mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-05-21 18:55:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Added Types for csp.ts

Browse source 
Signed-off-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <dmehren1@gmail.com>
This commit is contained in:
Yannick Bungers 2020-04-12 19:07:26 +02:00 committed by David Mehren
parent 9b323ba996
commit 6d256dd5b6
No known key found for this signature in database
GPG key ID: 6017AF117F9756CB
3 changed files with 74 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

127
lib/csp.ts
View file

@ -1,10 +1,11 @@
import { config } from './config' import { config } from './config'
import { IHelmetContentSecurityPolicyDirectives } from 'helmet'
import uuid from 'uuid'
import { NextFunction, Request, Response } from 'express'
var uuid = require('uuid') type CSPDirectives = IHelmetContentSecurityPolicyDirectives
var CspStrategy: any = {} const defaultDirectives = {
var defaultDirectives = {
defaultSrc: ['\'self\''], defaultSrc: ['\'self\''],
scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''], scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''],
// ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594 // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594
@ -17,24 +18,80 @@ var defaultDirectives = {
connectSrc: ['*'] connectSrc: ['*']
} }
var cdnDirectives = { const cdnDirectives = {
scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'], scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'], styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'],
fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com'] fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']
} }
var disqusDirectives = { const disqusDirectives = {
scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'], scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'],
styleSrc: ['https://*.disquscdn.com'], styleSrc: ['https://*.disquscdn.com'],
fontSrc: ['https://*.disquscdn.com'] fontSrc: ['https://*.disquscdn.com']
} }
var googleAnalyticsDirectives = { const googleAnalyticsDirectives = {
scriptSrc: ['https://www.google-analytics.com'] scriptSrc: ['https://www.google-analytics.com']
} }
CspStrategy.computeDirectives = function () { function mergeDirectives (existingDirectives: CSPDirectives, newDirectives: CSPDirectives): void {
var directives = {} for (const propertyName in newDirectives) {
const newDirective = newDirectives[propertyName]
if (newDirective) {
const existingDirective = existingDirectives[propertyName] || []
existingDirectives[propertyName] = existingDirective.concat(newDirective)
}
}
}
function mergeDirectivesIf (condition: boolean, existingDirectives: CSPDirectives, newDirectives: CSPDirectives): void {
if (condition) {
mergeDirectives(existingDirectives, newDirectives)
}
}
function areAllInlineScriptsAllowed (directives: CSPDirectives): boolean {
if (directives.scriptSrc) {
return directives.scriptSrc.includes('\'unsafe-inline\'')
}
return false
}
function getCspNonce (req: Request, res: Response): string {
return "'nonce-" + res.locals.nonce + "'"
}
function addInlineScriptExceptions (directives: CSPDirectives): void {
if (!directives.scriptSrc) {
directives.scriptSrc = []
}
directives.scriptSrc.push(getCspNonce)
// TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html
// Any more clean solution appreciated.
directives.scriptSrc.push('\'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM=\'')
}
function addUpgradeUnsafeRequestsOptionTo (directives: CSPDirectives): void {
if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
directives.upgradeInsecureRequests = true
} else if (config.csp.upgradeInsecureRequests === true) {
directives.upgradeInsecureRequests = true
}
}
function addReportURI (directives): void {
if (config.csp.reportURI) {
directives.reportUri = config.csp.reportURI
}
}
export function addNonceToLocals (req: Request, res: Response, next: NextFunction): void {
res.locals.nonce = uuid.v4()
next()
}
export function computeDirectives (): CSPDirectives {
const directives: CSPDirectives = {}
mergeDirectives(directives, config.csp.directives) mergeDirectives(directives, config.csp.directives)
mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives) mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)
mergeDirectivesIf(config.useCDN, directives, cdnDirectives) mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
@ -47,55 +104,3 @@ CspStrategy.computeDirectives = function () {
addReportURI(directives) addReportURI(directives)
return directives return directives
} }
function mergeDirectives (existingDirectives, newDirectives) {
for (var propertyName in newDirectives) {
var newDirective = newDirectives[propertyName]
if (newDirective) {
var existingDirective = existingDirectives[propertyName] || []
existingDirectives[propertyName] = existingDirective.concat(newDirective)
}
}
}
function mergeDirectivesIf (condition, existingDirectives, newDirectives) {
if (condition) {
mergeDirectives(existingDirectives, newDirectives)
}
}
function areAllInlineScriptsAllowed (directives) {
return directives.scriptSrc.indexOf('\'unsafe-inline\'') !== -1
}
function addInlineScriptExceptions (directives) {
directives.scriptSrc.push(getCspNonce)
// TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html
// Any more clean solution appreciated.
directives.scriptSrc.push('\'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM=\'')
}
function getCspNonce (req, res) {
return "'nonce-" + res.locals.nonce + "'"
}
function addUpgradeUnsafeRequestsOptionTo (directives) {
if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
directives.upgradeInsecureRequests = true
} else if (config.csp.upgradeInsecureRequests === true) {
directives.upgradeInsecureRequests = true
}
}
function addReportURI (directives) {
if (config.csp.reportURI) {
directives.reportUri = config.csp.reportURI
}
}
CspStrategy.addNonceToLocals = function (req, res, next) {
res.locals.nonce = uuid.v4()
next()
}
module.exports = CspStrategy

1
package.json
View file

@ -17,6 +17,7 @@
}, },
"dependencies": { "dependencies": {
"@passport-next/passport-openid": "^1.0.0", "@passport-next/passport-openid": "^1.0.0",
"@types/helmet": "^0.0.45",
"@types/randomcolor": "^0.5.4", "@types/randomcolor": "^0.5.4",
"Idle.Js": "git+https://github.com/shawnmclean/Idle.js", "Idle.Js": "git+https://github.com/shawnmclean/Idle.js",
"archiver": "^2.1.1", "archiver": "^2.1.1",

7
yarn.lock
View file

@ -136,6 +136,13 @@
resolved "https://registry.yarnpkg.com/@types/geojson/-/geojson-7946.0.7.tgz#c8fa532b60a0042219cdf173ca21a975ef0666ad" resolved "https://registry.yarnpkg.com/@types/geojson/-/geojson-7946.0.7.tgz#c8fa532b60a0042219cdf173ca21a975ef0666ad"
integrity sha512-wE2v81i4C4Ol09RtsWFAqg3BUitWbHSpSlIo+bNdsCJijO9sjme+zm+73ZMCa/qMC8UEERxzGbvmr1cffo2SiQ== integrity sha512-wE2v81i4C4Ol09RtsWFAqg3BUitWbHSpSlIo+bNdsCJijO9sjme+zm+73ZMCa/qMC8UEERxzGbvmr1cffo2SiQ==
"@types/helmet@^0.0.45":
version "0.0.45"
resolved "https://registry.yarnpkg.com/@types/helmet/-/helmet-0.0.45.tgz#3eab6550a4e19acf86012596a7f1981529480fd5"
integrity sha512-PsLZI1NqKpXvsMZxh66xAZtpKiTeW+swY8a8LnCNSBbM/mvwU41P3BYoEqkJM9RbITPsq4uhIH0NkIsL9fzPbg==
dependencies:
"@types/express" "*"
"@types/json-schema@^7.0.3": "@types/json-schema@^7.0.3":
version "7.0.4" version "7.0.4"
resolved "https://registry.yarnpkg.com/@types/json-schema/-/json-schema-7.0.4.tgz#38fd73ddfd9b55abb1e1b2ed578cb55bd7b7d339" resolved "https://registry.yarnpkg.com/@types/json-schema/-/json-schema-7.0.4.tgz#38fd73ddfd9b55abb1e1b2ed578cb55bd7b7d339"