feat: add wildcard support to trusted-origins (#7697)

2026-04-13 03:05:50 -05:00 · 2026-03-25 15:04:06 -04:00
parent d544846caa
commit 4d615f18a9
2 changed files with 63 additions and 2 deletions
--- a/test/unit/node/http.test.ts
+++ b/test/unit/node/http.test.ts
@@ -19,6 +19,30 @@ describe("http", () => {
    expect(http.relativeRoot("/foo/bar/")).toStrictEqual("./../..")
  })

+  describe("isTrustedOrigin", () => {
+    it("should match exact origins", () => {
+      expect(http.isTrustedOrigin("localhost:8080", ["localhost:8080"])).toBe(true)
+      expect(http.isTrustedOrigin("example.com", ["example.com"])).toBe(true)
+      expect(http.isTrustedOrigin("example.com", ["other.com"])).toBe(false)
+    })
+
+    it("should match the wildcard *", () => {
+      expect(http.isTrustedOrigin("anything.example.com", ["*"])).toBe(true)
+      expect(http.isTrustedOrigin("localhost:8080", ["*"])).toBe(true)
+    })
+
+    it("should match *.example.com wildcard (same style as --proxy-domain)", () => {
+      expect(http.isTrustedOrigin("sub.example.com", ["*.example.com"])).toBe(true)
+      expect(http.isTrustedOrigin("example.com", ["*.example.com"])).toBe(true)
+      expect(http.isTrustedOrigin("evil.com", ["*.example.com"])).toBe(false)
+      expect(http.isTrustedOrigin("example.com.evil.com", ["*.example.com"])).toBe(false)
+    })
+
+    it("should return false for an empty trusted origins list", () => {
+      expect(http.isTrustedOrigin("example.com", [])).toBe(false)
+    })
+  })
+
  describe("origin", () => {
    ;[
      {
@@ -54,6 +78,22 @@ describe("http", () => {
        host: "localhost:8080",
        expected: "malformed", // Parsing fails completely.
      },
+      {
+        origin: "http://sub.example.com",
+        host: "other.com",
+        trustedOrigins: ["*.example.com"],
+      },
+      {
+        origin: "http://evil.com",
+        host: "other.com",
+        trustedOrigins: ["*.example.com"],
+        expected: "does not match",
+      },
+      {
+        origin: "http://sub.example.com",
+        host: "other.com",
+        trustedOrigins: ["*"],
+      },
    ].forEach((test) => {
      ;[
        ["host", test.host],
@@ -70,7 +110,9 @@ describe("http", () => {
              origin: test.origin,
              [key]: value,
            },
-            args: {},
+            args: {
+              "trusted-origins": (test as { trustedOrigins?: string[] }).trustedOrigins,
+            },
          })
          if (typeof test.expected === "string") {
            expect(() => http.authenticateOrigin(req)).toThrow(test.expected)