fix(media): use csp instead of modifying content-type

2024-06-03 21:35:20 +01:00 · 2024-06-03 21:35:20 +01:00 · 1dbb3433e0
commit 1dbb3433e0
parent 7b19618136
2 changed files with 24 additions and 24 deletions
--- a/src/api/client_server/media.rs
+++ b/src/api/client_server/media.rs
@ -22,14 +22,6 @@ pub async fn get_media_config_route(
    })
 }

-fn sanitize_content_type(content_type: String) -> String {
-    if content_type == "image/jpeg" || content_type == "image/png" {
-        content_type
-    } else {
-        "application/octet-stream".to_owned()
-    }
-}
-
 /// # `POST /_matrix/media/r0/upload`
 ///
 /// Permanently save media in the server.
@ -108,13 +100,13 @@ pub async fn get_content_route(

    if let Some(FileMeta {
        content_disposition,
+        content_type,
        file,
-        ..
    }) = services().media.get(mxc.clone()).await?
    {
        Ok(get_content::v3::Response {
            file,
-            content_type: Some("application/octet-stream".to_owned()),
+            content_type,
            content_disposition,
            cross_origin_resource_policy: Some("cross-origin".to_owned()),
        })
@ -124,7 +116,7 @@ pub async fn get_content_route(

        Ok(get_content::v3::Response {
            content_disposition: remote_content_response.content_disposition,
-            content_type: Some("application/octet-stream".to_owned()),
+            content_type: remote_content_response.content_type,
            file: remote_content_response.file,
            cross_origin_resource_policy: Some("cross-origin".to_owned()),
        })
@ -143,10 +135,13 @@ pub async fn get_content_as_filename_route(
 ) -> Result<get_content_as_filename::v3::Response> {
    let mxc = format!("mxc://{}/{}", body.server_name, body.media_id);

-    if let Some(FileMeta { file, .. }) = services().media.get(mxc.clone()).await? {
+    if let Some(FileMeta {
+        file, content_type, ..
+    }) = services().media.get(mxc.clone()).await?
+    {
        Ok(get_content_as_filename::v3::Response {
            file,
-            content_type: Some("application/octet-stream".to_owned()),
+            content_type,
            content_disposition: Some(format!("inline; filename={}", body.filename)),
            cross_origin_resource_policy: Some("cross-origin".to_owned()),
        })
@ -156,7 +151,7 @@ pub async fn get_content_as_filename_route(

        Ok(get_content_as_filename::v3::Response {
            content_disposition: Some(format!("inline: filename={}", body.filename)),
-            content_type: Some("application/octet-stream".to_owned()),
+            content_type: remote_content_response.content_type,
            file: remote_content_response.file,
            cross_origin_resource_policy: Some("cross-origin".to_owned()),
        })
@ -192,11 +187,11 @@ pub async fn get_content_thumbnail_route(
    {
        Ok(get_content_thumbnail::v3::Response {
            file,
-            content_type: content_type.map(sanitize_content_type),
+            content_type,
            cross_origin_resource_policy: Some("cross-origin".to_owned()),
        })
    } else if &*body.server_name != services().globals.server_name() && body.allow_remote {
-        let mut get_thumbnail_response = services()
+        let get_thumbnail_response = services()
            .sending
            .send_federation_request(
                &body.server_name,
@ -225,10 +220,6 @@ pub async fn get_content_thumbnail_route(
            )
            .await?;

-        get_thumbnail_response.content_type = get_thumbnail_response
-            .content_type
-            .map(sanitize_content_type);
-
        Ok(get_thumbnail_response)
    } else {
        Err(Error::BadRequest(ErrorKind::NotFound, "Media not found."))
--- a/src/main.rs
+++ b/src/main.rs
@ -2,7 +2,8 @@ use std::{future::Future, io, net::SocketAddr, sync::atomic, time::Duration};

 use axum::{
    extract::{DefaultBodyLimit, FromRequestParts, MatchedPath},
-    response::IntoResponse,
+    middleware::map_response,
+    response::{IntoResponse, Response},
    routing::{any, get, on, MethodFilter},
    Router,
 };
@ -13,7 +14,7 @@ use figment::{
    Figment,
 };
 use http::{
-    header::{self, HeaderName},
+    header::{self, HeaderName, CONTENT_SECURITY_POLICY},
    Method, StatusCode, Uri,
 };
 use ruma::api::{
@ -141,6 +142,13 @@ async fn main() {
    }
 }

+/// Adds additional headers to prevent any potential XSS attacks via the media repo
+async fn set_csp_header(response: Response) -> impl IntoResponse {
+    (
+        [(CONTENT_SECURITY_POLICY, "sandbox; default-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self';")], response
+    )
+}
+
 async fn run_server() -> io::Result<()> {
    let config = &services().globals.config;
    let addr = SocketAddr::from((config.address, config.port));
@ -181,6 +189,7 @@ async fn run_server() -> io::Result<()> {
                ])
                .max_age(Duration::from_secs(86400)),
        )
+        .layer(map_response(set_csp_header))
        .layer(DefaultBodyLimit::max(
            config
                .max_request_size
@ -219,7 +228,7 @@ async fn run_server() -> io::Result<()> {
 async fn spawn_task<B: Send + 'static>(
    req: http::Request<B>,
    next: axum::middleware::Next<B>,
-) -> std::result::Result<axum::response::Response, StatusCode> {
+) -> std::result::Result<Response, StatusCode> {
    if services().globals.shutdown.load(atomic::Ordering::Relaxed) {
        return Err(StatusCode::SERVICE_UNAVAILABLE);
    }
@ -231,7 +240,7 @@ async fn spawn_task<B: Send + 'static>(
 async fn unrecognized_method<B: Send>(
    req: http::Request<B>,
    next: axum::middleware::Next<B>,
-) -> std::result::Result<axum::response::Response, StatusCode> {
+) -> std::result::Result<Response, StatusCode> {
    let method = req.method().clone();
    let uri = req.uri().clone();
    let inner = next.run(req).await;