[chore] bump golang.org/x/net@v0.38.0, github.com/gin-contrib/cors@v1.7.4, github.com/spf13/viper@v1.20.1, github.com/tdewolff/minify/v2@v2.22.4 (#3959)

vendor/github.com/gin-contrib/cors/.golangci.yml

@@ -7,7 +7,6 @@ linters:
     - dogsled
     - dupl
     - errcheck
-    - exportloopref
     - exhaustive
     - gochecknoinits
     - goconst

vendor/github.com/gin-contrib/cors/config.go

@@ -2,6 +2,7 @@ package cors
 
 import (
 	"net/http"
+	"regexp"
 	"strings"
 
 	"github.com/gin-gonic/gin"
@@ -122,21 +123,32 @@ func (cors *cors) isOriginValid(c *gin.Context, origin string) bool {
 	return valid
 }
 
+var originRegex = regexp.MustCompile(`^/(.+)/[gimuy]?$`)
+
 func (cors *cors) validateOrigin(origin string) bool {
 	if cors.allowAllOrigins {
 		return true
 	}
+
 	for _, value := range cors.allowOrigins {
-		if value == origin {
+		if !originRegex.MatchString(value) && value == origin {
+			return true
+		}
+
+		if originRegex.MatchString(value) &&
+			regexp.MustCompile(originRegex.FindStringSubmatch(value)[1]).MatchString(origin) {
 			return true
 		}
 	}
+
 	if len(cors.wildcardOrigins) > 0 && cors.validateWildcardOrigin(origin) {
 		return true
 	}
+
 	if cors.allowOriginFunc != nil {
 		return cors.allowOriginFunc(origin)
 	}
+
 	return false
 }
 

vendor/github.com/gin-contrib/cors/cors.go

@@ -3,6 +3,7 @@ package cors
 import (
 	"errors"
 	"fmt"
+	"regexp"
 	"strings"
 	"time"
 
@@ -103,8 +104,17 @@ func (c Config) getAllowedSchemas() []string {
 	return allowedSchemas
 }
 
+var regexpBasedOrigin = regexp.MustCompile(`^\/(.+)\/[gimuy]?$`)
+
 func (c Config) validateAllowedSchemas(origin string) bool {
 	allowedSchemas := c.getAllowedSchemas()
+
+	if regexpBasedOrigin.MatchString(origin) {
+		// Normalize regexp-based origins
+		origin = regexpBasedOrigin.FindStringSubmatch(origin)[1]
+		origin = strings.Replace(origin, "?", "", 1)
+	}
+
 	for _, schema := range allowedSchemas {
 		if strings.HasPrefix(origin, schema) {
 			return true