FIX: Fix type error in CORS headers

gramex/handlers/basehandler.py

@@ -241,7 +241,7 @@ def _cors_options(self, *args, **kwargs):
 
         # Check if headers is in cors.headers
         headers = self.request.headers.get('Access-Control-Request-Headers', '')
-        headers = self.get_list(headers, 'headers', '', caps=False)
+        headers = self.get_list(headers, 'headers', '', caps=False))
         allowed_headers = {h.lower() for h in self._cors['headers']}
         diff = set()
         if '*' not in allowed_headers:
@@ -260,7 +260,7 @@ def _cors_options(self, *args, **kwargs):
             self._all_methods if '*' in self._cors['methods'] else ', '.join(self._cors['methods'])
         )
         self.set_header('Access-Control-Allow-Methods', methods)
-        headers |= self._cors['headers']
+        headers = set(headers) | set(self._cors['headers'])
         if '*' in headers:
             headers.remove('*')
             headers.update(self._all_headers)

reports/trivy.txt

@@ -1,16 +1,20 @@
 
-gramener/gramex:1.93.1 (alpine 3.17.5)
+gramener/gramex:1.93.2 (alpine 3.17.5)
 ======================================
 Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 
 
 Python (python-pkg)
 ===================
-Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
 
-┌─────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
-│         Library         │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                        │
-├─────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
-│ cryptography (METADATA) │ GHSA-v8gr-m533-ghj9 │ LOW      │ fixed  │ 41.0.3            │ 41.0.4        │ Vulnerable OpenSSL included in cryptography wheels │
-│                         │                     │          │        │                   │               │ https://github.com/advisories/GHSA-v8gr-m533-ghj9  │
-└─────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘
+┌─────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────┐
+│         Library         │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version  │                        Title                        │
+├─────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────┤
+│ cryptography (METADATA) │ GHSA-v8gr-m533-ghj9 │ LOW      │ fixed  │ 41.0.3            │ 41.0.4         │ Vulnerable OpenSSL included in cryptography wheels  │
+│                         │                     │          │        │                   │                │ https://github.com/advisories/GHSA-v8gr-m533-ghj9   │
+├─────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────┤
+│ urllib3 (METADATA)      │ CVE-2023-43804      │ MEDIUM   │        │ 1.26.16           │ 2.0.6, 1.26.17 │ `Cookie` HTTP header isn't stripped on cross-origin │
+│                         │                     │          │        │                   │                │ redirects                                           │
+│                         │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-43804          │
+└─────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────┘