fix(cors): replace reference equality with value equality in isAny and isAnyMethod#12627

Open
fatekingsama wants to merge 6 commits into micronaut-projects:5.0.x from fatekingsama:fix-cors-any-matching

@fatekingsama

Summary

Fixes #12626

Changes

Replace reference equality (==) with value equality in CorsFilter#isAny
and isAnyMethod.

When CORS configuration is loaded from application.yml, deserialization
creates new List instances that are never reference-equal to the sentinel
constants CorsOriginConfiguration.ANY and ANY_METHOD, causing wildcard
checks to silently return false.

Fix

  • isAny: also returns true when the list contains a single element equal to
    CorsOriginConfiguration.ANY.getFirst()
  • isAnyMethod: also returns true when the list is empty
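
The failure mode described in the summary above, as an added example that is not code from the pull request or from Micronaut. The class and method names, the `bind` helper standing in for configuration binding, and the sentinel value `"*"` are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class CorsAnyCheck {
    // Stand-ins for the sentinel constants named in the PR; the "*" value is constructed.
    static final List<String> ANY = List.of("*");
    static final List<String> ANY_METHOD = List.of();

    // "Before": true only when the caller passes the sentinel object itself.
    static boolean isAnyByReference(List<String> values) {
        return values == ANY;
    }

    // "After", following the PR summary: also accept a single-element list
    // whose element equals the sentinel's first element.
    static boolean isAnyByValue(List<String> values) {
        return values == ANY
            || (values != null && values.size() == 1 && ANY.get(0).equals(values.get(0)));
    }

    // "After" for methods, following the PR summary: an empty list is the wildcard.
    static boolean isAnyMethodByValue(List<String> methods) {
        return methods == ANY_METHOD || (methods != null && methods.isEmpty());
    }

    // Hypothetical binder: like deserialization from application.yml,
    // it always allocates a new List and never returns the sentinel.
    static List<String> bind(String... raw) {
        return new ArrayList<>(List.of(raw));
    }

    public static void main(String[] args) {
        List<String> fromYaml = bind("*");            // same content as ANY, different object
        List<String> explicit = bind("https://app.example");
        System.out.println("reference, sentinel:  " + isAnyByReference(ANY));
        System.out.println("reference, from yaml: " + isAnyByReference(fromYaml));
        System.out.println("value, from yaml:     " + isAnyByValue(fromYaml));
        System.out.println("value, explicit:      " + isAnyByValue(explicit));
        System.out.println("methods, empty list:  " + isAnyMethodByValue(bind()));
    }
}
```

The reference check passes only for the constant itself, so a programmatic configuration that reuses the sentinel behaves differently from the same values bound from a file.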

Comment thread http-server/src/main/java/io/micronaut/http/server/cors/CorsFilter.java Outdated
@yawkat
Member

yawkat commented Apr 22, 2026

Please add a test

Comment thread http-server/src/main/java/io/micronaut/http/server/cors/CorsFilter.java Outdated
@sdelamo sdelamo added the type: bug Something isn't working label Apr 28, 2026
@github-project-automation github-project-automation Bot moved this to Backlog in 5.0.0-M3 Apr 28, 2026
@fatekingsama
Author

This was caused by IntelliJ automatically optimizing imports. I've updated the configuration and replaced wildcard imports with explicit ones.

@graemerocher graemerocher requested a review from sdelamo April 28, 2026 07:24
@sdelamo sdelamo requested a review from Copilot April 29, 2026 11:08
Contributor

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Fixes CORS wildcard detection when configuration is deserialized from application.yml by avoiding reference-equality checks that fail after binding.

Changes:

  • Update CorsFilter#isAny to use value equality for wildcard origin/header lists.
  • Update CorsFilter#isAnyMethod to treat empty method lists as wildcard.
  • Add a Netty CORS preflight test exercising wildcard headers configured via application properties.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File | Description
--- | ---
http-server/src/main/java/io/micronaut/http/server/cors/CorsFilter.java | Adjusts wildcard detection logic and simplifies static header imports.
http-server-netty/src/test/groovy/io/micronaut/http/server/netty/cors/CorsFilterSpec.groovy | Adds coverage for wildcard allowed-headers behavior when configured via application properties.

Comment thread http-server/src/main/java/io/micronaut/http/server/cors/CorsFilter.java Outdated
Comment thread http-server/src/main/java/io/micronaut/http/server/cors/CorsFilter.java Outdated

then:
HttpStatus.OK == response.status()
response.headers.contains(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)

Copilot AI Apr 29, 2026

This test asserts the preflight succeeds, but it doesn’t validate the core behavior under test: that wildcard allowed-headers actually allows the requested header. Please also assert Access-Control-Allow-Headers is present and either contains Content-Type (or returns *, depending on expected behavior), so regressions in header handling are caught.

Suggested change
response.headers.contains(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)
response.headers.contains(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)
response.headers.contains(ACCESS_CONTROL_ALLOW_HEADERS)
String allowHeaders = response.headers.get(ACCESS_CONTROL_ALLOW_HEADERS)
allowHeaders == "*" || allowHeaders.split(",")*.trim().contains("Content-Type")
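Review bot: The last suggested line matches the header name case-sensitively with `contains("Content-Type")`, but HTTP header names are case-insensitive, so a response that echoes `content-type` would fail the assertion even though the header is allowed; lower-case both sides before comparing. The added lines also use `ACCESS_CONTROL_ALLOW_HEADERS` unqualified while the line above uses `HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN`, so either qualify it the same way or confirm the spec has the matching static import.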

sdelamo and others added 2 commits April 29, 2026 14:45
…ty/cors/CorsFilterSpec.groovy

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…lter.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@sdelamo sdelamo removed this from 5.0.0-M3 Apr 29, 2026
@sdelamo sdelamo removed this from 5.0.0 Release Apr 29, 2026
@sdelamo sdelamo requested a review from yawkat April 29, 2026 12:47
@fatekingsama
Author

Friendly ping 👋 @sdelamo @yawkat
Would appreciate another review when you have a chance. Thanks!

Labels

type: bug Something isn't working

Projects

Status: Backlog

Development

Successfully merging this pull request may close these issues.

CorsFilter#isAny and isAnyMethod use reference equality (==) instead of value equality, causing CORS to fail when configured via application.yml

4 participants