test/html is cause of xss

2025-11-08 14:35:52 +01:00 · 2015-01-30 15:32:53 +09:00
parent da55bf6af3
commit 9ba564c864
5 changed files with 16 additions and 8 deletions
--- a/src/main/scala/app/AccountController.scala
+++ b/src/main/scala/app/AccountController.scala
@@ -135,8 +135,9 @@ trait AccountControllerBase extends AccountManagementControllerBase {
  get("/:userName/_avatar"){
    val userName = params("userName")
    getAccountByUserName(userName).flatMap(_.image).map { image =>
-      contentType = FileUtil.getMimeType(image)
-      new java.io.File(getUserUploadDir(userName), image)
+      outputUploadedRawData(
+        FileUtil.getMimeType(image),
+        new java.io.File(getUserUploadDir(userName), image))
    } getOrElse {
      contentType = "image/png"
      Thread.currentThread.getContextClassLoader.getResourceAsStream("noimage.png")
--- a/src/main/scala/app/ControllerBase.scala
+++ b/src/main/scala/app/ControllerBase.scala
@@ -134,6 +134,16 @@ abstract class ControllerBase extends ScalatraFilter
    if (path.startsWith("http")) path
    else baseUrl + super.url(path, params, false, false, false)

+  /** against XSS */
+  def outputUploadedRawData[DATATYPE](contentType: String, rawData: DATATYPE): DATATYPE = {
+    if(contentType.split(";").head.trim.toLowerCase.startsWith("text/html")){
+      this.contentType = "text/plain"
+    } else {
+      this.contentType = contentType
+    }
+    response.addHeader("X-Content-Type-Options", "nosniff")
+    rawData
+  }
 }

 /**
--- a/src/main/scala/app/IssuesController.scala
+++ b/src/main/scala/app/IssuesController.scala
@@ -292,8 +292,7 @@ trait IssuesControllerBase extends ControllerBase {
    (Directory.getAttachedDir(repository.owner, repository.name) match {
      case dir if(dir.exists && dir.isDirectory) =>
        dir.listFiles.find(_.getName.startsWith(params("file") + ".")).map { file =>
-          contentType = FileUtil.getMimeType(file.getName)
-          file
+          outputUploadedRawData(FileUtil.getMimeType(file.getName), file)
        }
      case _ => None
    }) getOrElse NotFound
--- a/src/main/scala/app/RepositoryViewerController.scala
+++ b/src/main/scala/app/RepositoryViewerController.scala
@@ -214,8 +214,7 @@ trait RepositoryViewerControllerBase extends ControllerBase {
        if(raw){
          // Download
          defining(JGitUtil.getContentFromId(git, objectId, false).get){ bytes =>
-            contentType = FileUtil.getContentType(path, bytes)
-            bytes
+            outputUploadedRawData(FileUtil.getContentType(path, bytes), bytes)
          }
        } else {
          repo.html.blob(id, repository, path.split("/").toList, JGitUtil.getContentInfo(git, path, objectId),
--- a/src/main/scala/app/WikiController.scala
+++ b/src/main/scala/app/WikiController.scala
@@ -164,8 +164,7 @@ trait WikiControllerBase extends ControllerBase {
    val path = multiParams("splat").head

    getFileContent(repository.owner, repository.name, path).map { bytes =>
-      contentType = FileUtil.getContentType(path, bytes)
-      bytes
+      outputUploadedRawData(FileUtil.getContentType(path, bytes), bytes)
    } getOrElse NotFound
  })