fix: set content-disposition and csp header on uploads

This is required since SVG files are able to contain
malicious code through JavaScript and remote embeddings.
When opened in a browser tab, this code would be
executed. However, with these headers in place, there's
no possibility of getting the files to run in the
browser.

Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>

app.js

@@ -147,10 +147,29 @@ app.use(i18n.init)
 
 // routes without sessions
 // static files
-app.use('/', express.static(path.join(__dirname, '/public'), { maxAge: config.staticCacheTime, index: false, redirect: false }))
-app.use('/docs', express.static(path.resolve(__dirname, config.docsPath), { maxAge: config.staticCacheTime, redirect: false }))
-app.use('/uploads', express.static(path.resolve(__dirname, config.uploadsPath), { maxAge: config.staticCacheTime, redirect: false }))
-app.use('/default.md', express.static(path.resolve(__dirname, config.defaultNotePath), { maxAge: config.staticCacheTime }))
+app.use('/', express.static(path.join(__dirname, '/public'), {
+  maxAge: config.staticCacheTime,
+  index: false,
+  redirect: false
+}))
+app.use('/docs', express.static(path.resolve(__dirname, config.docsPath), {
+  maxAge: config.staticCacheTime,
+  redirect: false
+}))
+// This is done by an additional middleware, instead of setHeaders of express.static, because for what ever reason
+// the latter did not work
+app.use('/uploads', (req, res, next) => {
+  res.set('Content-Disposition', 'attachment')
+  res.set('Content-Security-Policy', "default-src 'none'")
+  next()
+})
+app.use('/uploads', express.static(path.resolve(__dirname, config.uploadsPath), {
+  maxAge: config.staticCacheTime,
+  redirect: false
+}))
+app.use('/default.md', express.static(path.resolve(__dirname, config.defaultNotePath), {
+  maxAge: config.staticCacheTime
+}))
 
 // session
 app.use(useUnless(['/status', '/metrics', '/_health'], session({