Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-28 13:18:49 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Security Fix JVN#74210258: Stored XSS.

Browse source 
Thanks to Ryoya Koyama of Mitsui Bussan Secure Directions, Inc and xet7 !
This commit is contained in:
Lauri Ojansivu 2025-10-10 23:06:06 +03:00
parent 2e91a359f5
commit e1fa607f87
4 changed files with 60 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

16
models/lib/httpStream.js
View file

@ -17,12 +17,26 @@ export const httpStreamOutput = function(readStream, name, http, downloadFlag, c
if (cacheControl) {
http.response.setHeader('Cache-Control', cacheControl);
}
// Set Content-Disposition header
http.response.setHeader('Content-Disposition', getContentDisposition(name, http?.params?.query?.download));
// Add security headers to prevent XSS attacks
const isSvgFile = name && name.toLowerCase().endsWith('.svg');
if (isSvgFile) {
// For SVG files, add strict CSP to prevent script execution
http.response.setHeader('Content-Security-Policy', "default-src 'none'; script-src 'none'; object-src 'none';");
http.response.setHeader('X-Content-Type-Options', 'nosniff');
http.response.setHeader('X-Frame-Options', 'DENY');
}
};
/** will initiate download, if links are called with ?download="true" queryparam */
const getContentDisposition = (name, downloadFlag) => {
const dispositionType = downloadFlag === 'true' ? 'attachment;' : 'inline;';
// Force attachment disposition for SVG files to prevent XSS attacks
const isSvgFile = name && name.toLowerCase().endsWith('.svg');
const forceAttachment = isSvgFile || downloadFlag === 'true';
const dispositionType = forceAttachment ? 'attachment;' : 'inline;';
const encodedName = encodeURIComponent(name);
const dispositionName = `filename="${encodedName}"; filename=*UTF-8"${encodedName}";`;