[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103)

* [bugfix] Add s3 endpoint as image-src and media-src for CSP

* use https if secure

* reorder comment
This commit is contained in:
tobi 2023-08-11 17:49:17 +02:00 committed by GitHub
parent a1768a83e0
commit b7274545e0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 156 additions and 6 deletions

View file

@ -20,17 +20,17 @@
import ( import (
"codeberg.org/gruf/go-debug" "codeberg.org/gruf/go-debug"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/superseriousbusiness/gotosocial/internal/config"
) )
// ExtraHeaders returns a new gin middleware which adds various extra headers to the response. // ExtraHeaders returns a new gin middleware which adds various extra headers to the response.
func ExtraHeaders() gin.HandlerFunc { func ExtraHeaders() gin.HandlerFunc {
policy := "default-src 'self'" csp := BuildContentSecurityPolicy()
if debug.DEBUG {
policy += " localhost:*"
}
return func(c *gin.Context) { return func(c *gin.Context) {
// Inform all callers which server implementation this is. // Inform all callers which server implementation this is.
c.Header("Server", "gotosocial") c.Header("Server", "gotosocial")
// Prevent google chrome cohort tracking. Originally this was referred // Prevent google chrome cohort tracking. Originally this was referred
// to as FlocBlock. Floc was replaced by Topics in 2022 and the spec says // to as FlocBlock. Floc was replaced by Topics in 2022 and the spec says
// that interest-cohort will also block Topics (as of 2022-Nov). // that interest-cohort will also block Topics (as of 2022-Nov).
@ -39,7 +39,55 @@ func ExtraHeaders() gin.HandlerFunc {
// //
// See: https://github.com/patcg-individual-drafts/topics // See: https://github.com/patcg-individual-drafts/topics
c.Header("Permissions-Policy", "browsing-topics=()") c.Header("Permissions-Policy", "browsing-topics=()")
// Inform the browser we only load CSS/JS/media from the same domain
c.Header("Content-Security-Policy", policy) // Inform the browser we only load
// CSS/JS/media using the given policy.
c.Header("Content-Security-Policy", csp)
} }
} }
func BuildContentSecurityPolicy() string {
// Start with restrictive policy.
policy := "default-src 'self'"
if debug.DEBUG {
// Debug is enabled, allow
// serving things from localhost
// as well (regardless of port).
policy += " localhost:*"
}
s3Endpoint := config.GetStorageS3Endpoint()
if s3Endpoint == "" {
// S3 not configured,
// default policy is OK.
return policy
}
if config.GetStorageS3Proxy() {
// S3 is configured in proxy
// mode, default policy is OK.
return policy
}
// S3 is on and in non-proxy mode, so we need to add the S3 host to
// the policy to allow images and video to be pulled from there too.
// If secure is false,
// use 'http' scheme.
scheme := "https"
if !config.GetStorageS3UseSSL() {
scheme = "http"
}
// Construct endpoint URL.
s3EndpointURLStr := scheme + "://" + s3Endpoint
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
policy += "; image-src " + s3EndpointURLStr
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
policy += "; media-src " + s3EndpointURLStr
return policy
}

View file

@ -0,0 +1,102 @@
// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package middleware_test
import (
"testing"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/middleware"
)
func TestBuildContentSecurityPolicy(t *testing.T) {
type cspTest struct {
s3Endpoint string
s3Proxy bool
s3Secure bool
expected string
actual string
}
for _, test := range []cspTest{
{
s3Endpoint: "",
s3Proxy: false,
s3Secure: false,
expected: "default-src 'self'",
},
{
s3Endpoint: "some-bucket-provider.com",
s3Proxy: false,
s3Secure: true,
expected: "default-src 'self'; image-src https://some-bucket-provider.com; media-src https://some-bucket-provider.com",
},
{
s3Endpoint: "some-bucket-provider.com:6969",
s3Proxy: false,
s3Secure: true,
expected: "default-src 'self'; image-src https://some-bucket-provider.com:6969; media-src https://some-bucket-provider.com:6969",
},
{
s3Endpoint: "some-bucket-provider.com:6969",
s3Proxy: false,
s3Secure: false,
expected: "default-src 'self'; image-src http://some-bucket-provider.com:6969; media-src http://some-bucket-provider.com:6969",
},
{
s3Endpoint: "s3.nl-ams.scw.cloud",
s3Proxy: false,
s3Secure: true,
expected: "default-src 'self'; image-src https://s3.nl-ams.scw.cloud; media-src https://s3.nl-ams.scw.cloud",
},
{
s3Endpoint: "some-bucket-provider.com",
s3Proxy: true,
s3Secure: true,
expected: "default-src 'self'",
},
{
s3Endpoint: "some-bucket-provider.com:6969",
s3Proxy: true,
s3Secure: true,
expected: "default-src 'self'",
},
{
s3Endpoint: "some-bucket-provider.com:6969",
s3Proxy: true,
s3Secure: true,
expected: "default-src 'self'",
},
{
s3Endpoint: "s3.nl-ams.scw.cloud",
s3Proxy: true,
s3Secure: true,
expected: "default-src 'self'",
},
} {
config.SetStorageS3Endpoint(test.s3Endpoint)
config.SetStorageS3Proxy(test.s3Proxy)
config.SetStorageS3UseSSL(test.s3Secure)
csp := middleware.BuildContentSecurityPolicy()
if csp != test.expected {
t.Logf("expected '%s', got '%s'", test.expected, csp)
t.Fail()
}
}
}