From 03ed57507479bb24a1038c61c0842ccd0e717a83 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Mar 2025 06:10:16 +0000 Subject: [PATCH] [chore]: Bump github.com/gin-contrib/cors from 1.7.3 to 1.7.4 Bumps [github.com/gin-contrib/cors](https://github.com/gin-contrib/cors) from 1.7.3 to 1.7.4. - [Release notes](https://github.com/gin-contrib/cors/releases) - [Changelog](https://github.com/gin-contrib/cors/blob/master/.goreleaser.yaml) - [Commits](https://github.com/gin-contrib/cors/compare/v1.7.3...v1.7.4) --- updated-dependencies: - dependency-name: github.com/gin-contrib/cors dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 4 ++-- go.sum | 4 ++-- vendor/github.com/gin-contrib/cors/.golangci.yml | 1 - vendor/github.com/gin-contrib/cors/config.go | 14 +++++++++++++- vendor/github.com/gin-contrib/cors/cors.go | 10 ++++++++++ vendor/modules.txt | 4 ++-- 6 files changed, 29 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 51d5954a6..0b47b8b92 100644 --- a/go.mod +++ b/go.mod @@ -2,7 +2,7 @@ module github.com/superseriousbusiness/gotosocial go 1.23.0 -toolchain go1.23.3 +toolchain go1.24.1 // Replace go-swagger with our version that fixes (ours particularly) use of Go1.23 replace github.com/go-swagger/go-swagger => codeberg.org/superseriousbusiness/go-swagger v0.31.0-gts-go1.23-fix @@ -37,7 +37,7 @@ require ( github.com/SherClockHolmes/webpush-go v1.4.0 github.com/buckket/go-blurhash v1.1.0 github.com/coreos/go-oidc/v3 v3.12.0 - github.com/gin-contrib/cors v1.7.3 + github.com/gin-contrib/cors v1.7.4 github.com/gin-contrib/gzip v1.2.2 github.com/gin-contrib/sessions v1.0.2 github.com/gin-gonic/gin v1.10.0 diff --git a/go.sum b/go.sum index 18e1f2f4a..dd019548f 100644 --- a/go.sum +++ b/go.sum 
@@ -133,8 +133,8 @@ github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3G github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8= github.com/gavv/httpexpect v2.0.0+incompatible h1:1X9kcRshkSKEjNJJxX9Y9mQ5BRfbxU5kORdjhlA1yX8= github.com/gavv/httpexpect v2.0.0+incompatible/go.mod h1:x+9tiU1YnrOvnB725RkpoLv1M62hOWzwo5OXotisrKc= -github.com/gin-contrib/cors v1.7.3 h1:hV+a5xp8hwJoTw7OY+a70FsL8JkVVFTXw9EcfrYUdns= -github.com/gin-contrib/cors v1.7.3/go.mod h1:M3bcKZhxzsvI+rlRSkkxHyljJt1ESd93COUvemZ79j4= +github.com/gin-contrib/cors v1.7.4 h1:/fC6/wk7rCRtqKqki8lLr2Xq+hnV49aXDLIuSek9g4k= +github.com/gin-contrib/cors v1.7.4/go.mod h1:vGc/APSgLMlQfEJV5NAzkrAHb0C8DetL3K6QZuvGii0= github.com/gin-contrib/gzip v1.2.2 h1:iUU/EYCM8ENfkjmZaVrxbjF/ZC267Iqv5S0MMCMEliI= github.com/gin-contrib/gzip v1.2.2/go.mod h1:C1a5cacjlDsS20cKnHlZRCPUu57D3qH6B2pV0rl+Y/s= github.com/gin-contrib/sessions v1.0.2 h1:UaIjUvTH1cMeOdj3in6dl+Xb6It8RiKRF9Z1anbUyCA= diff --git a/vendor/github.com/gin-contrib/cors/.golangci.yml b/vendor/github.com/gin-contrib/cors/.golangci.yml index d59c99bd4..67edf0ac8 100644 --- a/vendor/github.com/gin-contrib/cors/.golangci.yml +++ b/vendor/github.com/gin-contrib/cors/.golangci.yml @@ -7,7 +7,6 @@ linters: - dogsled - dupl - errcheck - - exportloopref - exhaustive - gochecknoinits - goconst diff --git a/vendor/github.com/gin-contrib/cors/config.go b/vendor/github.com/gin-contrib/cors/config.go index 8a295e3db..a955c3171 100644 --- a/vendor/github.com/gin-contrib/cors/config.go +++ b/vendor/github.com/gin-contrib/cors/config.go @@ -2,6 +2,7 @@ package cors import ( "net/http" + "regexp" "strings" "github.com/gin-gonic/gin" 
@@ -122,21 +123,32 @@ func (cors *cors) isOriginValid(c *gin.Context, origin string) bool { return valid } +var originRegex = regexp.MustCompile(`^/(.+)/[gimuy]?$`) + func (cors *cors) validateOrigin(origin string) bool { if cors.allowAllOrigins { return true } + for _, value := range cors.allowOrigins { - if value == origin { + if !originRegex.MatchString(value) && value == origin { + return true + } + + if originRegex.MatchString(value) && + regexp.MustCompile(originRegex.FindStringSubmatch(value)[1]).MatchString(origin) { return true } } + if len(cors.wildcardOrigins) > 0 && cors.validateWildcardOrigin(origin) { return true } + if cors.allowOriginFunc != nil { return cors.allowOriginFunc(origin) } + return false } diff --git a/vendor/github.com/gin-contrib/cors/cors.go b/vendor/github.com/gin-contrib/cors/cors.go index 2261df759..cacb34a6c 100644 --- a/vendor/github.com/gin-contrib/cors/cors.go +++ b/vendor/github.com/gin-contrib/cors/cors.go @@ -3,6 +3,7 @@ package cors import ( "errors" "fmt" + "regexp" "strings" "time" @@ -103,8 +104,17 @@ func (c Config) getAllowedSchemas() []string { return allowedSchemas } +var regexpBasedOrigin = regexp.MustCompile(`^\/(.+)\/[gimuy]?$`) + func (c Config) validateAllowedSchemas(origin string) bool { allowedSchemas := c.getAllowedSchemas() + + if regexpBasedOrigin.MatchString(origin) { + // Normalize regexp-based origins + origin = regexpBasedOrigin.FindStringSubmatch(origin)[1] + origin = strings.Replace(origin, "?", "", 1) + } + for _, schema := range allowedSchemas { if strings.HasPrefix(origin, schema) { return true diff --git a/vendor/modules.txt b/vendor/modules.txt index 5b20c6326..cae5efa70 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
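Review bot: In `validateOrigin` (vendor/github.com/gin-contrib/cors/config.go), an `AllowOrigins` entry of the form `/pattern/` is now compiled with `regexp.MustCompile` inside the per-request loop, so an invalid pattern would panic while serving a request rather than at startup, unless it is rejected earlier in code not shown here. The pattern is applied with `MatchString` exactly as written, so an entry without `^` and `$` accepts any origin that merely contains a match, and the trailing `[gimuy]` flag is parsed but never applied. Compiling once when the config is built and anchoring there, e.g. `re, err := regexp.Compile("^(?:" + m[1] + ")$")`, would close both gaps; until then, any regex-style origin in this project's CORS config should carry explicit anchors. Because this arrives in a semver-patch bump, it is worth confirming that no existing allowed-origin entry already begins and ends with `/`, since such an entry would now be treated as a regex rather than compared literally.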
@@ -391,8 +391,8 @@ github.com/gabriel-vasile/mimetype
 github.com/gabriel-vasile/mimetype/internal/charset
 github.com/gabriel-vasile/mimetype/internal/json
 github.com/gabriel-vasile/mimetype/internal/magic
-# github.com/gin-contrib/cors v1.7.3
-## explicit; go 1.21.0
+# github.com/gin-contrib/cors v1.7.4
+## explicit; go 1.23.0
 github.com/gin-contrib/cors
 # github.com/gin-contrib/gzip v1.2.2
 ## explicit; go 1.21.0