
Implement whitelist

Only PDF, video, audio, image and text files can be accessed
directly.

Changes on splitter.js are because of Standard.
qgustavor committed Jun 4, 2018
1 parent a737c33 commit 42dca81916effce9f3e808e8d224951dcdc56ad5
Showing with 19 additions and 8 deletions.
  1. +2 −0 generate-mime-types.js
  2. +7 −7 src/splitter.js
  3. +10 −1 src/sw.js
@@ -3,6 +3,8 @@ const fs = require('fs')
const minifiedMimes = Object.entries(mime).reduce((result, [mime, entry]) => {
if (!entry.extensions) return result
if (!mime.match(/application\/pdf|^(video|audio|image|text)\//)) return result
if (mime === 'text/html') return result
for (let extension of entry.extensions) result[extension] = mime
return result
}, {})
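Review bot: The new filter on the `mime.match(...)` line still admits `image/svg+xml` (svg/svgz extensions, assuming `mime` is mime-db), which browsers render inline and can run script from, while only `text/html` is excluded on the line after; if the whitelist is meant to keep script-capable documents out of direct access, exclude it next to text/html, e.g. `if (mime === 'text/html' || mime === 'image/svg+xml') return result`, or document that the sandboxed CSP in sw.js is what covers it for view responses. The `application\/pdf` alternative is also unanchored, so `/^application\/pdf$|^(video|audio|image|text)\//` states the intent more precisely.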
@@ -45,7 +45,7 @@ function handleSubmit (evt) {
output.appendChild(list)
return
}
if (!result.parts) {
output.innerHTML = `This file is smaller than the part size. You can download it by this URL:<br>
<a href="${result.base}">${result.base}</a>`
@@ -124,15 +124,15 @@ function createFileList (topFile, basename) {
const filePath = basename ? basename + '/' + filename : filename
return file.directory
? createFileList(file, filePath)
: {file, filePath}
? createFileList(file, filePath)
: {file, filePath}
})
.reduce((all, sub) => all.concat(sub), [])
.sort((fileA, fileB) => fileA.filePath.localeCompare(fileB.filePath))
.reduce((all, sub) => all.concat(sub), [])
.sort((fileA, fileB) => fileA.filePath.localeCompare(fileB.filePath))
}
function handleFileClick (evt) {
location.hash = evt.target.hash
form.elements.url.value = location.hash.substr(1)
window.location.hash = evt.target.hash
form.elements.url.value = window.location.hash.substr(1)
handleSubmit(evt)
}
@@ -199,7 +199,16 @@ ${generateFileList(file, baseURL)}`
const fileName = extraArguments.name || file.name
const extension = fileName && fileName.toLowerCase().split('.').pop()
const contentType = mimeTypes[extension] || 'application/octet-stream'
const contentType = mimeTypes[extension]
// If the content type is not known then the file is blacklisted: redirect to MEGA
// (PDFs are only allowed to be viewed, not downloaded, as browsers PDF reader
// usually have less vulnerabilities than others PDF readers)
if (!contentType || (contentType === 'application/pdf' && !isView)) {
resolve(self.Response.redirect('https://mega.nz/#' + identifier, 302))
return
}
if (isView) {
if (!CSP_WHITELIST.find(type => contentType.startsWith(type))) {
headers['Content-Security-Policy'] = 'default-src none ' + requestURL + '; sandbox'
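Review bot: The new `const contentType = mimeTypes[extension]` line also resolves properties inherited from `Object.prototype`, so an extension such as `constructor` yields a truthy non-string that passes the `!contentType` whitelist check (and `contentType.startsWith` then throws in the view branch); if `mimeTypes` is the plain object that generate-mime-types.js builds, look it up as `const contentType = Object.prototype.hasOwnProperty.call(mimeTypes, extension) ? mimeTypes[extension] : undefined`. The added comment says "blacklisted" for what is a whitelist decision; `// Unknown content type means the extension is not whitelisted: redirect to MEGA` matches the logic. The enclosing function starts and ends outside the hunk.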
