Skip to content

fix(wrangler): improve R2 CORS validation and error messaging #12456

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
petebacondarwin merged 5 commits into from
Apr 15, 2026
+86 −7
Merged

fix(wrangler): improve R2 CORS validation and error messaging #12456

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d839cc4
fix(wrangler): validate R2 CORS file and provide helpful error messag…
venkatnikhilm Feb 6, 2026
90c3092
fix(wrangler): add R2 CORS validation and changeset
venkatnikhilm Feb 6, 2026
7f72952
fix(wrangler): add defensive check for null entries in CORS rules
venkatnikhilm Feb 6, 2026
c404661
chore: remove test JSON files from wrangler root
venkatnikhilm Feb 6, 2026
a960018
fix: convert indentation to tabs, fix closing paren alignment, add te…
petebacondarwin Mar 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changeset/nasty-years-taste.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
"wrangler": patch
---

Improve validation and error messaging for R2 CORS configuration files to catch AWS S3-style formatting mistake.
42 changes: 42 additions & 0 deletions packages/wrangler/src/__tests__/r2/bucket.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3550,6 +3550,48 @@ describe("r2", () => {
});
});
describe("set", () => {
it("should reject AWS S3 format with CORSRules key", async () => {
const filePath = "cors-s3-format.json";
const s3Config = {
CORSRules: [
{
AllowedOrigins: ["*"],
AllowedMethods: ["GET"],
},
],
};

fs.writeFileSync(filePath, JSON.stringify(s3Config));

await expect(
runWrangler(
`r2 bucket cors set my-bucket --file ${filePath} --force`
)
).rejects.toThrowError(
/Wrangler detected an AWS S3 CORS configuration format/
);
});

it("should reject AWS S3 style PascalCase keys in rules", async () => {
const filePath = "cors-s3-keys.json";
const s3StyleConfig = {
rules: [
{
AllowedOrigins: ["*"],
AllowedMethods: ["GET"],
},
],
};

fs.writeFileSync(filePath, JSON.stringify(s3StyleConfig));

await expect(
runWrangler(
`r2 bucket cors set my-bucket --file ${filePath} --force`
)
).rejects.toThrowError(/Wrangler detected AWS S3 style keys/);
});

it("should set CORS configuration from a JSON file", async () => {
const bucketName = "my-bucket";
const filePath = "cors-configuration.json";
Expand Down
46 changes: 39 additions & 7 deletions packages/wrangler/src/r2/cors.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,17 +100,49 @@ export const r2BucketCORSSetCommand = createCommand({

const jsonFilePath = path.resolve(file);

const corsConfig = parseJSON(readFileSync(jsonFilePath), jsonFilePath) as {
rules: CORSRule[];
};
const corsConfig = parseJSON(
readFileSync(jsonFilePath),
jsonFilePath
) as Record<string, unknown>;

if (!corsConfig.rules || !Array.isArray(corsConfig.rules)) {
// Detect AWS S3 top-level format (CORSRules instead of rules)
if (corsConfig.CORSRules) {
throw new UserError(
`The CORS configuration file must contain a 'rules' array as expected by the request body of the CORS API: ` +
"Wrangler detected an AWS S3 CORS configuration format.\n" +
"Cloudflare R2 expects a 'rules' array instead of 'CORSRules'.\n" +
"See: https://developers.cloudflare.com/r2/buckets/cors/#example"
);
}

// Validate existence of rules array
const rules = corsConfig.rules;
if (!rules || !Array.isArray(rules)) {
throw new UserError(
`The CORS configuration file must contain a 'rules' array as expected by the R2 API: ` +
`https://developers.cloudflare.com/api/operations/r2-put-bucket-cors-policy`
);
}

// Detect AWS S3 individual rule format (AllowedOrigins, AllowedMethods, AllowedHeaders)
const hasS3Keys = (rules as Record<string, unknown>[]).some(
(rule) =>
rule &&
typeof rule === "object" &&
!Array.isArray(rule) &&
("AllowedOrigins" in rule ||
"AllowedMethods" in rule ||
"AllowedHeaders" in rule)
);

if (hasS3Keys) {
throw new UserError(
"Wrangler detected AWS S3 style keys (e.g. 'AllowedOrigins').\n" +
"Cloudflare R2 requires lowercase keys nested inside an 'allowed' object.\n" +
'Example: { "allowed": { "origins": ["*"], "methods": ["GET"] } }\n' +
"See: https://developers.cloudflare.com/r2/buckets/cors/#example"
);
}

if (!force) {
const confirmedRemoval = await confirm(
`Are you sure you want to overwrite the existing CORS configuration for bucket '${bucket}'?`
Expand All @@ -122,13 +154,13 @@ export const r2BucketCORSSetCommand = createCommand({
}

logger.log(
`Setting CORS configuration (${corsConfig.rules.length} rules) for bucket '${bucket}'...`
`Setting CORS configuration (${rules.length} rules) for bucket '${bucket}'...`
);
await putCORSPolicy(
config,
accountId,
bucket,
corsConfig.rules,
rules as CORSRule[],
jurisdiction
);
logger.log(`✨ Set CORS configuration for bucket '${bucket}'.`);
Expand Down
Loading