Commit 00b764d8 authored by nimrod's avatar nimrod
Browse files

Improve security by restricting the usage of the response.

The service replies with the message in the request. This can be used as
an attack vector as the reply is determined by the request and is coming
from a shore.co.il domain. So the following precautions are taken:

- Limit the request length to limit the usefulness of the response.
- Set the response MIME type to plain text and set the
  `X-Content-Type-Options` header to `nosniff` so the browser won't
  guess the content type.
- Set the `X-Frame-Options` header to `DENY` so it won't be used as an
  iframe.
- Set CORS headers.
parent 0d5acb2b
Loading
Loading
Loading
Loading
Loading
+17 −4
Original line number Diff line number Diff line
@@ -5,25 +5,38 @@ import json
import os

import docker
from flask import Flask, request
from flask import Flask, Response, request

app = Flask(__name__)
app.config["MAX_CONTENT_LENGTH"] = 128
client = docker.from_env()


NAME = os.getenv("NC_NAME", "Nimrod Adar")
ALLOWED_ORIGIN = os.getent("ALLOWED_ORIGIN", "https://www.shore.co.il")
CONTAINER_NAME = os.getenv("NC_CONTAINER", "nextcloud-nextcloud-1")
NAME = os.getenv("NC_NAME", "Nimrod Adar")

HEADERS = {
    "Access-Control-Allow-Credentials": False,
    "Access-Control-Allow-Methods": "GET,POST",
    "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
    "Cache-Control": "no-cache, no-store, max-age=0",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}


@app.route("/ping")
def ping():
    """Healthcheck."""
    return "pong"
    return Response("pong", mimetype="text/plain")


@app.route("/send", methods=["GET", "POST"])
def send_message():  # noqa: MC0001
    """Send a notification."""
    if request.method == "OPTIONS":  # A CORS pre-flight request.
        return Response(headers=HEADERS)
    if request.method == "POST":
        # Needs to be called before accessing other request parameters,
        # otherwise it will be empty.
@@ -69,4 +82,4 @@ def send_message(): # noqa: MC0001
    if result.exit_code != 0:
        raise RuntimeError(result.output.decode())

    return message
    return Response(message, mimetype="text/plain", headers=HEADERS)