mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2025-03-13 11:42:12 +00:00
Added Types for csp.ts
Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com>
This commit is contained in:
Yannick Bungers
David Mehren
parent
9b323ba996
commit
6d256dd5b6
3 changed files with 74 additions and 61 deletions
127
lib/csp.ts
127
lib/csp.ts
|
|
@ -1,10 +1,11 @@
|
|||
import { config } from './config'
|
||||
import { IHelmetContentSecurityPolicyDirectives } from 'helmet'
|
||||
import uuid from 'uuid'
|
||||
import { NextFunction, Request, Response } from 'express'
|
||||
|
||||
var uuid = require('uuid')
|
||||
type CSPDirectives = IHelmetContentSecurityPolicyDirectives
|
||||
|
||||
var CspStrategy: any = {}
|
||||
|
||||
var defaultDirectives = {
|
||||
const defaultDirectives = {
|
||||
defaultSrc: ['\'self\''],
|
||||
scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''],
|
||||
// ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594
|
||||
|
|
@ -17,24 +18,80 @@ var defaultDirectives = {
|
|||
connectSrc: ['*']
|
||||
}
|
||||
|
||||
var cdnDirectives = {
|
||||
const cdnDirectives = {
|
||||
scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
|
||||
styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'],
|
||||
fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']
|
||||
}
|
||||
|
||||
var disqusDirectives = {
|
||||
const disqusDirectives = {
|
||||
scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'],
|
||||
styleSrc: ['https://*.disquscdn.com'],
|
||||
fontSrc: ['https://*.disquscdn.com']
|
||||
}
|
||||
|
||||
var googleAnalyticsDirectives = {
|
||||
const googleAnalyticsDirectives = {
|
||||
scriptSrc: ['https://www.google-analytics.com']
|
||||
}
|
||||
|
||||
CspStrategy.computeDirectives = function () {
|
||||
var directives = {}
|
||||
function mergeDirectives (existingDirectives: CSPDirectives, newDirectives: CSPDirectives): void {
|
||||
for (const propertyName in newDirectives) {
|
||||
const newDirective = newDirectives[propertyName]
|
||||
if (newDirective) {
|
||||
const existingDirective = existingDirectives[propertyName] || []
|
||||
existingDirectives[propertyName] = existingDirective.concat(newDirective)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function mergeDirectivesIf (condition: boolean, existingDirectives: CSPDirectives, newDirectives: CSPDirectives): void {
|
||||
if (condition) {
|
||||
mergeDirectives(existingDirectives, newDirectives)
|
||||
}
|
||||
}
|
||||
|
||||
function areAllInlineScriptsAllowed (directives: CSPDirectives): boolean {
|
||||
if (directives.scriptSrc) {
|
||||
return directives.scriptSrc.includes('\'unsafe-inline\'')
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
function getCspNonce (req: Request, res: Response): string {
|
||||
return "'nonce-" + res.locals.nonce + "'"
|
||||
}
|
||||
|
||||
function addInlineScriptExceptions (directives: CSPDirectives): void {
|
||||
if (!directives.scriptSrc) {
|
||||
directives.scriptSrc = []
|
||||
}
|
||||
directives.scriptSrc.push(getCspNonce)
|
||||
// TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html
|
||||
// Any more clean solution appreciated.
|
||||
directives.scriptSrc.push('\'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM=\'')
|
||||
}
|
||||
|
||||
function addUpgradeUnsafeRequestsOptionTo (directives: CSPDirectives): void {
|
||||
if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
|
||||
directives.upgradeInsecureRequests = true
|
||||
} else if (config.csp.upgradeInsecureRequests === true) {
|
||||
directives.upgradeInsecureRequests = true
|
||||
}
|
||||
}
|
||||
|
||||
function addReportURI (directives): void {
|
||||
if (config.csp.reportURI) {
|
||||
directives.reportUri = config.csp.reportURI
|
||||
}
|
||||
}
|
||||
|
||||
export function addNonceToLocals (req: Request, res: Response, next: NextFunction): void {
|
||||
res.locals.nonce = uuid.v4()
|
||||
next()
|
||||
}
|
||||
|
||||
export function computeDirectives (): CSPDirectives {
|
||||
const directives: CSPDirectives = {}
|
||||
mergeDirectives(directives, config.csp.directives)
|
||||
mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)
|
||||
mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
|
||||
|
|
@ -47,55 +104,3 @@ CspStrategy.computeDirectives = function () {
|
|||
addReportURI(directives)
|
||||
return directives
|
||||
}
|
||||
|
||||
function mergeDirectives (existingDirectives, newDirectives) {
|
||||
for (var propertyName in newDirectives) {
|
||||
var newDirective = newDirectives[propertyName]
|
||||
if (newDirective) {
|
||||
var existingDirective = existingDirectives[propertyName] || []
|
||||
existingDirectives[propertyName] = existingDirective.concat(newDirective)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function mergeDirectivesIf (condition, existingDirectives, newDirectives) {
|
||||
if (condition) {
|
||||
mergeDirectives(existingDirectives, newDirectives)
|
||||
}
|
||||
}
|
||||
|
||||
function areAllInlineScriptsAllowed (directives) {
|
||||
return directives.scriptSrc.indexOf('\'unsafe-inline\'') !== -1
|
||||
}
|
||||
|
||||
function addInlineScriptExceptions (directives) {
|
||||
directives.scriptSrc.push(getCspNonce)
|
||||
// TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html
|
||||
// Any more clean solution appreciated.
|
||||
directives.scriptSrc.push('\'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM=\'')
|
||||
}
|
||||
|
||||
function getCspNonce (req, res) {
|
||||
return "'nonce-" + res.locals.nonce + "'"
|
||||
}
|
||||
|
||||
function addUpgradeUnsafeRequestsOptionTo (directives) {
|
||||
if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
|
||||
directives.upgradeInsecureRequests = true
|
||||
} else if (config.csp.upgradeInsecureRequests === true) {
|
||||
directives.upgradeInsecureRequests = true
|
||||
}
|
||||
}
|
||||
|
||||
function addReportURI (directives) {
|
||||
if (config.csp.reportURI) {
|
||||
directives.reportUri = config.csp.reportURI
|
||||
}
|
||||
}
|
||||
|
||||
CspStrategy.addNonceToLocals = function (req, res, next) {
|
||||
res.locals.nonce = uuid.v4()
|
||||
next()
|
||||
}
|
||||
|
||||
module.exports = CspStrategy
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@
|
|||
},
|
||||
"dependencies": {
|
||||
"@passport-next/passport-openid": "^1.0.0",
|
||||
"@types/helmet": "^0.0.45",
|
||||
"@types/randomcolor": "^0.5.4",
|
||||
"Idle.Js": "git+https://github.com/shawnmclean/Idle.js",
|
||||
"archiver": "^2.1.1",
|
||||
|
|
|
|||
|
|
@ -136,6 +136,13 @@
|
|||
resolved "https://registry.yarnpkg.com/@types/geojson/-/geojson-7946.0.7.tgz#c8fa532b60a0042219cdf173ca21a975ef0666ad"
|
||||
integrity sha512-wE2v81i4C4Ol09RtsWFAqg3BUitWbHSpSlIo+bNdsCJijO9sjme+zm+73ZMCa/qMC8UEERxzGbvmr1cffo2SiQ==
|
||||
|
||||
"@types/helmet@^0.0.45":
|
||||
version "0.0.45"
|
||||
resolved "https://registry.yarnpkg.com/@types/helmet/-/helmet-0.0.45.tgz#3eab6550a4e19acf86012596a7f1981529480fd5"
|
||||
integrity sha512-PsLZI1NqKpXvsMZxh66xAZtpKiTeW+swY8a8LnCNSBbM/mvwU41P3BYoEqkJM9RbITPsq4uhIH0NkIsL9fzPbg==
|
||||
dependencies:
|
||||
"@types/express" "*"
|
||||
|
||||
"@types/json-schema@^7.0.3":
|
||||
version "7.0.4"
|
||||
resolved "https://registry.yarnpkg.com/@types/json-schema/-/json-schema-7.0.4.tgz#38fd73ddfd9b55abb1e1b2ed578cb55bd7b7d339"
|
||||
|
|
|
|||
Loading…
Reference in a new issue