CORS filter throws 500 on invalid Origin URL

[blazmrak]

This popped up on our production and is caused by random bots. You can reproduce by sending a request with invalid URL in the Origin header. It should maybe be a 4xx.

curl -H 'Origin: https://%s' url

The code responsible is here: https://github.com/quarkusio/quarkus/blame/6241ec356a30d1eaf674f5e931034a85599ae970/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java#L254-L255

Should these two URI.create calls be wrapped in a try-catch block or is this behavior not worth changing?

[gsmet]

Should these two URI.create calls be wrapped in a try-catch block or is this behavior not worth changing?

Yeah, we shouldn't end up with a 500 for a bad request.

[quarkus-bot]

/cc @pedroigor (bearer-token), @sberyozkin (bearer-token,jwt,security)

[gsmet]

/cc @michalvavrik

[geoand]

We should definitely address this. For Vert.x we do something similar here

@blazmrak would you be willing to contribute a fix?

[blazmrak]

@geoand yeah, I'll have a PR ready later today.