From 780a59c908819b53b33dce66f35526944ace3ec4 Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]" <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Thu, 21 Nov 2024 09:58:42 +0100
Subject: [PATCH] internal: add CSP header to files in `/media` (cherry-pick #12092) (#12108)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

internal: add CSP header to files in `/media` (#12092)

add CSP header to files in `/media`

This fixes a security issue of stored cross-site scripting via embedding JavaScript in SVG files by a malicious user with `can_save_media` capability.

This can be exploited if:

- the uploaded file is served from the same origin as authentik, and
- the user opens the uploaded file directly in their browser

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Jens L.
---
 internal/web/static.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/internal/web/static.go b/internal/web/static.go
index 617c94578f..650e38b058 100644
--- a/internal/web/static.go
+++ b/internal/web/static.go
@@ -42,8 +42,11 @@ func (ws *WebServer) configureStatic() {
 
 	// Media files, if backend is file
 	if config.Get().Storage.Media.Backend == "file" {
-		fsMedia := http.FileServer(http.Dir(config.Get().Storage.Media.File.Path))
-		staticRouter.PathPrefix("/media/").Handler(http.StripPrefix("/media", fsMedia))
+		fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)))
+		staticRouter.PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
+			fsMedia.ServeHTTP(w, r)
+		})
 	}
 
 	staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/"))))
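Review bot: The new `/media/` handler sets a Content-Security-Policy but not `X-Content-Type-Options: nosniff`, so for an uploaded file whose extension does not map to a known type the browser may still sniff the body into an HTML document, leaving the CSP as the only layer between the file and script execution; adding `w.Header().Set("X-Content-Type-Options", "nosniff")` directly below the CSP line is a cheap second layer that also stops the same sniffing for files fetched as subresources. The directive string is dense enough to deserve a why-comment above it, e.g. `// user-uploaded media (SVG in particular) must never execute script when opened directly; sandbox plus default-src 'none' blocks that, style-src keeps inline SVG styling working`. Because the header is only attached inside the `Backend == "file"` branch, the same protection has to come from the object-store configuration for any other backend, which is worth stating in the comment on the `if`. configureStatic begins before and continues after this hunk.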