fix CORS issue for CreateBucket and ListBuckets (#7961)

bentsku · web-flow · commit 00d3a5983e16 · 2023-03-25T13:43:56.000+01:00
diff --git a/localstack/aws/handlers/cors.py b/localstack/aws/handlers/cors.py
@@ -118,10 +118,6 @@ def should_enforce_self_managed_service(context: RequestContext) -> bool:
     if context.service:
         service_name = context.service.service_name
         if not config.DISABLE_CUSTOM_CORS_S3 and service_name == "s3":
-            # ListBuckets is not concerned by S3 CORS handling, it should follow general LocalStack CORS rules.
-            # we can also check if the path is "/", no need for operation
-            if context.operation and context.operation.name == "ListBuckets":
-                return True
             return False
         if not config.DISABLE_CUSTOM_CORS_APIGATEWAY and service_name == "apigateway":
             is_user_request = (
diff --git a/localstack/services/s3/cors.py b/localstack/services/s3/cors.py
@@ -1,3 +1,4 @@
+import logging
 import re
 from typing import Optional, Tuple
 
@@ -18,6 +19,9 @@
 from localstack.services.s3.models import BucketCorsIndex
 from localstack.services.s3.utils import S3_VIRTUAL_HOSTNAME_REGEX
 
+# TODO: add more logging statements
+LOG = logging.getLogger(__name__)
+
 _s3_virtual_host_regex = re.compile(S3_VIRTUAL_HOSTNAME_REGEX)
 FAKE_HOST_ID = "9Gjjt1m+cjU4OPvX9O9/8RuvnG41MRb/18Oux2o5H5MY7ISNTlXN+Dz9IG62/ILVxhAGI0qyPfg="
 
@@ -249,3 +253,28 @@ def _get_op_from_request(self, request: Request):
         except Exception:
             # if we can't parse the request, just set GetObject
             return self._service.operation_model("GetObject")
+
+
+def s3_cors_request_handler(chain: HandlerChain, context: RequestContext, response: Response):
+    """
+    Handler to add default CORS headers to S3 operations not concerned with CORS configuration
+    """
+    # if DISABLE_CUSTOM_CORS_S3 is true, the default CORS handling will take place, so we won't need to do it here
+    if config.LEGACY_S3_PROVIDER or config.DISABLE_CUSTOM_CORS_S3:
+        return
+
+    if context.service.service_name != "s3":
+        return
+
+    if not context.operation or context.operation.name not in ("ListBuckets", "CreateBucket"):
+        return
+
+    if not config.DISABLE_CORS_CHECKS and not is_origin_allowed_default(context.request.headers):
+        LOG.info(
+            "Blocked CORS request from forbidden origin %s",
+            context.request.headers.get("origin") or context.request.headers.get("referer"),
+        )
+        response.status_code = 403
+        chain.terminate()
+
+    add_default_headers(response_headers=response.headers, request_headers=context.request.headers)
diff --git a/localstack/services/s3/provider.py b/localstack/services/s3/provider.py
@@ -98,7 +98,7 @@
 from localstack.services.moto import call_moto
 from localstack.services.plugins import ServiceLifecycleHook
 from localstack.services.s3 import constants as s3_constants
-from localstack.services.s3.cors import S3CorsHandler
+from localstack.services.s3.cors import S3CorsHandler, s3_cors_request_handler
 from localstack.services.s3.models import S3Store, get_moto_s3_backend, s3_stores
 from localstack.services.s3.notifications import NotificationDispatcher, S3EventNotificationContext
 from localstack.services.s3.presigned_url import (
@@ -1409,5 +1409,6 @@ def bucket_get_permission(fn, self, *args, **kwargs):
 
 
 def register_custom_handlers():
+    serve_custom_service_request_handlers.append(s3_cors_request_handler)
     serve_custom_service_request_handlers.append(s3_presigned_url_request_handler)
     modify_service_response.append(S3Provider.service, s3_presigned_url_response_handler)
