PSW-28 Fix potential XSS exploit on WOPI API (#4925)

hpi-schul-cloud · Apr 15, 2024 · 9dfe1b4 · 9dfe1b4
1 parent 382839a
commit 9dfe1b4
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/services/wopi/hooks/index.js b/src/services/wopi/hooks/index.js
@@ -1,6 +1,7 @@
 /* eslint-disable no-multi-spaces */
 
 const { authenticate } = require('@feathersjs/authentication');
+const { isProvider, iff } = require('feathers-hooks-common');
 const { NotFound, BadRequest, Conflict } = require('../../../errors');
 const { FileModel } = require('../../fileStorage/model');
 const { mapPayload } = require('../../../hooks');
@@ -92,6 +93,14 @@ const setLockResponseHeader = (hook) => {
 	return hook;
 };
 
+const setContentDispositionHeader = (context) => {
+	// Setting this header should prevent HTML files from being openend in the browser, because that could be exploited by sending a direct link to a malicious file.
+	// Since this endpoint is not intended to be used by a browser, we can safely set the header for all responses.
+	context.http.headers = { 'Content-Disposition': 'attachment' };
+
+	return context;
+};
+
 exports.before = {
 	all: [wopiAuthentication, mapPayload],
 	find: [],
@@ -104,7 +113,7 @@ exports.before = {
 
 exports.after = {
 	all: [],
-	find: [],
+	find: [iff(isProvider('rest'), setContentDispositionHeader)],
 	get: [],
 	create: [setLockResponseHeader],
 	update: [],