nodejs/hookshot
nodejs/hookshot
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-hookshot.git synced 2025-03-10 21:19:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Apply CSPs to generic hook responses. (#926)

Browse Source 
* Add CSPs to generic hook response.

* changelog

* Apply suggestions from code review

Co-authored-by: davidegirardi <16451191+davidegirardi@users.noreply.github.com>
Signed-off-by: Will Hunt <github@half-shot.uk>

---------

Signed-off-by: Will Hunt <github@half-shot.uk>
Co-authored-by: davidegirardi <16451191+davidegirardi@users.noreply.github.com>
This commit is contained in:
Will Hunt 2024-04-16 22:06:33 +01:00 committed by GitHub
parent ff200114a6
commit 45060f2b58
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
changelog.d/926.bugfix Normal file
View File

@ -0,0 +1 @@
Ensure generic webhooks have appropriate Content-Security-Policy headers.

1
package.json
View File

@ -55,6 +55,7 @@
"cors": "^2.8.5", "cors": "^2.8.5",
"express": "^4.18.2", "express": "^4.18.2",
"figma-js": "^1.14.0", "figma-js": "^1.14.0",
"helmet": "^7.1.0",
"http-status-codes": "^2.2.0", "http-status-codes": "^2.2.0",
"ioredis": "^5.2.3", "ioredis": "^5.2.3",
"jira-client": "^8.2.2", "jira-client": "^8.2.2",

12
src/generic/Router.ts
View File

@ -4,6 +4,7 @@ import { Logger } from "matrix-appservice-bridge";
import { ApiError, ErrCode } from "../api"; import { ApiError, ErrCode } from "../api";
import { GenericWebhookEvent, GenericWebhookEventResult } from "./types"; import { GenericWebhookEvent, GenericWebhookEventResult } from "./types";
import * as xml from "xml2js"; import * as xml from "xml2js";
import helmet, { crossOriginOpenerPolicy } from "helmet";
const WEBHOOK_RESPONSE_TIMEOUT = 5000; const WEBHOOK_RESPONSE_TIMEOUT = 5000;
@ -83,6 +84,17 @@ export class GenericWebhooksRouter {
const router = Router(); const router = Router();
router.all( router.all(
'/:hookId', '/:hookId',
helmet({
contentSecurityPolicy: {
useDefaults: true,
directives: {
defaultSrc: "'self'",
sandbox: ''
}
},
xFrameOptions: { action: 'deny'},
crossOriginResourcePolicy: { policy: 'same-site'} ,
}),
GenericWebhooksRouter.xmlHandler, GenericWebhooksRouter.xmlHandler,
express.urlencoded({ extended: false }), express.urlencoded({ extended: false }),
express.json(), express.json(),

5
yarn.lock
View File

@ -4490,6 +4490,11 @@ he@1.2.0, he@^1.2.0:
resolved "https://registry.yarnpkg.com/he/-/he-1.2.0.tgz#84ae65fa7eafb165fddb61566ae14baf05664f0f" resolved "https://registry.yarnpkg.com/he/-/he-1.2.0.tgz#84ae65fa7eafb165fddb61566ae14baf05664f0f"
integrity sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw== integrity sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==
helmet@^7.1.0:
version "7.1.0"
resolved "https://registry.yarnpkg.com/helmet/-/helmet-7.1.0.tgz#287279e00f8a3763d5dccbaf1e5ee39b8c3784ca"
integrity sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg==
homerunner-client@^1.0.0: homerunner-client@^1.0.0:
version "1.0.0" version "1.0.0"
resolved "https://registry.yarnpkg.com/homerunner-client/-/homerunner-client-1.0.0.tgz#fa535d7aa5d84ff5b1c0e9b116bd3a6bc12bf4df" resolved "https://registry.yarnpkg.com/homerunner-client/-/homerunner-client-1.0.0.tgz#fa535d7aa5d84ff5b1c0e9b116bd3a6bc12bf4df"