From 8ed83a73b8876d5f1acf0810aa683a1801f15ef6 Mon Sep 17 00:00:00 2001
From: Ilja Neumann
Date: Wed, 19 Feb 2020 16:20:09 +0100
Subject: [PATCH] Set CSP-Nonce #17

As we overwrite kopano-index handler to serve index from vfs, we need to do this manually.
---
 go.mod | 3 ++-
 pkg/service/v0/service.go | 5 ++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index 6f99764..191868c 100644
--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,8 @@ require (
 github.com/spf13/viper v1.6.1
 go.opencensus.io v0.22.2
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa
- stash.kopano.io/kc/konnect v0.28.0
+ stash.kopano.io/kc/konnect v0.28.1
+ stash.kopano.io/kgol/rndm v1.1.0
 )

 replace stash.kopano.io/kc/konnect => github.com/IljaN/konnect v0.29.0-alpha2
diff --git a/pkg/service/v0/service.go b/pkg/service/v0/service.go
index ed3f8a8..e9c7b78 100644
--- a/pkg/service/v0/service.go
+++ b/pkg/service/v0/service.go
@@ -18,6 +18,7 @@ import (
 "stash.kopano.io/kc/konnect/bootstrap"
 kcconfig "stash.kopano.io/kc/konnect/config"
 "stash.kopano.io/kc/konnect/server"
+ "stash.kopano.io/kgol/rndm"
 )

 // Service defines the extension handlers.
@@ -212,9 +213,11 @@ func (k Konnectd) Index() http.HandlerFunc {

 // TODO add environment variable to make the path prefix configurable
 pp := "/signin/v1"
-
 indexHTML := bytes.Replace(template, []byte("__PATH_PREFIX__"), []byte(pp), 1)

+ nonce := rndm.GenerateRandomString(32)
+ indexHTML = bytes.Replace(indexHTML, []byte("__CSP_NONCE__"), []byte(nonce), 1)
+
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 w.WriteHeader(http.StatusOK)
 w.Write(indexHTML)
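Review bot: The nonce in the `Index()` hunk of pkg/service/v0/service.go is generated once, when the handler is built, so every response for the lifetime of the process carries the same `__CSP_NONCE__` value; a CSP nonce only restricts injected script when it is unpredictable and fresh for each response. Move the generation and substitution into the returned closure: `nonce := rndm.GenerateRandomString(32)`, `body := bytes.Replace(indexHTML, []byte("__CSP_NONCE__"), []byte(nonce), 1)`, and then `w.Write(body)` in place of `w.Write(indexHTML)`. The hunk does not show a `Content-Security-Policy` header carrying the same value being set on the response; if that happens in middleware outside this hunk, the per-request nonce has to be shared with it rather than generated twice. The closure body continues past the end of the hunk.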