build: merge pr #438 from lukewhrit/develop

lukewhrit · web-flow · commit f10293cd7c38 · 2024-08-19T17:03:13.000-04:00
Release v1.0.3: Bug fixes
diff --git a/go.mod b/go.mod
@@ -15,7 +15,10 @@ require (
 	golang.org/x/exp v0.0.0-20230807204917-050eac23e9de
 )
 
-require github.com/dlclark/regexp2 v1.11.0 // indirect
+require (
+	github.com/dlclark/regexp2 v1.11.0 // indirect
+	golang.org/x/net v0.28.0 // indirect
+)
 
 require (
 	github.com/alecthomas/chroma/v2 v2.14.0
@@ -26,7 +29,7 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/sys v0.23.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -60,12 +60,16 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 golang.org/x/exp v0.0.0-20230807204917-050eac23e9de h1:l5Za6utMv/HsBWWqzt4S8X17j+kt1uVETUX5UFhn2rE=
 golang.org/x/exp v0.0.0-20230807204917-050eac23e9de/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
+golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
+golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -29,10 +29,11 @@ type Cfg struct {
 	ConnectionURI    string `env:"CONNECTION_URI" json:"-"`
 
 	// Web
-	Headless  bool   `env:"HEADLESS" envDefault:"false" json:"headless"` // Enable website
-	Analytics string `env:"ANALYTICS" envDefault:"" json:"analytics"`    // <script> tag for analytics (leave blank to disable)
-	Username  string `env:"USERNAME" envDefault:"" json:"username"`      // Basic Auth username. Required to enable Basic Auth
-	Password  string `env:"PASSWORD" envDefault:"" json:"password"`      // Basic Auth password. Required to enable Basic Auth
+	Headless              bool   `env:"HEADLESS" envDefault:"false" json:"headless"`                                                                                                                                       // Enable website
+	Analytics             string `env:"ANALYTICS" envDefault:"" json:"analytics"`                                                                                                                                          // <script> tag for analytics (leave blank to disable)
+	Username              string `env:"USERNAME" envDefault:"" json:"username"`                                                                                                                                            // Basic Auth username. Required to enable Basic Auth
+	Password              string `env:"PASSWORD" envDefault:"" json:"password"`                                                                                                                                            // Basic Auth password. Required to enable Basic Auth
+	ContentSecurityPolicy string `env:"CSP" envDefault:"default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" json:"csp"` // Content Security Policy. Must be changed if you are using analytics.
 
 	// Document
 	IDLength      int      `env:"ID_LENGTH" envDefault:"8" json:"id_length"`
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
@@ -31,15 +31,16 @@ func TestLoad(t *testing.T) {
 	}
 
 	require.EqualValues(t, Config, Cfg{
-		Host:             "0.0.0.0",
-		Port:             9000,
-		CompressionLevel: 1,
-		Ratelimiter:      "200x5",
-		IDLength:         8,
-		IDType:           "key",
-		MaxSize:          400_000,
-		Headless:         false,
-		ConnectionURI:    "host=localhost port=5432 user=spacebin database=spacebin sslmode=disable",
-		ExpirationAge:    720,
+		Host:                  "0.0.0.0",
+		Port:                  9000,
+		CompressionLevel:      1,
+		Ratelimiter:           "200x5",
+		IDLength:              8,
+		IDType:                "key",
+		MaxSize:               400_000,
+		Headless:              false,
+		ConnectionURI:         "host=localhost port=5432 user=spacebin database=spacebin sslmode=disable",
+		ContentSecurityPolicy: "default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';",
+		ExpirationAge:         720,
 	})
 }
diff --git a/internal/server/config_test.go b/internal/server/config_test.go
@@ -35,15 +35,16 @@ type ConfigResponse struct {
 }
 
 var mockConfig = config.Cfg{
-	Host:             "0.0.0.0",
-	Port:             9000,
-	CompressionLevel: 1,
-	Ratelimiter:      "200x5",
-	IDLength:         8,
-	IDType:           "key",
-	MaxSize:          400_000,
-	ExpirationAge:    720,
-	Headless:         false,
+	Host:                  "0.0.0.0",
+	Port:                  9000,
+	CompressionLevel:      1,
+	Ratelimiter:           "200x5",
+	IDLength:              8,
+	IDType:                "key",
+	MaxSize:               400_000,
+	ExpirationAge:         720,
+	ContentSecurityPolicy: "default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';",
+	Headless:              false,
 }
 
 // executeRequest, creates a new ResponseRecorder
diff --git a/internal/server/server.go b/internal/server/server.go
@@ -124,7 +124,7 @@ func (s *Server) RegisterHeaders() {
 	s.Router.Use(middleware.SetHeader("X-Content-Type-Options", "nosniff"))
 	s.Router.Use(middleware.SetHeader("Referrer-Policy", "no-referrer-when-downgrade"))
 	s.Router.Use(middleware.SetHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"))
-	s.Router.Use(middleware.SetHeader("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"))
+	s.Router.Use(middleware.SetHeader("Content-Security-Policy", s.Config.ContentSecurityPolicy))
 }
 
 func (s *Server) MountStatic() {
diff --git a/internal/server/server_test.go b/internal/server/server_test.go
@@ -101,5 +101,5 @@ func TestRegisterHeaders(t *testing.T) {
 	require.Equal(t, "nosniff", res.Result().Header.Get("X-Content-Type-Options"))
 	require.Equal(t, "no-referrer-when-downgrade", res.Result().Header.Get("Referrer-Policy"))
 	require.Equal(t, "max-age=31536000; includeSubDomains; preload", res.Result().Header.Get("Strict-Transport-Security"))
-	require.Equal(t, "default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';", res.Result().Header.Get("Content-Security-Policy"))
+	require.Equal(t, mockConfig.ContentSecurityPolicy, res.Result().Header.Get("Content-Security-Policy"))
 }

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ func (s *Server) RegisterHeaders() {`
`124`	`124`	`s.Router.Use(middleware.SetHeader("X-Content-Type-Options", "nosniff"))`
`125`	`125`	`s.Router.Use(middleware.SetHeader("Referrer-Policy", "no-referrer-when-downgrade"))`
`126`	`126`	`s.Router.Use(middleware.SetHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"))`
`127`		`- s.Router.Use(middleware.SetHeader("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"))`
	`127`	`+ s.Router.Use(middleware.SetHeader("Content-Security-Policy", s.Config.ContentSecurityPolicy))`
`128`	`128`	`}`
`129`	`129`
`130`	`130`	`func (s *Server) MountStatic() {`
Original file line number	Diff line number	Diff line change
`@@ -101,5 +101,5 @@ func TestRegisterHeaders(t *testing.T) {`
`101`	`101`	`require.Equal(t, "nosniff", res.Result().Header.Get("X-Content-Type-Options"))`
`102`	`102`	`require.Equal(t, "no-referrer-when-downgrade", res.Result().Header.Get("Referrer-Policy"))`
`103`	`103`	`require.Equal(t, "max-age=31536000; includeSubDomains; preload", res.Result().Header.Get("Strict-Transport-Security"))`
`104`		`- require.Equal(t, "default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';", res.Result().Header.Get("Content-Security-Policy"))`
	`104`	`+ require.Equal(t, mockConfig.ContentSecurityPolicy, res.Result().Header.Get("Content-Security-Policy"))`
`105`	`105`	`}`