

CVE-2023-0112: chore: add skipper for secure (#913) · usememos/memos@46c13a4

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.


@@ -1,6 +1,8 @@

package server

import (

“net/http”

“github.com/labstack/echo/v4”

“github.com/usememos/memos/api”

“github.com/usememos/memos/common”

@@ -16,6 +18,10 @@ func composeResponse(data interface{}) response {

}

}

func DefaultGetRequestSkipper(c echo.Context) bool {

return c.Request().Method == http.MethodGet

}

func (server *Server) DefaultAuthSkipper(c echo.Context) bool {

ctx := c.Request().Context()

path := c.Path()
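Review bot: DefaultGetRequestSkipper is exported and is handed to a middleware as its Skipper, but carries no doc comment, so a reader of NewServer cannot see from the name that it switches a whole middleware off for every GET. A one-line comment stating the consequence rather than the mechanics would help: `// DefaultGetRequestSkipper reports whether c is a GET request; any middleware configured with it is bypassed for all GET responses.` DefaultAuthSkipper's body continues past the end of the hunk.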

@@ -7,6 +7,7 @@ import (

“net/http”

“net/url”

“strconv”

“strings”

“time”

“github.com/pkg/errors”

@@ -266,7 +267,11 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) {

return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch resource ID: %v", resourceID)).SetInternal(err)

}

c.Response().Writer.Header().Set("Content-Type", resource.Type)

if strings.HasPrefix(resource.Type, “text”) || strings.HasPrefix(resource.Type, “application”) {

c.Response().Writer.Header().Set("Content-Type", echo.MIMETextPlain)

} else {

c.Response().Writer.Header().Set("Content-Type", resource.Type)

}

c.Response().Writer.WriteHeader(http.StatusOK)

c.Response().Writer.Header().Set(echo.HeaderCacheControl, “max-age=31536000, immutable”)

c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, “default-src 'self’”)
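Review bot: The Cache-Control and Content-Security-Policy headers at the end of the hunk are set after `c.Response().Writer.WriteHeader(http.StatusOK)`; net/http discards any header modified once WriteHeader has been called, so if the printed order is the real one the CSP that is meant to back up the text/plain downgrade never reaches the client, and the WriteHeader line should move below the two Set calls. The new prefix check is also case-sensitive: `strings.HasPrefix(resource.Type, "text")` leaves a stored type with different casing (e.g. `Text/html`) on its original Content-Type, so test against `strings.ToLower(resource.Type)` instead. Because resource.Type is stored user input and the Secure middleware is skipped for GET requests elsewhere in this commit, setting `X-Content-Type-Options: nosniff` explicitly on this response would also be worth doing here. The enclosing route handler starts outside the hunk.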

@@ -64,7 +64,13 @@ func NewServer(ctx context.Context, profile *profile.Profile) (*Server, error) {

e.Use(middleware.CORS())

e.Use(middleware.Secure())

e.Use(middleware.SecureWithConfig(middleware.SecureConfig{

Skipper: DefaultGetRequestSkipper,

XSSProtection: "1; mode=block",

ContentTypeNosniff: "nosniff",

XFrameOptions: "SAMEORIGIN",

HSTSPreloadEnabled: false,

}))

e.Use(middleware.TimeoutWithConfig(middleware.TimeoutConfig{

Skipper: middleware.DefaultSkipper,
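Review bot: `Skipper: DefaultGetRequestSkipper` turns the Secure middleware off for every GET request, so X-Frame-Options, X-Content-Type-Options and X-XSS-Protection are no longer sent on exactly the responses a browser renders (the SPA and resource downloads) while they are still added to POST/PATCH responses where they matter far less. If the intent is only to let the resource route manage its own headers, the skipper should match that route rather than the method, for example `Skipper: func(c echo.Context) bool { return strings.HasPrefix(c.Path(), "<resource route prefix>") }`. The skipper itself is defined in the second hunk of this commit, and NewServer's body continues outside the hunk.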

@@ -7,10 +7,10 @@ import (

// Version is the service current released version.

// Semantic versioning: https://semver.org/

var Version = “0.9.1”

var Version = “0.10.0”

// DevVersion is the service current development version.

var DevVersion = “0.9.1”

var DevVersion = “0.10.0”

func GetCurrentVersion(mode string) string {

if mode == “dev” {

@@ -29,7 +29,6 @@ func GetMinorVersion(version string) string {

func GetSchemaVersion(version string) string {

minorVersion := GetMinorVersion(version)

return minorVersion + “.0”

}

@@ -0,0 +1,33 @@

package version

import “testing”

func TestIsVersionGreaterOrEqualThan(t *testing.T) {

tests := []struct {

version string

target string

want bool

}{

{

version: "0.9.1",

target: "0.9.1",

want: true,

},

{

version: "0.10.0",

target: "0.9.1",

want: true,

},

{

version: "0.9.0",

target: "0.9.1",

want: false,

},

}

for _, test := range tests {

result := IsVersionGreaterOrEqualThan(test.version, test.target)

if result != test.want {

t.Errorf("got result %v, want %v.", result, test.want)

}

}

}

@@ -0,0 +1,9 @@

– activity

CREATE TABLE activity (

id INTEGER PRIMARY KEY AUTOINCREMENT,

creator_id INTEGER NOT NULL,

created_ts BIGINT NOT NULL DEFAULT (strftime('%s’, ‘now’)),

type TEXT NOT NULL DEFAULT '’,

level TEXT NOT NULL CHECK (level IN ('INFO’, 'WARN’, ‘ERROR’)) DEFAULT 'INFO’,

payload TEXT NOT NULL DEFAULT ‘{}’

);

@@ -93,3 +93,13 @@ CREATE TABLE tag (

creator_id INTEGER NOT NULL,

UNIQUE(name, creator_id)

);

– activity

CREATE TABLE activity (

id INTEGER PRIMARY KEY AUTOINCREMENT,

creator_id INTEGER NOT NULL,

created_ts BIGINT NOT NULL DEFAULT (strftime('%s’, ‘now’)),

type TEXT NOT NULL DEFAULT '’,

level TEXT NOT NULL CHECK (level IN ('INFO’, 'WARN’, ‘ERROR’)) DEFAULT 'INFO’,

payload TEXT NOT NULL DEFAULT ‘{}’

);

@@ -34,7 +34,7 @@ const EmbedMemoDialog: React.FC<Props> = (props: Props) => {

<code className="w-full break-all whitespace-pre-wrap">{memoEmbeddedCode()}</code>

</pre>

<p className="w-full text-sm leading-6 flex flex-row justify-between items-center mt-2">

* Only the public memo supports.

<span className="italic opacity-80">* Only the public memo supports.</span>

<span className="btn-primary" onClick={handleCopyCode}>

Copy

</span>

