From d7986b192049fbb8c12f77c5e9ab6bb825f6eb56 Mon Sep 17 00:00:00 2001
From: Tilman Vatteroth
Date: Tue, 14 Sep 2021 21:09:32 +0200
Subject: [PATCH] Refactor existing code to add the configured domain to connect-src

Signed-off-by: Tilman Vatteroth
---
 lib/config/buildDomainOriginWithProtocol.js | 19 ++++++++++++++++++
 lib/config/index.js | 22 +++------------------
 lib/csp.js | 3 ++-
 public/docs/release-notes.md | 5 +++++
 4 files changed, 29 insertions(+), 20 deletions(-)
 create mode 100644 lib/config/buildDomainOriginWithProtocol.js

diff --git a/lib/config/buildDomainOriginWithProtocol.js b/lib/config/buildDomainOriginWithProtocol.js
new file mode 100644
index 000000000..0a0ed8445
--- /dev/null
+++ b/lib/config/buildDomainOriginWithProtocol.js
@@ -0,0 +1,19 @@
+module.exports = {
+  buildDomainOriginWithProtocol: function (config, baseProtocol) {
+    const isStandardHTTPsPort = config.protocolUseSSL && config.port === 443
+    const isStandardHTTPPort = !config.protocolUseSSL && config.port === 80
+
+    if (!config.domain) {
+      return ''
+    }
+    let origin = ''
+    const protocol = baseProtocol + (config.protocolUseSSL ? 's' : '') + '://'
+    origin = protocol + config.domain
+    if (config.urlAddPort) {
+      if (!isStandardHTTPPort || !isStandardHTTPsPort) {
+        origin += ':' + config.port
+      }
+    }
+    return origin
+  }
+}
diff --git a/lib/config/index.js b/lib/config/index.js
index bdbdfea98..29cd84135 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -8,6 +8,7 @@
 const deepFreeze = require('deep-freeze')
 const { Environment, Permission } = require('./enum')
 const logger = require('../logger')
 const { getGitCommit, getGitHubURL } = require('./utils')
+const { buildDomainOriginWithProtocol } = require('./buildDomainOriginWithProtocol')
 const appRootPath = path.resolve(__dirname, '../../')
 const env = process.env.NODE_ENV || Environment.development
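Review bot: The port guard `if (!isStandardHTTPPort || !isStandardHTTPsPort) {` in the new helper is always true, since no port is both the plain-HTTP and the TLS default, so with `urlAddPort` set the origin always carries `:port`, including `:443` on an https/wss origin; the intended test is `if (!isStandardHTTPPort && !isStandardHTTPsPort) {`. The removed `getserverurl` in lib/config/index.js had the same `||`, so the commit moves the defect into a helper that now also feeds the CSP connect-src in lib/csp.js. The helper also returns `''` when `config.domain` is unset; a header line such as `// Returns '<baseProtocol>[s]://<domain>[:<port>]', or '' when config.domain is not configured` would make callers aware they must drop that value.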
@@ -79,14 +80,6 @@ if (!(config.defaultPermission in config.permission)) {
   config.defaultPermission = config.permission.editable
 }
 
-// cache result, cannot change config in runtime!!!
-config.isStandardHTTPsPort = (function isStandardHTTPsPort () {
-  return config.useSSL && config.port === 443
-})()
-config.isStandardHTTPPort = (function isStandardHTTPPort () {
-  return !config.useSSL && config.port === 80
-})()
-
 // Use HTTPS protocol if the internal TLS server is enabled
 if (config.useSSL === true) {
   if (config.protocolUseSSL === false) {
@@ -96,17 +89,8 @@ if (config.useSSL === true) {
 }
 
 // cache serverURL
-config.serverURL = (function getserverurl () {
-  let url = ''
-  if (config.domain) {
-    const protocol = config.protocolUseSSL ? 'https://' : 'http://'
-    url = protocol + config.domain
-    if (config.urlAddPort) {
-      if (!config.isStandardHTTPPort || !config.isStandardHTTPsPort) {
-        url += ':' + config.port
-      }
-    }
-  }
+config.serverURL = (function () {
+  let url = buildDomainOriginWithProtocol(config, 'http')
   if (config.urlPath) {
     url += '/' + config.urlPath
   }
diff --git a/lib/csp.js b/lib/csp.js
index 00a9a5a7f..82573beaf 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -1,12 +1,13 @@
 const config = require('./config')
 const { v4: uuidv4 } = require('uuid')
+const { buildDomainOriginWithProtocol } = require('./config/buildDomainOriginWithProtocol')
 
 const CspStrategy = {}
 
 const defaultDirectives = {
   defaultSrc: ['\'none\''],
   baseUri: ['\'self\''],
-  connectSrc: ['\'self\''],
+  connectSrc: ['\'self\'', buildDomainOriginWithProtocol(config, 'ws')],
   fontSrc: ['\'self\''],
   manifestSrc: ['\'self\''],
   frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index b97d757c7..d1e8bf4a7 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
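Review bot: The rewritten `config.serverURL = (function () {` drops the name the old IIFE carried (`getserverurl`), which was the only thing identifying this block in a stack trace; `config.serverURL = (function buildServerURL () {` keeps that. The new value is also less self-explanatory than the inline code it replaces: `buildDomainOriginWithProtocol` returns `''` when `config.domain` is unset, so `url += '/' + config.urlPath` then yields a path-only serverURL, which deserves a comment such as `// '' when config.domain is unset; serverURL is then path-only`. The function body continues past the end of the hunk.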
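Review bot: `connectSrc: ['\'self\'', buildDomainOriginWithProtocol(config, 'ws')],` pushes an empty string into the directive whenever `config.domain` is unset, because the helper returns `''` in that case; depending on how the CSP middleware serialises the list, that is either a stray empty token in the `Content-Security-Policy` header or a rejected directive value. Filtering the entry, `connectSrc: ['\'self\'', buildDomainOriginWithProtocol(config, 'ws')].filter(Boolean),`, keeps the directive at `'self'` for deployments without a configured domain. The reason the websocket origin is listed at all is recorded only in the release-notes hunk; a comment above the line naming the Safari CSP issue would keep the entry from being removed later as redundant with `'self'`.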
@@ -1,4 +1,9 @@ # Release Notes + +## Unreleased +### Bugfixes +- Add workaround for incorrect CSP handling in Safari + ## 1.9.0 2021-09-13 ### Security Fixes - [CVE-2021-39175: XSS vector in slide mode speaker-view](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697)