chore: add skipper for secure (#913)

2024-12-26 23:22:47 +08:00 · 2023-01-07 10:51:34 +08:00 · 2023-01-07 10:51:34 +08:00 · 46c13a4b7f
commit 46c13a4b7f
parent 96798e10b4
8 changed files with 74 additions and 6 deletions
--- a/server/common.go
+++ b/server/common.go
@ -1,6 +1,8 @@
 package server

 import (
+	"net/http"
+
 	"github.com/labstack/echo/v4"
 	"github.com/usememos/memos/api"
 	"github.com/usememos/memos/common"
@ -16,6 +18,10 @@ func composeResponse(data interface{}) response {
 	}
 }

+func DefaultGetRequestSkipper(c echo.Context) bool {
+	return c.Request().Method == http.MethodGet
+}
+
 func (server *Server) DefaultAuthSkipper(c echo.Context) bool {
 	ctx := c.Request().Context()
 	path := c.Path()
--- a/server/resource.go
+++ b/server/resource.go
@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"

 	"github.com/pkg/errors"
@ -266,7 +267,11 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch resource ID: %v", resourceID)).SetInternal(err)
 		}

-		c.Response().Writer.Header().Set("Content-Type", resource.Type)
+		if strings.HasPrefix(resource.Type, "text") || strings.HasPrefix(resource.Type, "application") {
+			c.Response().Writer.Header().Set("Content-Type", echo.MIMETextPlain)
+		} else {
+			c.Response().Writer.Header().Set("Content-Type", resource.Type)
+		}
 		c.Response().Writer.WriteHeader(http.StatusOK)
 		c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
 		c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'")
--- a/server/server.go
+++ b/server/server.go
@ -64,7 +64,13 @@ func NewServer(ctx context.Context, profile *profile.Profile) (*Server, error) {

 	e.Use(middleware.CORS())

-	e.Use(middleware.Secure())
+	e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
+		Skipper:            DefaultGetRequestSkipper,
+		XSSProtection:      "1; mode=block",
+		ContentTypeNosniff: "nosniff",
+		XFrameOptions:      "SAMEORIGIN",
+		HSTSPreloadEnabled: false,
+	}))

 	e.Use(middleware.TimeoutWithConfig(middleware.TimeoutConfig{
 		Skipper:      middleware.DefaultSkipper,
--- a/server/version/version.go
+++ b/server/version/version.go
@ -7,10 +7,10 @@ import (

 // Version is the service current released version.
 // Semantic versioning: https://semver.org/
-var Version = "0.9.1"
+var Version = "0.10.0"

 // DevVersion is the service current development version.
-var DevVersion = "0.9.1"
+var DevVersion = "0.10.0"

 func GetCurrentVersion(mode string) string {
 	if mode == "dev" {
@ -29,7 +29,6 @@ func GetMinorVersion(version string) string {

 func GetSchemaVersion(version string) string {
 	minorVersion := GetMinorVersion(version)
-
 	return minorVersion + ".0"
 }

--- a/server/version/version_test.go
+++ b/server/version/version_test.go
@ -0,0 +1,33 @@
+package version
+
+import "testing"
+
+func TestIsVersionGreaterOrEqualThan(t *testing.T) {
+	tests := []struct {
+		version string
+		target  string
+		want    bool
+	}{
+		{
+			version: "0.9.1",
+			target:  "0.9.1",
+			want:    true,
+		},
+		{
+			version: "0.10.0",
+			target:  "0.9.1",
+			want:    true,
+		},
+		{
+			version: "0.9.0",
+			target:  "0.9.1",
+			want:    false,
+		},
+	}
+	for _, test := range tests {
+		result := IsVersionGreaterOrEqualThan(test.version, test.target)
+		if result != test.want {
+			t.Errorf("got result %v, want %v.", result, test.want)
+		}
+	}
+}
--- a/store/db/migration/prod/0.10/00__activity.sql
+++ b/store/db/migration/prod/0.10/00__activity.sql
@ -0,0 +1,9 @@
+-- activity
+CREATE TABLE activity (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  creator_id INTEGER NOT NULL,
+  created_ts BIGINT NOT NULL DEFAULT (strftime('%s', 'now')),
+  type TEXT NOT NULL DEFAULT '',
+  level TEXT NOT NULL CHECK (level IN ('INFO', 'WARN', 'ERROR')) DEFAULT 'INFO',
+  payload TEXT NOT NULL DEFAULT '{}'
+);
--- a/store/db/migration/prod/LATEST__SCHEMA.sql
+++ b/store/db/migration/prod/LATEST__SCHEMA.sql
@ -93,3 +93,13 @@ CREATE TABLE tag (
  creator_id INTEGER NOT NULL,
  UNIQUE(name, creator_id)
 );
+
+-- activity
+CREATE TABLE activity (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  creator_id INTEGER NOT NULL,
+  created_ts BIGINT NOT NULL DEFAULT (strftime('%s', 'now')),
+  type TEXT NOT NULL DEFAULT '',
+  level TEXT NOT NULL CHECK (level IN ('INFO', 'WARN', 'ERROR')) DEFAULT 'INFO',
+  payload TEXT NOT NULL DEFAULT '{}'
+);
--- a/web/src/components/EmbedMemoDialog.tsx
+++ b/web/src/components/EmbedMemoDialog.tsx
@ -34,7 +34,7 @@ const EmbedMemoDialog: React.FC<Props> = (props: Props) => {
          <code className="w-full break-all whitespace-pre-wrap">{memoEmbeddedCode()}</code>
        </pre>
        <p className="w-full text-sm leading-6 flex flex-row justify-between items-center mt-2">
-          * Only the public memo supports.
+          <span className="italic opacity-80">* Only the public memo supports.</span>
          <span className="btn-primary" onClick={handleCopyCode}>
            Copy
          </span>