From 1e2db7a32f72ee01497a08c67e6f7f507890ee71 Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Sun, 20 Aug 2023 13:35:55 +0200
Subject: [feature/bugfix] Probe S3 storage for CSP uri, add config flag for extra URIs (#2134)

* [feature/bugfix] Probe S3 storage for CSP uri, add config flag for extra URIs

* env parsing tests, my coy mistress
---
 cmd/gotosocial/action/server/server.go | 23 +++++++++++++++++++++++
 cmd/gotosocial/action/testrig/testrig.go | 30 ++++++++++++++++++++++++++++--
 2 files changed, 51 insertions(+), 2 deletions(-)
(limited to 'cmd')

diff --git a/cmd/gotosocial/action/server/server.go b/cmd/gotosocial/action/server/server.go
index eb76b8f43..e966c46be 100644
--- a/cmd/gotosocial/action/server/server.go
+++ b/cmd/gotosocial/action/server/server.go
@@ -204,6 +204,29 @@ var Start action.GTSAction = func(ctx context.Context) error {
 middleware.ExtraHeaders(),
 }...)
 
+ // Instantiate Content-Security-Policy
+ // middleware, with extra URIs.
+ cspExtraURIs := make([]string, 0)
+
+ // Probe storage to check if extra URI is needed in CSP.
+ // Error here means something is wrong with storage.
+ storageCSPUri, err := state.Storage.ProbeCSPUri(ctx)
+ if err != nil {
+ return fmt.Errorf("error deriving Content-Security-Policy uri from storage: %w", err)
+ }
+
+ // storageCSPUri may be empty string if
+ // not S3-backed storage; check for this.
+ if storageCSPUri != "" {
+ cspExtraURIs = append(cspExtraURIs, storageCSPUri)
+ }
+
+ // Add any extra CSP URIs from config.
+ cspExtraURIs = append(cspExtraURIs, config.GetAdvancedCSPExtraURIs()...)
+
+ // Add CSP to middlewares.
+ middlewares = append(middlewares, middleware.ContentSecurityPolicy(cspExtraURIs...))
+
 // attach global middlewares which are used for every request
 router.AttachGlobalMiddleware(middlewares...)
 
diff --git a/cmd/gotosocial/action/testrig/testrig.go b/cmd/gotosocial/action/testrig/testrig.go
index 8f55c4b4a..ccf92a971 100644
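Review bot: The extra CSP sources returned by `config.GetAdvancedCSPExtraURIs()` are appended to the policy without any validation, so a config entry containing `;`, whitespace or a bare `*` would be serialised straight into the `Content-Security-Policy` header and could add directives or widen the policy rather than merely allow one more origin; `middleware.ContentSecurityPolicy` is not visible in this hunk and may already reject such values, but if it does not, a fail-fast check at startup like the loop below is cheap. The same 23-line block is duplicated verbatim in the testrig.go hunk at `@@ -136,6 +140,29 @@`, which argues for a shared helper that takes the storage and returns the URI list so the two cannot drift apart. Logging the final `cspExtraURIs` at startup would also let operators confirm what the effective policy allows. `Start` begins and ends outside this hunk.
```go
	// Add any extra CSP URIs from config; reject entries that would break
	// or extend the header (a CSP source cannot contain ';' or whitespace).
	for _, uri := range config.GetAdvancedCSPExtraURIs() {
		if uri == "" || strings.ContainsAny(uri, "; \t\r\n") {
			return fmt.Errorf("invalid extra Content-Security-Policy uri from config: %q", uri)
		}
		cspExtraURIs = append(cspExtraURIs, uri)
	}
	// … unchanged: append middleware.ContentSecurityPolicy(cspExtraURIs...) to middlewares …
```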
--- a/cmd/gotosocial/action/testrig/testrig.go
+++ b/cmd/gotosocial/action/testrig/testrig.go
@@ -70,7 +70,11 @@ var Start action.GTSAction = func(ctx context.Context) error {
 testrig.StandardDBSetup(state.DB, nil)
 
 if os.Getenv("GTS_STORAGE_BACKEND") == "s3" {
- state.Storage, _ = storage.NewS3Storage()
+ var err error
+ state.Storage, err = storage.NewS3Storage()
+ if err != nil {
+ return fmt.Errorf("error initializing storage: %w", err)
+ }
 } else {
 state.Storage = testrig.NewInMemoryStorage()
 }
@@ -136,6 +140,29 @@ var Start action.GTSAction = func(ctx context.Context) error {
 middleware.ExtraHeaders(),
 }...)
 
+ // Instantiate Content-Security-Policy
+ // middleware, with extra URIs.
+ cspExtraURIs := make([]string, 0)
+
+ // Probe storage to check if extra URI is needed in CSP.
+ // Error here means something is wrong with storage.
+ storageCSPUri, err := state.Storage.ProbeCSPUri(ctx)
+ if err != nil {
+ return fmt.Errorf("error deriving Content-Security-Policy uri from storage: %w", err)
+ }
+
+ // storageCSPUri may be empty string if
+ // not S3-backed storage; check for this.
+ if storageCSPUri != "" {
+ cspExtraURIs = append(cspExtraURIs, storageCSPUri)
+ }
+
+ // Add any extra CSP URIs from config.
+ cspExtraURIs = append(cspExtraURIs, config.GetAdvancedCSPExtraURIs()...)
+
+ // Add CSP to middlewares.
+ middlewares = append(middlewares, middleware.ContentSecurityPolicy(cspExtraURIs...))
+
 // attach global middlewares which are used for every request
 router.AttachGlobalMiddleware(middlewares...)
 
@@ -146,7 +173,6 @@ var Start action.GTSAction = func(ctx context.Context) error {
 
 // build router modules
 var idp oidc.IDP
- var err error
 if config.GetOIDCEnabled() {
 idp, err = oidc.NewIDP(ctx)
 if err != nil {
-- cgit v1.2.3
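Review bot: The new error return in the `"s3"` branch wraps with the generic `error initializing storage`, although this branch is specifically the S3 backend selected via `GTS_STORAGE_BACKEND`; naming the backend makes the startup failure self-explanatory, e.g. `return fmt.Errorf("error initializing s3 storage: %w", err)`. The `err` declared here is scoped to the `if` block, so it does not collide with the `storageCSPUri, err :=` declaration that the `@@ -136,6 +140,29 @@` hunk introduces at function scope, and which the `@@ -146,7 +173,6 @@` hunk now silently depends on by dropping `var err error`; a one-line comment at that later site such as `// err declared above by the CSP storage probe.` would make that dependency explicit for the next person who reorders the setup. `Start` begins and ends outside this hunk.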