From 4fdb7d8c4d304b902e896df2e29c88f0ce15dea9 Mon Sep 17 00:00:00 2001
From: Erik Michelson
Date: Mon, 7 Apr 2025 23:18:16 +0200
Subject: [PATCH] fix: set content-disposition and csp header on uploads
This is required since SVG files are able to contain malicious code through JavaScript and remote embeddings. When opened in a browser tab, this code would be executed. However, with these headers in place, there's no possibility of getting the files to run in the browser.
Co-authored-by: Philip Molares
Signed-off-by: Erik Michelson
---
 app.js | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/app.js b/app.js
index 530d42e1f..23b63404a 100644
--- a/app.js
+++ b/app.js
@@ -147,10 +147,29 @@ app.use(i18n.init)
 // routes without sessions
 // static files
-app.use('/', express.static(path.join(__dirname, '/public'), { maxAge: config.staticCacheTime, index: false, redirect: false }))
-app.use('/docs', express.static(path.resolve(__dirname, config.docsPath), { maxAge: config.staticCacheTime, redirect: false }))
-app.use('/uploads', express.static(path.resolve(__dirname, config.uploadsPath), { maxAge: config.staticCacheTime, redirect: false }))
-app.use('/default.md', express.static(path.resolve(__dirname, config.defaultNotePath), { maxAge: config.staticCacheTime }))
+app.use('/', express.static(path.join(__dirname, '/public'), {
+  maxAge: config.staticCacheTime,
+  index: false,
+  redirect: false
+}))
+app.use('/docs', express.static(path.resolve(__dirname, config.docsPath), {
+  maxAge: config.staticCacheTime,
+  redirect: false
+}))
+// This is done by an additional middleware, instead of setHeaders of express.static, because for what ever reason
+// the latter did not work
+app.use('/uploads', (req, res, next) => {
+  res.set('Content-Disposition', 'attachment')
+  res.set('Content-Security-Policy', "default-src 'none'")
+  next()
+})
+app.use('/uploads', express.static(path.resolve(__dirname, config.uploadsPath), {
+  maxAge: config.staticCacheTime,
+  redirect: false
+}))
+app.use('/default.md', express.static(path.resolve(__dirname, config.defaultNotePath), {
+  maxAge: config.staticCacheTime
+}))
 // session
 app.use(useUnless(['/status', '/metrics', '/_health'], session({
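Review bot: The new `/uploads` header middleware runs before express.static has decided whether the file exists, so on a request for a missing upload `Content-Disposition: attachment` and `Content-Security-Policy: default-src 'none'` remain on the response when `next()` falls through to whatever handles the miss; if that later handler renders an HTML error page, the browser may offer it as a download and the CSP would block its stylesheets and scripts. One way to keep the hardening on served files only is a second `/uploads` middleware registered after the `express.static` call that clears the headers on fall-through: `res.removeHeader('Content-Disposition'); res.removeHeader('Content-Security-Policy'); next()`. I would also add `X-Content-Type-Options: nosniff` next to the two `res.set` calls unless a global helmet setup already emits it, since the protection here relies on the browser honouring the declared type rather than sniffing the upload. Finally, the `for what ever reason the latter did not work` comment should say what actually failed with `setHeaders` (or reference the issue), otherwise the next maintainer will try to fold the headers back into the static options and silently reintroduce the problem.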