From f59cdf9ad5443a7526df4cef6d3cd136676589d3 Mon Sep 17 00:00:00 2001
From: Mohamed Marrouchi
Date: Sun, 1 Dec 2024 08:22:47 +0100
Subject: [PATCH] fix: webchannel cors check

---
 .../channels/web/base-web-channel.ts | 27 ++++++++++++++-----
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/api/src/extensions/channels/web/base-web-channel.ts b/api/src/extensions/channels/web/base-web-channel.ts
index b1544ca3..389ec00d 100644
--- a/api/src/extensions/channels/web/base-web-channel.ts
+++ b/api/src/extensions/channels/web/base-web-channel.ts
@@ -298,12 +298,27 @@ export default abstract class BaseWebChannelHandler<
 if (req.headers && req.headers.origin) {
 // Get the allowed origins
 const origins: string[] = settings.allowed_domains.split(',');
- const foundOrigin = origins.some((origin: string) => {
- origin = origin.trim();
- // If we find a whitelisted origin, send the Access-Control-Allow-Origin header
- // to greenlight the request.
- return origin == req.headers.origin || origin == '*';
- });
+ const foundOrigin = origins
+ .map((origin) => {
+ try {
+ return new URL(origin.trim()).origin;
+ } catch (error) {
+ this.logger.error(
+ `Invalid URL in allowed domains: ${origin}`,
+ error,
+ );
+ return null;
+ }
+ })
+ .filter(
+ (normalizedOrigin): normalizedOrigin is string =>
+ normalizedOrigin !== null,
+ )
+ .some((origin: string) => {
+ // If we find a whitelisted origin, send the Access-Control-Allow-Origin header
+ // to greenlight the request.
+ return origin === req.headers.origin || origin === '*';
+ });
 if (!foundOrigin) {
 // For HTTP requests, set the Access-Control-Allow-Origin header to '', which the browser will