better usage of AllowOrigin setting (#17670)

adameat · web-flow · commit f767409d63b8 · 2025-04-24T16:55:35.000+02:00
diff --git a/ydb/core/driver_lib/run/run.cpp b/ydb/core/driver_lib/run/run.cpp
@@ -477,6 +477,7 @@ void TKikimrRunner::InitializeMonitoring(const TKikimrRunConfig& runConfig, bool
         if (securityConfig.MonitoringAllowedSIDsSize() > 0) {
             monConfig.AllowedSIDs.assign(securityConfig.GetMonitoringAllowedSIDs().begin(), securityConfig.GetMonitoringAllowedSIDs().end());
         }
+        monConfig.AllowOrigin = appConfig.GetMonitoringConfig().GetAllowOrigin();
 
         if (ModuleFactories && ModuleFactories->MonitoringFactory) {
             Monitoring = ModuleFactories->MonitoringFactory(std::move(monConfig), appConfig);
diff --git a/ydb/core/mon/mon.cpp b/ydb/core/mon/mon.cpp
@@ -16,6 +16,7 @@
 #include <library/cpp/lwtrace/mon/mon_lwtrace.h>
 #include <ydb/library/actors/core/probes.h>
 #include <ydb/core/base/monitoring_provider.h>
+#include <ydb/core/util/wildcard.h>
 
 #include <library/cpp/monlib/service/pages/version_mon_page.h>
 #include <library/cpp/monlib/service/pages/mon_page.h>
@@ -403,7 +404,19 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
             type = "application/json";
         }
         NHttp::THeaders headers(request->Headers);
-        TString origin = TString(headers["Origin"]);
+        TString allowOrigin = AppData()->Mon->GetConfig().AllowOrigin;
+        TString requestOrigin = TString(headers["Origin"]);
+        TString origin;
+        if (allowOrigin) {
+            if (IsMatchesWildcards(requestOrigin, allowOrigin)) {
+                origin = requestOrigin;
+            } else {
+                Send(Event->Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(request->CreateResponseBadRequest("Invalid CORS origin")));
+                return PassAway();
+            }
+        } else if (requestOrigin) {
+            origin = requestOrigin;
+        }
         if (origin.empty()) {
             origin = "*";
         }
diff --git a/ydb/core/mon/mon.h b/ydb/core/mon/mon.h
@@ -40,6 +40,7 @@ class TMon {
         TString Certificate;
         ui32 MaxRequestsPerSecond = 0;
         TDuration InactivityTimeout = TDuration::Minutes(2);
+        TString AllowOrigin;
     };
 
     TMon(TConfig config);
@@ -86,6 +87,10 @@ class TMon {
         });
     }
 
+    const TConfig& GetConfig() const {
+        return Config;
+    }
+
 protected:
     TConfig Config;
     TIntrusivePtr<NMonitoring::TIndexMonPage> IndexMonPage;
diff --git a/ydb/core/viewer/viewer.cpp b/ydb/core/viewer/viewer.cpp
@@ -729,11 +729,16 @@ IActor* CreateViewer(const TKikimrRunConfig& kikimrRunConfig) {
 }
 
 void TViewer::FillCORS(TStringBuilder& stream, const TRequestState& request) {
+    TString requestOrigin = request && request.HasHeader("Origin") ? request.GetHeader("Origin") : TString();
     TString origin;
     if (AllowOrigin) {
-        origin = AllowOrigin;
-    } else if (request && request.HasHeader("Origin")) {
-        origin = request.GetHeader("Origin");
+        if (IsMatchesWildcards(requestOrigin, AllowOrigin)) {
+            origin = requestOrigin;
+        } else {
+            return; // no CORS headers - no access
+        }
+    } else if (requestOrigin) {
+        origin = requestOrigin;
     }
     if (origin.empty()) {
         origin = "*";

Original file line number	Diff line number	Diff line change
`@@ -477,6 +477,7 @@ void TKikimrRunner::InitializeMonitoring(const TKikimrRunConfig& runConfig, bool`
`477`	`477`	`if (securityConfig.MonitoringAllowedSIDsSize() > 0) {`
`478`	`478`	`monConfig.AllowedSIDs.assign(securityConfig.GetMonitoringAllowedSIDs().begin(), securityConfig.GetMonitoringAllowedSIDs().end());`
`479`	`479`	`}`
	`480`	`+ monConfig.AllowOrigin = appConfig.GetMonitoringConfig().GetAllowOrigin();`
`480`	`481`
`481`	`482`	`if (ModuleFactories && ModuleFactories->MonitoringFactory) {`
`482`	`483`	`Monitoring = ModuleFactories->MonitoringFactory(std::move(monConfig), appConfig);`