chore: add skipper for secure (#913)

2025-06-05 22:09:59 +02:00 · 2023-01-07 10:51:34 +08:00
parent 96798e10b4
commit 46c13a4b7f
8 changed files with 74 additions and 6 deletions
--- a/server/common.go
+++ b/server/common.go
@ -1,6 +1,8 @@
 package server

 import (
+	"net/http"
+
 	"github.com/labstack/echo/v4"
 	"github.com/usememos/memos/api"
 	"github.com/usememos/memos/common"
@ -16,6 +18,10 @@ func composeResponse(data interface{}) response {
 	}
 }

+func DefaultGetRequestSkipper(c echo.Context) bool {
+	return c.Request().Method == http.MethodGet
+}
+
 func (server *Server) DefaultAuthSkipper(c echo.Context) bool {
 	ctx := c.Request().Context()
 	path := c.Path()
--- a/server/resource.go
+++ b/server/resource.go
@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"

 	"github.com/pkg/errors"
@ -266,7 +267,11 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch resource ID: %v", resourceID)).SetInternal(err)
 		}

-		c.Response().Writer.Header().Set("Content-Type", resource.Type)
+		if strings.HasPrefix(resource.Type, "text") || strings.HasPrefix(resource.Type, "application") {
+			c.Response().Writer.Header().Set("Content-Type", echo.MIMETextPlain)
+		} else {
+			c.Response().Writer.Header().Set("Content-Type", resource.Type)
+		}
 		c.Response().Writer.WriteHeader(http.StatusOK)
 		c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
 		c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'")
--- a/server/server.go
+++ b/server/server.go
@ -64,7 +64,13 @@ func NewServer(ctx context.Context, profile *profile.Profile) (*Server, error) {

 	e.Use(middleware.CORS())

-	e.Use(middleware.Secure())
+	e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
+		Skipper:            DefaultGetRequestSkipper,
+		XSSProtection:      "1; mode=block",
+		ContentTypeNosniff: "nosniff",
+		XFrameOptions:      "SAMEORIGIN",
+		HSTSPreloadEnabled: false,
+	}))

 	e.Use(middleware.TimeoutWithConfig(middleware.TimeoutConfig{
 		Skipper:      middleware.DefaultSkipper,
--- a/server/version/version.go
+++ b/server/version/version.go
@ -7,10 +7,10 @@ import (

 // Version is the service current released version.
 // Semantic versioning: https://semver.org/
-var Version = "0.9.1"
+var Version = "0.10.0"

 // DevVersion is the service current development version.
-var DevVersion = "0.9.1"
+var DevVersion = "0.10.0"

 func GetCurrentVersion(mode string) string {
 	if mode == "dev" {
@ -29,7 +29,6 @@ func GetMinorVersion(version string) string {

 func GetSchemaVersion(version string) string {
 	minorVersion := GetMinorVersion(version)
-
 	return minorVersion + ".0"
 }

--- a/server/version/version_test.go
+++ b/server/version/version_test.go
@ -0,0 +1,33 @@
+package version
+
+import "testing"
+
+func TestIsVersionGreaterOrEqualThan(t *testing.T) {
+	tests := []struct {
+		version string
+		target  string
+		want    bool
+	}{
+		{
+			version: "0.9.1",
+			target:  "0.9.1",
+			want:    true,
+		},
+		{
+			version: "0.10.0",
+			target:  "0.9.1",
+			want:    true,
+		},
+		{
+			version: "0.9.0",
+			target:  "0.9.1",
+			want:    false,
+		},
+	}
+	for _, test := range tests {
+		result := IsVersionGreaterOrEqualThan(test.version, test.target)
+		if result != test.want {
+			t.Errorf("got result %v, want %v.", result, test.want)
+		}
+	}
+}