domains if they place a wildcard in the top level domain portion of an entry.  Raise a config error when this condition is detected.

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
---
 moonraker/authorization.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/moonraker/authorization.py b/moonraker/authorization.py
index b545359..ca3b7b0 100644
--- a/moonraker/authorization.py
+++ b/moonraker/authorization.py
@@ -28,9 +28,17 @@ class Authorization:
         self.access_tokens = {}
 
         # Get allowed cors domains
+        self.cors_domains = []
         cors_cfg = config.get('cors_domains', "").strip()
-        self.cors_domains = [d.strip().replace(".", "\\.").replace("*", ".*")
-                             for d in cors_cfg.split('\n')if d.strip()]
+        cds = [d.strip() for d in cors_cfg.split('\n')if d.strip()]
+        for domain in cds:
+            bad_match = re.search(r"^.+\.[^:]*\*", domain)
+            if bad_match is not None:
+                raise config.error(
+                    f"Unsafe CORS Domain '{domain}'.  Wildcards are not"
+                    " permitted in the top level domain.")
+            self.cors_domains.append(
+                domain.replace(".", "\\.").replace("*", ".*"))
 
         # Get Trusted Clients
         self.trusted_ips = []