9 месяцев назад · e436483040
--- a/apps/app/src/server/crowi/express-init.js
+++ b/apps/app/src/server/crowi/express-init.js
@@ -3,6 +3,7 @@ import csrf from 'csurf';
 
				 import qs from 'qs';
			
 
				 
			
 
				 import { PLUGIN_EXPRESS_STATIC_DIR, PLUGIN_STORING_PATH } from '~/features/growi-plugin/server/consts';
			
 
				+import registerCertifyOrigin from '~/server/middlewares/certify-origin';
			
 
				 import loggerFactory from '~/utils/logger';
			
 
				 import { resolveFromRoot } from '~/utils/project-dir-utils';
			
 
				 
			
@@ -26,7 +27,7 @@ module.exports = function(crowi, app) {
 
				   const registerSafeRedirect = registerSafeRedirectFactory();
			
 
				   const injectCurrentuserToLocalvars = require('../middlewares/inject-currentuser-to-localvars')();
			
 
				   const autoReconnectToS2sMsgServer = require('../middlewares/auto-reconnect-to-s2s-msg-server')(crowi);
			
 
				-
			
 
				+  const certifyOrigin = registerCertifyOrigin(crowi);
			
 
				   const avoidSessionRoutes = require('../routes/avoid-session-routes');
			
 
				 
			
 
				   const env = crowi.node_env;
			
@@ -123,6 +124,8 @@ module.exports = function(crowi, app) {
 
				   // default methods + PUT. See: https://expressjs.com/en/resources/middleware/csurf.html#ignoremethods
			
 
				   app.use(csrf({ ignoreMethods: ['GET', 'HEAD', 'OPTIONS', 'PUT', 'POST', 'DELETE'], cookie: false }));
			
 
				 
			
 
				+  app.use(certifyOrigin);
			
 
				+
			
 
				   // passport
			
 
				   logger.debug('initialize Passport');
			
 
				   app.use(passport.initialize());
			
--- a/apps/app/src/server/middlewares/access-token-parser/interfaces.ts
+++ b/apps/app/src/server/middlewares/access-token-parser/interfaces.ts
@@ -11,4 +11,5 @@ type ReqBody = {
 
				 
			
 
				 export interface AccessTokenParserReq extends Request<undefined, undefined, ReqBody, ReqQuery> {
			
 
				   user?: IUserSerializedSecurely<IUserHasId>,
			
 
				+  isSameOriginReq: boolean,
			
 
				 }
			
--- a/apps/app/src/server/middlewares/certify-origin.ts
+++ b/apps/app/src/server/middlewares/certify-origin.ts
@@ -0,0 +1,37 @@
 
				+import { ErrorV3 } from '@growi/core/dist/models';
			
 
				+import type { NextFunction, Response } from 'express';
			
 
				+
			
 
				+import type Crowi from '~/server/crowi';
			
 
				+import type { AccessTokenParserReq } from '~/server/middlewares/access-token-parser/interfaces';
			
 
				+import isSimpleRequest from '~/server/util/is-simple-request';
			
 
				+import loggerFactory from '~/utils/logger';
			
 
				+
			
 
				+const logger = loggerFactory('growi:middleware:certify-origin');
			
 
				+
			
 
				+type Apiv3ErrFunction = (error: ErrorV3) => void;
			
 
				+
			
 
				+const certifyOrigin = (crowi: Crowi): ((req: AccessTokenParserReq, res: Response & { apiv3Err: Apiv3ErrFunction }, next: NextFunction) => void) => {
			
 
				+
			
 
				+  const appSiteUrl = crowi.configManager?.getConfig('crowi', 'app:siteUrl');
			
 
				+  return (req: AccessTokenParserReq, res: Response & { apiv3Err }, next: NextFunction): void => {
			
 
				+
			
 
				+    const isSameOriginReq = req.headers.origin == null || req.headers.origin === appSiteUrl;
			
 
				+    req.isSameOriginReq = isSameOriginReq;
			
 
				+    const accessToken = req.query.access_token ?? req.body.access_token;
			
 
				+
			
 
				+    if (!isSameOriginReq && req.headers.origin != null && isSimpleRequest(req)) {
			
 
				+      const message = 'Invalid request (origin check failed but simple request)';
			
 
				+      logger.error(message);
			
 
				+      return res.apiv3Err(new ErrorV3(message));
			
 
				+    }
			
 
				+
			
 
				+    if (!isSameOriginReq && accessToken == null && !isSimpleRequest(req)) {
			
 
				+      const message = 'Invalid request (origin check failed and no access token)';
			
 
				+      logger.error(message);
			
 
				+      return res.apiv3Err(new ErrorV3(message));
			
 
				+    }
			
 
				+
			
 
				+    next();
			
 
				+  };
			
 
				+};
			
 
				+export default certifyOrigin;
			
--- a/apps/app/src/server/util/is-simple-request.ts
+++ b/apps/app/src/server/util/is-simple-request.ts
@@ -0,0 +1,50 @@
 
				+import type { Request } from 'express';
			
 
				+
			
 
				+import type { AccessTokenParserReq } from '~/server/middlewares/access-token-parser/interfaces';
			
 
				+
			
 
				+const isSimpleRequest = (req: Request | AccessTokenParserReq): boolean => {
			
 
				+  // 1. Check if the request method is allowed
			
 
				+  const allowedMethods = ['GET', 'HEAD', 'POST'];
			
 
				+  if (!allowedMethods.includes(req.method)) {
			
 
				+    return false;
			
 
				+  }
			
 
				+
			
 
				+  // 2. Check if the request headers are safe
			
 
				+  const safeRequestHeaders = [
			
 
				+    'accept',
			
 
				+    'accept-language',
			
 
				+    'content-language',
			
 
				+    'content-type',
			
 
				+    'range',
			
 
				+    'referer',
			
 
				+    'dpr',
			
 
				+    'downlink',
			
 
				+    'save-Data',
			
 
				+    'viewport-Width',
			
 
				+    'width',
			
 
				+  ];
			
 
				+  const nonSafeHeaders = Object.keys(req.headers).filter((header) => {
			
 
				+    const headerLower = header.toLowerCase();
			
 
				+    return !safeRequestHeaders.includes(headerLower);
			
 
				+  });
			
 
				+
			
 
				+  if (nonSafeHeaders.length > 0) {
			
 
				+    return false;
			
 
				+  }
			
 
				+
			
 
				+  // 3. Content-Type is
			
 
				+  const allowedContentTypes = [
			
 
				+    'application/x-www-form-urlencoded',
			
 
				+    'multipart/form-data',
			
 
				+    'text/plain',
			
 
				+  ];
			
 
				+  const contentType = req.headers['content-type'];
			
 
				+
			
 
				+  if (contentType != null && !allowedContentTypes.includes(contentType.toLowerCase())) {
			
 
				+    return false;
			
 
				+  }
			
 
				+  // Return true if all conditions are met
			
 
				+  return true;
			
 
				+};
			
 
				+
			
 
				+export default isSimpleRequest;