From 7ea9acc97f4c884ecdaebd06ed0353b28263d118 Mon Sep 17 00:00:00 2001
From: Albin Kerouanton <albinker@gmail.com>
Date: Wed, 12 Apr 2023 12:33:48 +0200
Subject: [PATCH] cmd/dockerd: deprecate `api-cors-header`

CORS headers were originally added by 6d5bdff.

These headers could be set without any Authz plugin enabled
beforehand, making this feature quite dangerous.

This commit marks the daemon flag `api-cors-header` as deprecated
and requires the env var `DOCKERD_DEPRECATED_CORS_HEADER` to be
set. When enabled, the daemon will write a deprecation warning to
the logs and the endpoint `GET /info` will return the same
deprecation warning.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 api/server/middleware/cors.go | 4 ++++
 cmd/dockerd/config.go         | 3 ++-
 cmd/dockerd/daemon.go         | 5 +++--
 daemon/config/config.go       | 2 +-
 daemon/info.go                | 4 ++++
 5 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/api/server/middleware/cors.go b/api/server/middleware/cors.go
index a55aa60407..0fa5a1daf7 100644
--- a/api/server/middleware/cors.go
+++ b/api/server/middleware/cors.go
@@ -10,11 +10,15 @@ import (
 
 // CORSMiddleware injects CORS headers to each request
 // when it's configured.
+//
+// Deprecated: CORS headers should not be set on the API. This feature will be removed in the next release.
 type CORSMiddleware struct {
 	defaultHeaders string
 }
 
 // NewCORSMiddleware creates a new CORSMiddleware with default headers.
+//
+// Deprecated: CORS headers should not be set on the API. This feature will be removed in the next release.
 func NewCORSMiddleware(d string) CORSMiddleware {
 	return CORSMiddleware{defaultHeaders: d}
 }
diff --git a/cmd/dockerd/config.go b/cmd/dockerd/config.go
index 449a293fe4..02d606cc1e 100644
--- a/cmd/dockerd/config.go
+++ b/cmd/dockerd/config.go
@@ -53,7 +53,6 @@ func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 	flags.StringVar(&conf.LogConfig.Type, "log-driver", "json-file", "Default driver for container logs")
 	flags.Var(opts.NewNamedMapOpts("log-opts", conf.LogConfig.Config, nil), "log-opt", "Default log driver options for containers")
 
-	flags.StringVar(&conf.CorsHeaders, "api-cors-header", "", "Set CORS headers in the Engine API")
 	flags.IntVar(&conf.MaxConcurrentDownloads, "max-concurrent-downloads", conf.MaxConcurrentDownloads, "Set the max concurrent downloads")
 	flags.IntVar(&conf.MaxConcurrentUploads, "max-concurrent-uploads", conf.MaxConcurrentUploads, "Set the max concurrent uploads")
 	flags.IntVar(&conf.MaxDownloadAttempts, "max-download-attempts", conf.MaxDownloadAttempts, "Set the max download attempts for each pull")
@@ -76,6 +75,8 @@ func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 
 	// Deprecated flags / options
 
+	flags.StringVar(&conf.CorsHeaders, "api-cors-header", "", "Set CORS headers in the Engine API; deprecated, and will be removed in the next release")
+	_ = flags.MarkDeprecated("api-cors-header", "accessing Docker API through a browser is insecure; use a reverse proxy if you need CORS headers")
 	flags.BoolVarP(&conf.AutoRestart, "restart", "r", true, "--restart on the daemon has been deprecated in favor of --restart policies on docker run")
 	_ = flags.MarkDeprecated("restart", "Please use a restart policy on docker run")
 
diff --git a/cmd/dockerd/daemon.go b/cmd/dockerd/daemon.go
index 6882e4140f..47d3823ba0 100644
--- a/cmd/dockerd/daemon.go
+++ b/cmd/dockerd/daemon.go
@@ -729,8 +729,9 @@ func initMiddlewares(s *apiserver.Server, cfg *config.Config, pluginStore plugin
 	}
 	s.UseMiddleware(*vm)
 
-	if cfg.CorsHeaders != "" {
-		c := middleware.NewCORSMiddleware(cfg.CorsHeaders)
+	if cfg.CorsHeaders != "" && os.Getenv("DOCKERD_DEPRECATED_CORS_HEADER") != "" {
+		logrus.Warnf(`DEPRECATED: The "api-cors-header" config parameter and the dockerd "--api-cors-header" option will be removed in the next release. Use a reverse proxy if you need CORS headers.`)
+		c := middleware.NewCORSMiddleware(cfg.CorsHeaders) //nolint:staticcheck // ignore SA1019 (NewCORSMiddleware is deprecated); will be removed in the next release.
 		s.UseMiddleware(c)
 	}
 
diff --git a/daemon/config/config.go b/daemon/config/config.go
index a72fba044d..04f5ec1385 100644
--- a/daemon/config/config.go
+++ b/daemon/config/config.go
@@ -160,7 +160,7 @@ type CommonConfig struct {
 	Root                  string   `json:"data-root,omitempty"`
 	ExecRoot              string   `json:"exec-root,omitempty"`
 	SocketGroup           string   `json:"group,omitempty"`
-	CorsHeaders           string   `json:"api-cors-header,omitempty"`
+	CorsHeaders           string   `json:"api-cors-header,omitempty"` // Deprecated: CORS headers should not be set on the API. This feature will be removed in the next release.
 
 	// Proxies holds the proxies that are configured for the daemon.
 	Proxies `json:"proxies"`
diff --git a/daemon/info.go b/daemon/info.go
index 8e56bd9a68..67398c1c04 100644
--- a/daemon/info.go
+++ b/daemon/info.go
@@ -235,6 +235,10 @@ func (daemon *Daemon) fillAPIInfo(v *system.Info, cfg *config.Config) {
          to the 'Docker daemon attack surface' section in the documentation for
          more information: https://docs.docker.com/go/attack-surface/`
 
+	if cfg.CorsHeaders != "" {
+		v.Warnings = append(v.Warnings, `DEPRECATED: The "api-cors-header" config parameter and the dockerd "--api-cors-header" option will be removed in the next release. Use a reverse proxy if you need CORS headers.`)
+	}
+
 	for _, host := range cfg.Hosts {
 		// cnf.Hosts is normalized during startup, so should always have a scheme/proto
 		proto, addr, _ := strings.Cut(host, "://")