From d9356ab8d783a0f1911b89427cc3cf1a953ded3a Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 3 Dec 2022 13:04:22 +0200
Subject: [PATCH] Improve security by restricting the usage of the response.

The service replies with the message in the request. This can be used as
an attack vector as the reply is determined by the request and is coming
from a shore.co.il domain. So the following precautions are taken:

- Limit the request length to limit the usefulness of the response.
- Set the response MIME type to plain text and set the
  `X-Content-Type-Options` header to `nosniff` so the browser won't
  guess the content type.
- Set CORS headers.
---
 app.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/app.py b/app.py
index a9b6501..c212fe6 100644
--- a/app.py
+++ b/app.py
@@ -5,25 +5,37 @@ import json
 import os
 
 import docker
-from flask import Flask, request
+from flask import Flask, Response, request
 
 app = Flask(__name__)
+app.config["MAX_CONTENT_LENGTH"] = 128
 client = docker.from_env()
 
 
-NAME = os.getenv("NC_NAME", "Nimrod Adar")
+ALLOWED_ORIGIN = os.getent("ALLOWED_ORIGIN", "https://www.shore.co.il")
 CONTAINER_NAME = os.getenv("NC_CONTAINER", "nextcloud-nextcloud-1")
+NAME = os.getenv("NC_NAME", "Nimrod Adar")
+
+HEADERS = {
+    "Access-Control-Allow-Credentials": False,
+    "Access-Control-Allow-Methods": "GET,POST",
+    "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
+    "Cache-Control": "no-cache, no-store, max-age=0",
+    "X-Content-Type-Options": "nosniff",
+}
 
 
 @app.route("/ping")
 def ping():
     """Healthcheck."""
-    return "pong"
+    return Response("pong", mimetype="text/plain")
 
 
 @app.route("/send", methods=["GET", "POST"])
 def send_message():  # noqa: MC0001
     """Send a notification."""
+    if request.method == "OPTIONS":  # A CORS pre-flight request.
+        return Response(headers=HEADERS)
     if request.method == "POST":
         # Needs to be called before accessing other request parameters,
         # otherwise it will be empty.
@@ -69,4 +81,4 @@ def send_message():  # noqa: MC0001
     if result.exit_code != 0:
         raise RuntimeError(result.output.decode())
 
-    return message
+    return Response(message, mimetype="text/plain", headers=HEADERS)
-- 
GitLab