fix: bump upstream sec middleware

2026-05-07 07:33:13 -04:00 · 2024-06-10 17:20:38 +02:00
parent 817b6e3e96
commit ccb8228edd
5 changed files with 53 additions and 35 deletions
--- a/go.mod
+++ b/go.mod
@@ -363,7 +363,7 @@ replace github.com/studio-b12/gowebdav => github.com/aduffeck/gowebdav v0.0.0-20

 replace github.com/egirna/icap-client => github.com/fschade/icap-client v0.0.0-20240123094924-5af178158eaf

-replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb
+replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77

 // exclude the v2 line of go-sqlite3 which was released accidentally and prevents pulling in newer versions of go-sqlite3
 // see https://github.com/mattn/go-sqlite3/issues/965 for more details
--- a/go.sum
+++ b/go.sum
@@ -798,8 +798,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/CiscoM31/godata v1.0.10 h1:DZdJ6M8QNh4HquvDDOqNLu6h77Wl86KGK7Qlbmb90sk=
 github.com/CiscoM31/godata v1.0.10/go.mod h1:ZMiT6JuD3Rm83HEtiTx4JEChsd25YCrxchKGag/sdTc=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb h1:Ugrv7ivJ035zunmhmGEBSXL76tyxRNH5XaBSQUTqf38=
-github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
+github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77 h1:UTzaEnOUHXYhF4SFARPcEownvFw8Kgg+oJv3N0pRI2g=
+github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
 github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
 github.com/KimMachineGun/automemlimit v0.6.1 h1:ILa9j1onAAMadBsyyUJv5cack8Y1WT26yLj/V+ulKp8=
 github.com/KimMachineGun/automemlimit v0.6.1/go.mod h1:T7xYht7B8r6AG/AqFcUdc7fzd2bIdBKmepfP2S1svPY=
@@ -1025,8 +1025,6 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
 github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2FasrrPg8gGPHQPOrQ18MS1Oew2tmGtY=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
-github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068 h1:DAmvibMtV7HxsQoG3jfwm78XftA/js0ECuv1pelSON8=
-github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068/go.mod h1:lKqw0VuP1NcZbhj0e6tGoAGq3tgWO/pLafVJyDK0yVI=
 github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace h1:zK+0QyrqRBwdRthUbXTyDhxZIMZlNJPzGr0+bmyU++0=
 github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace/go.mod h1:lKqw0VuP1NcZbhj0e6tGoAGq3tgWO/pLafVJyDK0yVI=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
--- a/services/proxy/pkg/middleware/security.go
+++ b/services/proxy/pkg/middleware/security.go
@@ -1,13 +1,14 @@
 package middleware

 import (
+	"net/http"
+	"os"
+
 	gofig "github.com/gookit/config/v2"
 	"github.com/gookit/config/v2/yaml"
 	"github.com/owncloud/ocis/v2/services/proxy/pkg/config"
 	"github.com/unrolled/secure"
 	"github.com/unrolled/secure/cspbuilder"
-	"net/http"
-	"os"
 )

 // LoadCSPConfig loads CSP header configuration from a yaml file.
@@ -54,14 +55,16 @@ func Security(cspConfig *config.CSP) func(h http.Handler) http.Handler {
 	}

 	secureMiddleware := secure.New(secure.Options{
-		BrowserXssFilter:        true,
-		ContentSecurityPolicy:   cspBuilder.MustBuild(),
-		ContentTypeNosniff:      true,
-		CustomFrameOptionsValue: "SAMEORIGIN",
-		FrameDeny:               true,
-		ReferrerPolicy:          "strict-origin-when-cross-origin",
-		STSSeconds:              315360000,
-		STSPreload:              true,
+		BrowserXssFilter:             true,
+		ContentSecurityPolicy:        cspBuilder.MustBuild(),
+		ContentTypeNosniff:           true,
+		CustomFrameOptionsValue:      "SAMEORIGIN",
+		FrameDeny:                    true,
+		ReferrerPolicy:               "strict-origin-when-cross-origin",
+		STSSeconds:                   315360000,
+		STSPreload:                   true,
+		PermittedCrossDomainPolicies: "none",
+		RobotTag:                     "none",
 	})
 	return func(next http.Handler) http.Handler {
 		return secureMiddleware.Handler(next)
--- a/vendor/github.com/unrolled/secure/secure.go
+++ b/vendor/github.com/unrolled/secure/secure.go
@@ -11,22 +11,23 @@ import (
 type secureCtxKey string

 const (
-	stsHeader               = "Strict-Transport-Security"
-	stsSubdomainString      = "; includeSubDomains"
-	stsPreloadString        = "; preload"
-	frameOptionsHeader      = "X-Frame-Options"
-	frameOptionsValue       = "DENY"
-	contentTypeHeader       = "X-Content-Type-Options"
-	contentTypeValue        = "nosniff"
-	xssProtectionHeader     = "X-XSS-Protection"
-	xssProtectionValue      = "1; mode=block"
-	cspHeader               = "Content-Security-Policy"
-	cspReportOnlyHeader     = "Content-Security-Policy-Report-Only"
-	hpkpHeader              = "Public-Key-Pins"
-	referrerPolicyHeader    = "Referrer-Policy"
-	featurePolicyHeader     = "Feature-Policy"
-	permissionsPolicyHeader = "Permissions-Policy"
-	coopHeader              = "Cross-Origin-Opener-Policy"
+	stsHeader                          = "Strict-Transport-Security"
+	stsSubdomainString                 = "; includeSubDomains"
+	stsPreloadString                   = "; preload"
+	frameOptionsHeader                 = "X-Frame-Options"
+	frameOptionsValue                  = "DENY"
+	contentTypeHeader                  = "X-Content-Type-Options"
+	contentTypeValue                   = "nosniff"
+	xssProtectionHeader                = "X-XSS-Protection"
+	xssProtectionValue                 = "1; mode=block"
+	cspHeader                          = "Content-Security-Policy"
+	cspReportOnlyHeader                = "Content-Security-Policy-Report-Only"
+	referrerPolicyHeader               = "Referrer-Policy"
+	featurePolicyHeader                = "Feature-Policy"
+	permissionsPolicyHeader            = "Permissions-Policy"
+	coopHeader                         = "Cross-Origin-Opener-Policy"
+	robotTagHeader                     = "X-Robots-Tag"
+	permittedCrossDomainPoliciesHeader = "X-Permitted-Cross-Domain-Policies"

 	ctxDefaultSecureHeaderKey = secureCtxKey("SecureResponseHeader")
 	cspNonceSize              = 16
@@ -65,7 +66,7 @@ type Options struct {
 	SSLRedirect bool
 	// If SSLForceHost is true and SSLHost is set, requests will be forced to use SSLHost even the ones that are already using SSL. Default is false.
 	SSLForceHost bool
-	// If SSLTemporaryRedirect is true, the a 302 will be used while redirecting. Default is false (301).
+	// If SSLTemporaryRedirect is true, a 302 will be used while redirecting. Default is false (301).
 	SSLTemporaryRedirect bool
 	// If STSIncludeSubdomains is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header. Default is false.
 	STSIncludeSubdomains bool
@@ -110,9 +111,15 @@ type Options struct {
 	STSSeconds int64
 	// SecureContextKey allows a custom key to be specified for context storage.
 	SecureContextKey string
+	// PermittedCrossDomainPolicies allows to set the X-Permitted-Cross-Domain-Policies header
+	// Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
+	PermittedCrossDomainPolicies string
+	// RobotTag allows to set the X-Robot-Tag header
+	// Reference https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag
+	RobotTag string
 }

-// Secure is a middleware that helps setup a few basic security features. A single secure.Options struct can be
+// Secure is a middleware that helps set up a few basic security features. A single secure.Options struct can be
 // provided to configure which features should be enabled, and the ability to override a few of the default values.
 type Secure struct {
 	// Customize Secure with an Options struct.
@@ -466,6 +473,16 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 		responseHeader.Set(coopHeader, s.opt.CrossOriginOpenerPolicy)
 	}

+	// X-Permitted-Cross-Domain-Policies
+	if len(s.opt.PermittedCrossDomainPolicies) > 0 {
+		responseHeader.Set(permittedCrossDomainPoliciesHeader, s.opt.PermittedCrossDomainPolicies)
+	}
+
+	// X-Robots-Tag
+	if len(s.opt.RobotTag) > 0 {
+		responseHeader.Set(robotTagHeader, s.opt.RobotTag)
+	}
+
 	return responseHeader, r, nil
 }

--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1882,7 +1882,7 @@ github.com/trustelem/zxcvbn/scoring
 # github.com/tus/tusd v1.13.0
 ## explicit; go 1.16
 github.com/tus/tusd/pkg/handler
-# github.com/unrolled/secure v1.14.0 => github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb
+# github.com/unrolled/secure v1.14.0 => github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77
 ## explicit; go 1.13
 github.com/unrolled/secure
 github.com/unrolled/secure/cspbuilder
@@ -2433,4 +2433,4 @@ stash.kopano.io/kgol/oidc-go
 stash.kopano.io/kgol/rndm
 # github.com/studio-b12/gowebdav => github.com/aduffeck/gowebdav v0.0.0-20231215102054-212d4a4374f6
 # github.com/egirna/icap-client => github.com/fschade/icap-client v0.0.0-20240123094924-5af178158eaf
-# github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb
+# github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77