
Commit 1ad150c

committed
feat(security): update secured headers and sanitize team name
1 parent 594daf0 commit 1ad150c


3 files changed

+9
-4
lines changed


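--- a/api/http/handler/file/handler.go
+++ b/api/http/handler/file/handler.go
@@ -33,5 +33,9 @@ func (handler *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 } else {
 w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 }
+
+w.Header().Add("X-Frame-Options", "DENY")
+w.Header().Add("X-XSS-Protection", "1; mode=block")
+w.Header().Add("X-Content-Type-Options", "nosniff")
 handler.Handler.ServeHTTP(w, r)
 }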
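Review bot: The three `Add` calls on new lines 37–39 append header values rather than replace them, so if this handler is also served behind `mwSecureHeaders` in api/http/security/bouncer.go — which sets the same three headers in this commit — every response carries each header twice; the routing is not visible from the hunk, but `Set` is the safer call either way: `w.Header().Set("X-Frame-Options", "DENY")`, and likewise for the other two. The header list is now duplicated verbatim between this file and bouncer.go; a shared helper such as `func addSecureHeaders(h http.Header)` called from both would keep the two from drifting when a header is added or a value changes. A one-line why-comment above the block, e.g. `// Hardening headers, kept in sync with mwSecureHeaders in security/bouncer.go.`, would tell the next maintainer why they are set here as well as in the middleware. ServeHTTP starts outside the hunk, so the branch that pairs with the `} else {` on line 33 is not visible here.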

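--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@@ -114,8 +114,9 @@ func (bouncer *RequestBouncer) EndpointAccess(r *http.Request, endpoint *portain
 // mwSecureHeaders provides secure headers middleware for handlers.
 func mwSecureHeaders(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-w.Header().Add("X-Content-Type-Options", "nosniff")
 w.Header().Add("X-Frame-Options", "DENY")
+w.Header().Add("X-XSS-Protection", "1; mode=block")
+w.Header().Add("X-Content-Type-Options", "nosniff")
 next.ServeHTTP(w, r)
 })
 }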
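Review bot: The doc comment on line 114 still says only "provides secure headers" although the middleware now sets a specific list, and a reader auditing response hardening has to open the body to learn which ones; something like `// mwSecureHeaders is middleware that adds the X-Frame-Options, X-XSS-Protection and X-Content-Type-Options hardening headers to every response before delegating to next.` would make the contract visible from the doc. It is also worth recording in that comment that the headers are appended with `Add`, so a chain that applies the middleware more than once emits duplicate values. `X-XSS-Protection` on new line 118 is a legacy, browser-specific control; a `Content-Security-Policy` is the standards-track replacement, which is a reasonable follow-up rather than a blocker for this change.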

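--- a/app/portainer/views/teams/teamsController.js
+++ b/app/portainer/views/teams/teamsController.js
@@ -1,6 +1,6 @@
 angular.module('portainer.app')
-.controller('TeamsController', ['$q', '$scope', '$state', 'TeamService', 'UserService', 'ModalService', 'Notifications', 'Authentication',
-function ($q, $scope, $state, TeamService, UserService, ModalService, Notifications, Authentication) {
+.controller('TeamsController', ['$q', '$scope', '$state', '$sanitize', 'TeamService', 'UserService', 'ModalService', 'Notifications', 'Authentication',
+function ($q, $scope, $state, $sanitize, TeamService, UserService, ModalService, Notifications, Authentication) {
 $scope.state = {
 actionInProgress: false
 };
@@ -22,7 +22,7 @@ function ($q, $scope, $state, TeamService, UserService, ModalService, Notificati
 };
 
 $scope.addTeam = function() {
-var teamName = $scope.formValues.Name;
+var teamName = $sanitize($scope.formValues.Name);
 var leaderIds = [];
 angular.forEach($scope.formValues.Leaders, function(user) {
 leaderIds.push(user.Id);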
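Review bot: `$sanitize` on new line 25 is an HTML sanitizer, so it transforms the team name instead of validating it — a name containing `&` or `<` is stored entity-encoded rather than rejected, and a plain-text name that happens to look like a tag is silently emptied, which changes what the user typed without telling them. A team name is data, not markup; the place that prevents script injection is the template's output escaping, so the safer pattern here is to compare and reject, e.g. `if (teamName !== $scope.formValues.Name) { /* report invalid name and return */ }`, or at minimum to document in a comment that the stored value is the sanitized form. The `$sanitize` injection also presumes the `ngSanitize` module is registered as a dependency of `portainer.app`, which is outside this hunk and worth confirming. The addTeam function continues past the end of the hunk.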
