Fix GHSA-4xqm-4p72-87h6 (#52276)

Author: oioki

src/sentry/api/base.py

@@ -121,7 +121,7 @@ def allow_cors_options_wrapper(self, request: Request, *args, **kwargs):
         # to be sent.
         basehost = options.get("system.base-hostname")
         if basehost and origin:
-            if origin.endswith(basehost):
+            if origin.endswith(("://" + basehost, "." + basehost)):
                 response["Access-Control-Allow-Credentials"] = "true"
 
         return response

tests/sentry/api/test_base.py

@@ -162,15 +162,16 @@ def test_allow_credentials_incorrect(self):
         org = self.create_organization()
         apikey = ApiKey.objects.create(organization_id=org.id, allowed_origins="*")
 
-        request = self.make_request(method="GET")
-        request.META["HTTP_ORIGIN"] = "http://acme.example.com"
-        request.META["HTTP_AUTHORIZATION"] = b"Basic " + base64.b64encode(
-            apikey.key.encode("utf-8")
-        )
+        for http_origin in ["http://acme.example.com", "http://fakeacme.com"]:
+            request = self.make_request(method="GET")
+            request.META["HTTP_ORIGIN"] = http_origin
+            request.META["HTTP_AUTHORIZATION"] = b"Basic " + base64.b64encode(
+                apikey.key.encode("utf-8")
+            )
 
-        response = _dummy_endpoint(request)
-        response.render()
-        assert "Access-Control-Allow-Credentials" not in response
+            response = _dummy_endpoint(request)
+            response.render()
+            assert "Access-Control-Allow-Credentials" not in response
 
     def test_invalid_cors_without_auth(self):
         request = self.make_request(method="GET")