fix(SKY-11916): tighten cloud credentialed CORS (#7151)

This commit is contained in:
Aaron Perez 2026-07-07 04:45:35 -05:00 committed by GitHub
parent f22243ea3f
commit 4c4db2a1c3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 51 additions and 8 deletions

27
skyvern/cors.py Normal file
View file

@ -0,0 +1,27 @@
from collections.abc import Sequence
import structlog
LOG = structlog.get_logger(__name__)
def credentialed_cors_allow_origins(allowed_origins: Sequence[str]) -> list[str]:
wildcard_origin_count = 0
credentialed_origins: list[str] = []
for origin in allowed_origins:
stripped_origin = origin.strip()
if not stripped_origin:
continue
if "*" in stripped_origin:
wildcard_origin_count += 1
continue
credentialed_origins.append(stripped_origin)
if wildcard_origin_count:
LOG.warning(
"Ignoring wildcard CORS origins for credentialed requests",
wildcard_origin_count=wildcard_origin_count,
)
return credentialed_origins

View file

@ -26,6 +26,7 @@ from starlette_context.middleware import RawContextMiddleware
from starlette_context.plugins.base import Plugin
from skyvern.config import _ensure_sqlite_dir, settings
from skyvern.cors import credentialed_cors_allow_origins
from skyvern.exceptions import SkyvernHTTPException
from skyvern.forge import app as forge_app
from skyvern.forge.forge_app_initializer import start_forge_app
@ -56,6 +57,16 @@ from skyvern.services.workflow_schedule_service import (
LOG = structlog.get_logger()
def add_credentialed_cors_middleware(fastapi_app: FastAPI) -> None:
fastapi_app.add_middleware(
CORSMiddleware,
allow_origins=credentialed_cors_allow_origins(settings.ALLOWED_ORIGINS),
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
def format_validation_errors(exc: ValidationError) -> str:
"""Format a Pydantic ValidationError into a human-readable string.
@ -344,14 +355,7 @@ def create_api_app() -> FastAPI:
fastapi_app = FastAPI(lifespan=lifespan)
# Add CORS middleware
fastapi_app.add_middleware(
CORSMiddleware,
allow_origins=settings.ALLOWED_ORIGINS,
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
add_credentialed_cors_middleware(fastapi_app)
fastapi_app.include_router(base_router, prefix="/v1")
fastapi_app.include_router(legacy_base_router, prefix="/api/v1")

12
tests/unit/test_cors.py Normal file
View file

@ -0,0 +1,12 @@
from skyvern.cors import credentialed_cors_allow_origins
def test_credentialed_cors_allow_origins_drops_wildcards() -> None:
assert credentialed_cors_allow_origins(
[
" https://app.example.test ",
"*",
"https://*.example.test",
"",
]
) == ["https://app.example.test"]