diff --git a/go.mod b/go.mod
index 7aa92cbc5c..a0d0b32d9a 100644
--- a/go.mod
+++ b/go.mod
@@ -363,7 +363,7 @@ replace github.com/studio-b12/gowebdav => github.com/aduffeck/gowebdav v0.0.0-20
 replace github.com/egirna/icap-client => github.com/fschade/icap-client v0.0.0-20240123094924-5af178158eaf
 
-replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77
+replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c
 
 // exclude the v2 line of go-sqlite3 which was released accidentally and prevents pulling in newer versions of go-sqlite3
 // see https://github.com/mattn/go-sqlite3/issues/965 for more details
diff --git a/go.sum b/go.sum
index f0046798f1..bdf73f6850 100644
--- a/go.sum
+++ b/go.sum
@@ -798,8 +798,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/CiscoM31/godata v1.0.10 h1:DZdJ6M8QNh4HquvDDOqNLu6h77Wl86KGK7Qlbmb90sk=
 github.com/CiscoM31/godata v1.0.10/go.mod h1:ZMiT6JuD3Rm83HEtiTx4JEChsd25YCrxchKGag/sdTc=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77 h1:UTzaEnOUHXYhF4SFARPcEownvFw8Kgg+oJv3N0pRI2g=
-github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
+github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c h1:ocsNvQ2tNHme4v/lTs17HROamc7mFzZfzWcg4m+UXN0=
+github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
 github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
 github.com/KimMachineGun/automemlimit v0.6.1 h1:ILa9j1onAAMadBsyyUJv5cack8Y1WT26yLj/V+ulKp8=
 github.com/KimMachineGun/automemlimit v0.6.1/go.mod h1:T7xYht7B8r6AG/AqFcUdc7fzd2bIdBKmepfP2S1svPY=
diff --git a/vendor/github.com/unrolled/secure/README.md b/vendor/github.com/unrolled/secure/README.md
index 4ec82d5f96..720d531349 100644
--- a/vendor/github.com/unrolled/secure/README.md
+++ b/vendor/github.com/unrolled/secure/README.md
@@ -20,19 +20,21 @@ var myHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 
 func main() {
 	secureMiddleware := secure.New(secure.Options{
-		AllowedHosts:          []string{"example\\.com", ".*\\.example\\.com"},
-		AllowedHostsAreRegex:  true,
-		HostsProxyHeaders:     []string{"X-Forwarded-Host"},
-		SSLRedirect:           true,
-		SSLHost:               "ssl.example.com",
-		SSLProxyHeaders:       map[string]string{"X-Forwarded-Proto": "https"},
-		STSSeconds:            31536000,
-		STSIncludeSubdomains:  true,
-		STSPreload:            true,
-		FrameDeny:             true,
-		ContentTypeNosniff:    true,
-		BrowserXssFilter:      true,
-		ContentSecurityPolicy: "script-src $NONCE",
+		AllowedHosts:                 []string{"example\\.com", ".*\\.example\\.com"},
+		AllowedHostsAreRegex:         true,
+		HostsProxyHeaders:            []string{"X-Forwarded-Host"},
+		SSLRedirect:                  true,
+		SSLHost:                      "ssl.example.com",
+		SSLProxyHeaders:              map[string]string{"X-Forwarded-Proto": "https"},
+		STSSeconds:                   31536000,
+		STSIncludeSubdomains:         true,
+		STSPreload:                   true,
+		FrameDeny:                    true,
+		ContentTypeNosniff:           true,
+		BrowserXssFilter:             true,
+		ContentSecurityPolicy:        "script-src $NONCE",
+		PermittedCrossDomainPolicies: "none",
+		RobotTag:                     "noindex",
 	})
 
 	app := secureMiddleware.Handler(myHandler)
@@ -42,7 +44,7 @@ func main() {
 Be sure to include the Secure middleware as close to the top (beginning) as possible (but after logging and recovery). It's best to do the allowed hosts and SSL check before anything else.
 
-The above example will only allow requests with a host name of 'example.com', or 'ssl.example.com'. Also if the request is not HTTPS, it will be redirected to HTTPS with the host name of 'ssl.example.com'.
+The above example will only allow requests with a host name of 'example.com', or 'ssl.example.com'. Also, if the request is not HTTPS, it will be redirected to HTTPS with the host name of 'ssl.example.com'.
 
 Once those requirements are satisfied, it will add the following headers:
 ~~~ go
 Strict-Transport-Security: 31536000; includeSubdomains; preload
@@ -53,7 +55,7 @@ Content-Security-Policy: script-src 'nonce-a2ZobGFoZg=='
 ~~~
 
 ### Set the `IsDevelopment` option to `true` when developing!
-When `IsDevelopment` is true, the AllowedHosts, SSLRedirect, and STS header will not be in effect. This allows you to work in development/test mode and not have any annoying redirects to HTTPS (ie. development can happen on HTTP), or block `localhost` has a bad host.
+When `IsDevelopment` is true, the AllowedHosts, SSLRedirect, and STS header will not be in effect. This allows you to work in development/test mode and not have any annoying redirects to HTTPS (i.e. development can happen on HTTP), or block `localhost` has a bad host.
 
 ### Available options
 Secure comes with a variety of configuration options (Note: these are not the default option values. See the defaults below.):
@@ -137,7 +139,7 @@ http.Error(w, "Bad Request", http.StatusBadRequest)
 Call `secure.SetBadRequestHandler` to set your own custom handler.
 
 ### Allow Request Function
-Secure allows you to set a custom function (`func(r *http.Request) bool`) for the `AllowRequestFunc` option. You can use this function as a custom filter to allow the request to continue or simply reject it. This can be handy if you need to do any dynamic filtering on any of the request properties. It should be noted that this function will be called on every request, so be sure to make your checks quick and not relying on time consuming external calls (or you will be slowing down all requests). See above on how to set a custom handler for the rejected requests.
+Secure allows you to set a custom function (`func(r *http.Request) bool`) for the `AllowRequestFunc` option. You can use this function as a custom filter to allow the request to continue or simply reject it. This can be handy if you need to do any dynamic filtering on any of the request properties. It should be noted that this function will be called on every request, so be sure to make your checks quick and not relying on time-consuming external calls (or you will be slowing down all requests). See above on how to set a custom handler for the rejected requests.
 
 ### Redirecting HTTP to HTTPS
 If you want to redirect all HTTP requests to HTTPS, you can use the following example.
diff --git a/vendor/github.com/unrolled/secure/cspbuilder/builder.go b/vendor/github.com/unrolled/secure/cspbuilder/builder.go
index 595c0f0d26..904203f637 100644
--- a/vendor/github.com/unrolled/secure/cspbuilder/builder.go
+++ b/vendor/github.com/unrolled/secure/cspbuilder/builder.go
@@ -45,7 +45,7 @@ const (
 )
 
 type Builder struct {
-	Directives map[string]([]string)
+	Directives map[string][]string
 }
 
 // MustBuild is like Build but panics if an error occurs.
@@ -61,12 +61,15 @@ func (builder *Builder) MustBuild() string {
 // Build creates a content security policy string from the specified directives.
 // If any directive contains invalid values, an error is returned instead.
 func (builder *Builder) Build() (string, error) {
-	var sb strings.Builder
-	var keys []string
+	keys := make([]string, 0, len(builder.Directives))
+
 	for k := range builder.Directives {
 		keys = append(keys, k)
 	}
+
 	sort.Strings(keys)
+
+	var sb strings.Builder
 	for _, directive := range keys {
 		if sb.Len() > 0 {
 			sb.WriteString("; ")
diff --git a/vendor/github.com/unrolled/secure/secure.go b/vendor/github.com/unrolled/secure/secure.go
index 4122dabfdc..15218e3beb 100644
--- a/vendor/github.com/unrolled/secure/secure.go
+++ b/vendor/github.com/unrolled/secure/secure.go
@@ -2,6 +2,7 @@ package secure
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"regexp"
@@ -361,7 +362,7 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 
 	http.Redirect(w, r, url.String(), status)
 
-	return nil, nil, fmt.Errorf("redirecting to HTTPS")
+	return nil, nil, errors.New("redirecting to HTTPS")
 }
 
 if s.opt.SSLForceHost {
@@ -387,7 +388,7 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 
 			http.Redirect(w, r, url.String(), status)
 
-			return nil, nil, fmt.Errorf("redirecting to HTTPS")
+			return nil, nil, errors.New("redirecting to HTTPS")
 		}
 	}
 
@@ -395,7 +396,7 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 
 	if s.opt.AllowRequestFunc != nil && !s.opt.AllowRequestFunc(r) {
 		s.badRequestHandler.ServeHTTP(w, r)
-		return nil, nil, fmt.Errorf("request not allowed")
+		return nil, nil, errors.New("request not allowed")
 	}
 
 	// Create our header container.
@@ -514,7 +515,7 @@ func (s *Secure) ModifyResponseHeaders(res *http.Response) error {
 		location := res.Header.Get("Location")
 
 		if s.isSSL(res.Request) && len(s.opt.SSLHost) > 0 &&
-			(strings.HasPrefix(location, fmt.Sprintf("http://%s/", s.opt.SSLHost)) || location == fmt.Sprintf("http://%s", s.opt.SSLHost)) {
+			(strings.HasPrefix(location, fmt.Sprintf("http://%s/", s.opt.SSLHost)) || location == "http://"+s.opt.SSLHost) {
 			location = strings.Replace(location, "http:", "https:", 1)
 			res.Header.Set("Location", location)
 		}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c1ca299102..5571e4c5bd 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1882,7 +1882,7 @@ github.com/trustelem/zxcvbn/scoring
 # github.com/tus/tusd v1.13.0
 ## explicit; go 1.16
 github.com/tus/tusd/pkg/handler
-# github.com/unrolled/secure v1.14.0 => github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77
+# github.com/unrolled/secure v1.14.0 => github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c
 ## explicit; go 1.13
 github.com/unrolled/secure
 github.com/unrolled/secure/cspbuilder
@@ -2433,4 +2433,4 @@ stash.kopano.io/kgol/oidc-go
 stash.kopano.io/kgol/rndm
 # github.com/studio-b12/gowebdav => github.com/aduffeck/gowebdav v0.0.0-20231215102054-212d4a4374f6
 # github.com/egirna/icap-client => github.com/fschade/icap-client v0.0.0-20240123094924-5af178158eaf
-# github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77
+# github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c