fix(asset-server-plugin): Fix svg XSS vulnerability

It was discovered that a malicious SVG file containing javascript could be executed when opening the source file in a new tab. This is now mitigated by adding a Content Security Policy header to responses from the AssetServerPlugin.
vendure-ecommerce · Apr 14, 2022 · 69a4486 · 69a4486
1 parent 6050279
commit 69a4486
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/packages/asset-server-plugin/src/plugin.ts b/packages/asset-server-plugin/src/plugin.ts
@@ -212,6 +212,7 @@ export class AssetServerPlugin implements NestModule, OnApplicationBootstrap {
                     mimeType = (await fromBuffer(file))?.mime || 'application/octet-stream';
                 }
                 res.contentType(mimeType);
+                res.setHeader('content-security-policy', `default-src 'self'`);
                 res.send(file);
             } catch (e) {
                 const err = new Error('File not found');
@@ -251,6 +252,7 @@ export class AssetServerPlugin implements NestModule, OnApplicationBootstrap {
                             Logger.debug(`Saved cached asset: ${cachedFileName}`, loggerCtx);
                         }
                         res.set('Content-Type', `image/${(await image.metadata()).format}`);
+                        res.setHeader('content-security-policy', `default-src 'self'`);
                         res.send(imageBuffer);
                         return;
                     } catch (e) {