mirror of
https://github.com/Skyvern-AI/skyvern.git
synced 2026-07-09 16:09:13 +00:00
fix(SKY-11916): tighten cloud credentialed CORS (#7151)
This commit is contained in:
parent
f22243ea3f
commit
4c4db2a1c3
3 changed files with 51 additions and 8 deletions
27
skyvern/cors.py
Normal file
27
skyvern/cors.py
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
from collections.abc import Sequence
|
||||
|
||||
import structlog
|
||||
|
||||
LOG = structlog.get_logger(__name__)
|
||||
|
||||
|
||||
def credentialed_cors_allow_origins(allowed_origins: Sequence[str]) -> list[str]:
|
||||
wildcard_origin_count = 0
|
||||
credentialed_origins: list[str] = []
|
||||
|
||||
for origin in allowed_origins:
|
||||
stripped_origin = origin.strip()
|
||||
if not stripped_origin:
|
||||
continue
|
||||
if "*" in stripped_origin:
|
||||
wildcard_origin_count += 1
|
||||
continue
|
||||
credentialed_origins.append(stripped_origin)
|
||||
|
||||
if wildcard_origin_count:
|
||||
LOG.warning(
|
||||
"Ignoring wildcard CORS origins for credentialed requests",
|
||||
wildcard_origin_count=wildcard_origin_count,
|
||||
)
|
||||
|
||||
return credentialed_origins
|
||||
|
|
@ -26,6 +26,7 @@ from starlette_context.middleware import RawContextMiddleware
|
|||
from starlette_context.plugins.base import Plugin
|
||||
|
||||
from skyvern.config import _ensure_sqlite_dir, settings
|
||||
from skyvern.cors import credentialed_cors_allow_origins
|
||||
from skyvern.exceptions import SkyvernHTTPException
|
||||
from skyvern.forge import app as forge_app
|
||||
from skyvern.forge.forge_app_initializer import start_forge_app
|
||||
|
|
@ -56,6 +57,16 @@ from skyvern.services.workflow_schedule_service import (
|
|||
LOG = structlog.get_logger()
|
||||
|
||||
|
||||
def add_credentialed_cors_middleware(fastapi_app: FastAPI) -> None:
|
||||
fastapi_app.add_middleware(
|
||||
CORSMiddleware,
|
||||
allow_origins=credentialed_cors_allow_origins(settings.ALLOWED_ORIGINS),
|
||||
allow_credentials=True,
|
||||
allow_methods=["*"],
|
||||
allow_headers=["*"],
|
||||
)
|
||||
|
||||
|
||||
def format_validation_errors(exc: ValidationError) -> str:
|
||||
"""Format a Pydantic ValidationError into a human-readable string.
|
||||
|
||||
|
|
@ -344,14 +355,7 @@ def create_api_app() -> FastAPI:
|
|||
|
||||
fastapi_app = FastAPI(lifespan=lifespan)
|
||||
|
||||
# Add CORS middleware
|
||||
fastapi_app.add_middleware(
|
||||
CORSMiddleware,
|
||||
allow_origins=settings.ALLOWED_ORIGINS,
|
||||
allow_credentials=True,
|
||||
allow_methods=["*"],
|
||||
allow_headers=["*"],
|
||||
)
|
||||
add_credentialed_cors_middleware(fastapi_app)
|
||||
|
||||
fastapi_app.include_router(base_router, prefix="/v1")
|
||||
fastapi_app.include_router(legacy_base_router, prefix="/api/v1")
|
||||
|
|
|
|||
12
tests/unit/test_cors.py
Normal file
12
tests/unit/test_cors.py
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
from skyvern.cors import credentialed_cors_allow_origins
|
||||
|
||||
|
||||
def test_credentialed_cors_allow_origins_drops_wildcards() -> None:
|
||||
assert credentialed_cors_allow_origins(
|
||||
[
|
||||
" https://app.example.test ",
|
||||
"*",
|
||||
"https://*.example.test",
|
||||
"",
|
||||
]
|
||||
) == ["https://app.example.test"]
|
||||
Loading…
Add table
Add a link
Reference in a new issue