-
Notifications
You must be signed in to change notification settings - Fork 2k
/
noxssrw.go
227 lines (201 loc) · 7.53 KB
/
noxssrw.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
// Package noxssrw (No XSS ResponseWriter) behaves like the Go standard
// library's ResponseWriter by detecting the Content-Type of a response if it
// has not been explicitly set. However, unlike the standard library's
// implementation, this implementation will never return the "text/html"
// Content-Type and instead return "text/plain".
package noxssrw
import (
"net/http"
"strings"
)
var (
// DefaultUnsafeTypes are Content-Types that browsers will render as hypertext.
// Any Content-Types that allow Javascript or remote resource fetching must be
// converted to a Content-Type that prevents evaluation.
//
// Types are prefix matched to avoid comparing against specific
// character sets (eg "text/html; charset=utf-8") which may be user
// controlled.
DefaultUnsafeTypes = map[string]string{
"text/html": "text/plain",
"text/xhtml": "text/plain",
"text/xhtml+xml": "text/plain",
}
// DefaultHeaders contain CORS headers meant to prevent the execution
// of Javascript in compliant browsers.
DefaultHeaders = map[string]string{
"Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
"X-Content-Type-Options": "nosniff",
"X-XSS-Protection": "1; mode=block",
}
)
// NoXSSResponseWriter implements http.ResponseWriter but prevents renderable
// Content-Types from being automatically detected. Create with
// NewResponseWriter.
type NoXSSResponseWriter struct {
// TypeMap maps types unsafe for untrusted content to their safe
// version; may be replaced but not mutated.
TypeMap map[string]string
// DefaultHeaders to set on first write if they are not already
// explicitly set.
DefaultHeaders map[string]string
// buffer up to 512 bytes before detecting Content-Type and writing
// response.
buf []byte
// subsequentWrite is true after the first Write is called
subsequentWrite bool
// flushed is true if Content-Type has been set and Writes may be
// passed through.
flushed bool
// original ResponseWriter being wrapped
orig http.ResponseWriter
}
// Header returns the header map that will be sent by
// WriteHeader. The Header map also is the mechanism with which
// Handlers can set HTTP trailers.
//
// Changing the header map after a call to WriteHeader (or
// Write) has no effect unless the modified headers are
// trailers.
//
// There are two ways to set Trailers. The preferred way is to
// predeclare in the headers which trailers you will later
// send by setting the "Trailer" header to the names of the
// trailer keys which will come later. In this case, those
// keys of the Header map are treated as if they were
// trailers. See the example. The second way, for trailer
// keys not known to the Handler until after the first Write,
// is to prefix the Header map keys with the TrailerPrefix
// constant value. See TrailerPrefix.
//
// To suppress automatic response headers (such as "Date"), set
// their value to nil.
func (w *NoXSSResponseWriter) Header() http.Header {
return w.orig.Header()
}
// Write writes the data to the connection as part of an HTTP reply.
//
// If WriteHeader has not yet been called, Write calls
// WriteHeader(http.StatusOK) before writing the data. If the Header
// does not contain a Content-Type line, Write adds a Content-Type set
// to the result of passing the initial 512 bytes of written data to
// DetectContentType. Additionally, if the total size of all written
// data is under a few KB and there are no Flush calls, the
// Content-Length header is added automatically.
//
// Depending on the HTTP protocol version and the client, calling
// Write or WriteHeader may prevent future reads on the
// Request.Body. For HTTP/1.x requests, handlers should read any
// needed request body data before writing the response. Once the
// headers have been flushed (due to either an explicit Flusher.Flush
// call or writing enough data to trigger a flush), the request body
// may be unavailable. For HTTP/2 requests, the Go HTTP server permits
// handlers to continue to read the request body while concurrently
// writing the response. However, such behavior may not be supported
// by all HTTP/2 clients. Handlers should read before writing if
// possible to maximize compatibility.
func (w *NoXSSResponseWriter) Write(p []byte) (int, error) {
headers := w.Header()
// If first write, set any unset default headers. Do this on first write
// to allow overriding the default set of headers.
if !w.subsequentWrite {
for k, v := range w.DefaultHeaders {
if headers.Get(k) == "" {
headers.Set(k, v)
}
}
w.subsequentWrite = true
}
// If already flushed, write-through and short-circuit
if w.flushed {
return w.orig.Write(p)
}
// < 512 bytes available, buffer and wait for closing or a subsequent
// request
if len(w.buf)+len(p) < 512 {
w.buf = append(w.buf, p...)
return len(p), nil
}
// >= 512 bytes available, set the Content-Type and flush.
all := append(w.buf, p...)
contentType := http.DetectContentType(all)
// Prefix match to exclude the character set which may be user
// controlled.
for prefix, safe := range w.TypeMap {
if strings.HasPrefix(contentType, prefix) {
contentType = safe
break
}
}
// Set the Content-Type iff it was not already explicitly set
if headers.Get("Content-Type") == "" {
headers.Set("Content-Type", contentType)
}
// Write the buffer
n, err := w.orig.Write(w.buf)
if err != nil {
// Throw away part of buffer written successfully and
// inform caller p was not written at all
w.buf = w.buf[:n]
return 0, err
}
// Headers and buffer were written, this writer has been
// flushed and can be a passthrough
w.flushed = true
// Write p
return w.orig.Write(p)
}
// Close and flush the writer. Necessary for responses that never reached 512
// bytes.
func (w *NoXSSResponseWriter) Close() (int, error) {
// If the buffer was already flushed this is a noop
if w.flushed {
return 0, nil
}
// Prefix match to exclude the character set which may be user
// controlled.
contentType := http.DetectContentType(w.buf)
for prefix, safe := range w.TypeMap {
if strings.HasPrefix(contentType, prefix) {
contentType = safe
break
}
}
// Set the Content-Type iff it was not already explicitly set
if headers := w.Header(); headers.Get("Content-Type") == "" {
headers.Set("Content-Type", contentType)
}
// Write the buffer
return w.orig.Write(w.buf)
}
// WriteHeader sends an HTTP response header with the provided
// status code.
//
// If WriteHeader is not called explicitly, the first call to Write
// will trigger an implicit WriteHeader(http.StatusOK).
// Thus explicit calls to WriteHeader are mainly used to
// send error codes.
//
// The provided code must be a valid HTTP 1xx-5xx status code.
// Only one header may be written. Go does not currently
// support sending user-defined 1xx informational headers,
// with the exception of 100-continue response header that the
// Server sends automatically when the Request.Body is read.
func (w *NoXSSResponseWriter) WriteHeader(statusCode int) {
w.orig.WriteHeader(statusCode)
}
// NewResponseWriter creates a new ResponseWriter and Close func which will
// prevent Go's http.ResponseWriter default behavior of detecting the
// Content-Type.
//
// The Close func must be called to ensure that responses < 512 bytes are
// flushed as up to 512 bytes are buffered without flushing.
func NewResponseWriter(orig http.ResponseWriter) (http.ResponseWriter, func() (int, error)) {
w := &NoXSSResponseWriter{
TypeMap: DefaultUnsafeTypes,
DefaultHeaders: DefaultHeaders,
buf: make([]byte, 0, 512),
orig: orig,
}
return w, w.Close
}