Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found
Select Git revision

Target

Select target project
  • nimrod/nextcloud-notifier
1 result
Select Git revision
Show changes
Commits on Source (2)
  • nimrod's avatar
    Update the pycln pre-commit hook. · 20838065
    nimrod authored 
    The older version was failing.
    20838065
  • nimrod's avatar
    Improve security by restricting the usage of the response. · d9356ab8
    nimrod authored 
    The service replies with the message in the request. This can be used as
an attack vector as the reply is determined by the request and is coming
from a shore.co.il domain. So the following precautions are taken:

- Limit the request length to limit the usefulness of the response.
- Set the response MIME type to plain text and set the
  `X-Content-Type-Options` header to `nosniff` so the browser won't
  guess the content type.
- Set CORS headers.
    d9356ab8
Hide whitespace changes
Inline Side-by-side
.pre-commit-config.yaml
View file @ d9356ab8
...@@ -123,7 +123,7 @@ repos: ...@@ -123,7 +123,7 @@ repos:
- id: pyupgrade - id: pyupgrade
- repo: https://github.com/hadialqattan/pycln.git - repo: https://github.com/hadialqattan/pycln.git
rev: v2.0.2 rev: v2.1.2
hooks: hooks:
- id: pycln - id: pycln
......
app.py
View file @ d9356ab8
...@@ -5,25 +5,37 @@ import json ...@@ -5,25 +5,37 @@ import json
import os import os
import docker import docker
from flask import Flask, request from flask import Flask, Response, request
app = Flask(__name__) app = Flask(__name__)
app.config["MAX_CONTENT_LENGTH"] = 128
client = docker.from_env() client = docker.from_env()
NAME = os.getenv("NC_NAME", "Nimrod Adar") ALLOWED_ORIGIN = os.getent("ALLOWED_ORIGIN", "https://www.shore.co.il")
CONTAINER_NAME = os.getenv("NC_CONTAINER", "nextcloud-nextcloud-1") CONTAINER_NAME = os.getenv("NC_CONTAINER", "nextcloud-nextcloud-1")
NAME = os.getenv("NC_NAME", "Nimrod Adar")
HEADERS = {
"Access-Control-Allow-Credentials": False,
"Access-Control-Allow-Methods": "GET,POST",
"Access-Control-Allow-Origin": ALLOWED_ORIGIN,
"Cache-Control": "no-cache, no-store, max-age=0",
"X-Content-Type-Options": "nosniff",
}
@app.route("/ping") @app.route("/ping")
def ping(): def ping():
"""Healthcheck.""" """Healthcheck."""
return "pong" return Response("pong", mimetype="text/plain")
@app.route("/send", methods=["GET", "POST"]) @app.route("/send", methods=["GET", "POST"])
def send_message(): # noqa: MC0001 def send_message(): # noqa: MC0001
"""Send a notification.""" """Send a notification."""
if request.method == "OPTIONS": # A CORS pre-flight request.
return Response(headers=HEADERS)
if request.method == "POST": if request.method == "POST":
# Needs to be called before accessing other request parameters, # Needs to be called before accessing other request parameters,
# otherwise it will be empty. # otherwise it will be empty.
...@@ -69,4 +81,4 @@ def send_message(): # noqa: MC0001 ...@@ -69,4 +81,4 @@ def send_message(): # noqa: MC0001
if result.exit_code != 0: if result.exit_code != 0:
raise RuntimeError(result.output.decode()) raise RuntimeError(result.output.decode())
return message return Response(message, mimetype="text/plain", headers=HEADERS)