🛡️ Sentinel: [HIGH] Fix CORS partial wildcard match

[EffortlessSteven]

🚨 Severity: HIGH
💡 Vulnerability: The CORS middleware allowed partial domain matches when using wildcard subdomains (e.g., https://*.example.com matched https://evilexample.com).
🎯 Impact: Attackers could bypass CORS restrictions by registering domains that suffix-match the allowed wildcard domain, potentially allowing them to access sensitive API data.
🔧 Fix: Enforced that wildcard matches must be preceded by a dot (.), ensuring only proper subdomains are allowed.
✅ Verification: Added test_cors_config_subdomain_wildcard_security in crates/app-http and crates/http-middleware to verify that partial matches are rejected while valid subdomains are still allowed.

---

PR created automatically by Jules for task 1160147892567240900 started by @EffortlessSteven

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 8 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

---

Note

🎁 Summarized by CodeRabbit Free

Your organization is on the Free plan. CodeRabbit will generate a high-level summary and a walkthrough for each pull request. For a comprehensive line-by-line review, please upgrade your subscription to CodeRabbit Pro by visiting https://app.coderabbit.ai/login.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @EffortlessSteven, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a critical security fix for the CORS middleware, addressing a high-severity vulnerability that could lead to unauthorized access to sensitive API data. The core change involves refining the logic for wildcard subdomain matching to ensure that only legitimate subdomains are allowed, effectively closing a potential bypass vector. The update also includes new tests to validate the enhanced security measures and documentation of the vulnerability.

Highlights

• Security Vulnerability Addressed: Fixed a high-severity CORS vulnerability where wildcard subdomains (e.g., "*.example.com") incorrectly matched partial domains (e.g., "evilexample.com"), potentially allowing attackers to bypass CORS restrictions.
• Enhanced Wildcard Matching Logic: Modified the CORS middleware to strictly enforce that wildcard subdomain matches must be preceded by a dot, preventing "suffix confusion" attacks.
• Comprehensive Test Coverage: Added new test cases ("test_cors_config_subdomain_wildcard_security") in both "crates/app-http" and "crates/http-middleware" to verify the fix and ensure proper subdomain wildcard security.
• Security Documentation Updated: Documented the CORS partial wildcard match vulnerability, its learning, and prevention strategies in the ".jules/sentinel.md" file.

Changelog

• .jules/sentinel.md
  • Added a new entry detailing the CORS partial wildcard match vulnerability, including its description, lessons learned, and prevention methods.
• crates/app-http/src/middleware/cors.rs
  • Modified the "is_origin_allowed" function to include a check for a preceding dot when matching wildcard subdomains, enhancing security.
  • Introduced "test_cors_config_subdomain_wildcard_security" to verify that partial domain matches are rejected while valid subdomains are allowed.
• crates/http-middleware/src/cors.rs
  • Updated the "is_origin_allowed" function to enforce that wildcard subdomain matches must be preceded by a dot.
  • Added "test_cors_config_subdomain_wildcard_security" to confirm the correct behavior of wildcard subdomain matching.

Activity

• PR created automatically by Jules for task 1160147892567240900, started by @EffortlessSteven.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly addresses a high-severity CORS vulnerability where partial domain matches were possible with wildcard subdomains. The fix is logical and enforces that a wildcard match must be a proper subdomain by checking for a preceding dot. The inclusion of specific tests to verify this security fix is also a great addition.

However, the need to apply the same fix in two separate files (crates/app-http/src/middleware/cors.rs and crates/http-middleware/src/cors.rs) highlights a significant code duplication issue. This duplication of security-sensitive logic creates a maintainability risk, as future updates could easily be missed in one of the locations. I've added comments to this effect. While this PR should be merged to fix the vulnerability, I strongly recommend creating a follow-up task to refactor the CORS logic into a single, reusable component within the http-middleware crate.

[gemini-code-assist]

This logic is also present in crates/http-middleware/src/cors.rs. This code duplication for security-sensitive logic is a maintainability risk. A future refactoring should aim to have a single implementation of this logic in the http-middleware crate, which app-http can then call. This will ensure that future security patches only need to be applied in one place.

[gemini-code-assist]

This logic is also present in crates/app-http/src/middleware/cors.rs. This code duplication for security-sensitive logic is a maintainability risk. A future refactoring should aim to consolidate this logic into this crate (http-middleware) so that it can be reused by other crates like app-http without duplication. This will ensure that future security patches only need to be applied in one place.

[Copilot]

Pull request overview

This PR fixes a CORS origin validation vulnerability where wildcard subdomain rules (e.g., https://*.example.com) could be bypassed by partial suffix matches (e.g., https://evilexample.com). The change applies to both CORS implementations in the codebase (in http-middleware and app-http) and adds regression tests to prevent reintroduction.

Changes:

• Tighten wildcard subdomain origin matching by requiring the matched suffix to be preceded by ..
• Add security regression tests ensuring partial-suffix origins are rejected while valid subdomains remain allowed.
• Document the vulnerability and prevention guidance in .jules/sentinel.md.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
crates/http-middleware/src/cors.rs	Adds dot-anchored validation for wildcard subdomain matches and a regression test.
crates/app-http/src/middleware/cors.rs	Mirrors the same dot-anchored wildcard subdomain fix and adds the corresponding regression test.
.jules/sentinel.md	Records the vulnerability, learning, and prevention guidance for future reference.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.