Merge pull request #1205 from DEVTomatoCake/feat/dont-send-x-powered-by

Stop sending X-Powered-By & use API CORS + BodyParser middlewares in CDN
This commit is contained in:
Puyodead1 2025-03-23 14:20:32 -04:00 committed by GitHub
commit 05520665dc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 13 additions and 25 deletions


@ -1,17 +1,17 @@
/* /*
Spacebar: A FOSS re-implementation and extension of the Discord.com backend. Spacebar: A FOSS re-implementation and extension of the Discord.com backend.
Copyright (C) 2023 Spacebar and Spacebar Contributors Copyright (C) 2023 Spacebar and Spacebar Contributors
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version. (at your option) any later version.
This program is distributed in the hope that it will be useful, This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details. GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. along with this program. If not, see <https://www.gnu.org/licenses/>.
*/ */
@ -98,6 +98,7 @@ export class SpacebarServer extends Server {
} }
this.app.set("json replacer", JSONReplacer); this.app.set("json replacer", JSONReplacer);
this.app.disable("x-powered-by");
const trustedProxies = Config.get().security.trustedProxies; const trustedProxies = Config.get().security.trustedProxies;
if (trustedProxies) this.app.set("trust proxy", trustedProxies); if (trustedProxies) this.app.set("trust proxy", trustedProxies);
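Review bot: `this.app.disable("x-powered-by");` is now written out here and again, identically, in the CDN server of this same commit; both classes extend `Server`, so the call appears to belong in the shared base wherever `this.app` is created, not in each subclass. That way a future third server (or a refactor of either `start()`) cannot silently reintroduce the header. I cannot see the base class from this hunk, so confirm it owns `this.app` before moving the line; if it does, one `this.app.disable("x-powered-by");` there replaces both copies. The enclosing method starts and ends outside the hunk.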


@ -1,17 +1,17 @@
/* /*
Spacebar: A FOSS re-implementation and extension of the Discord.com backend. Spacebar: A FOSS re-implementation and extension of the Discord.com backend.
Copyright (C) 2023 Spacebar and Spacebar Contributors Copyright (C) 2023 Spacebar and Spacebar Contributors
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version. (at your option) any later version.
This program is distributed in the hope that it will be useful, This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details. GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. along with this program. If not, see <https://www.gnu.org/licenses/>.
*/ */
@ -22,7 +22,8 @@ import path from "path";
import avatarsRoute from "./routes/avatars"; import avatarsRoute from "./routes/avatars";
import guildProfilesRoute from "./routes/guild-profiles"; import guildProfilesRoute from "./routes/guild-profiles";
import iconsRoute from "./routes/role-icons"; import iconsRoute from "./routes/role-icons";
import bodyParser from "body-parser"; import { CORS } from "../api/middlewares/CORS";
import { BodyParser } from "../api/middlewares/BodyParser";
export type CDNServerOptions = ServerOptions; export type CDNServerOptions = ServerOptions;
@ -38,24 +39,10 @@ export class CDNServer extends Server {
await Config.init(); await Config.init();
await Sentry.init(this.app); await Sentry.init(this.app);
this.app.use((req, res, next) => { this.app.disable("x-powered-by");
res.set("Access-Control-Allow-Origin", "*");
// TODO: use better CSP policy this.app.use(CORS);
res.set( this.app.use(BodyParser({ inflate: true, limit: "10mb" }));
"Content-security-policy",
"default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';",
);
res.set(
"Access-Control-Allow-Headers",
req.header("Access-Control-Request-Headers") || "*",
);
res.set(
"Access-Control-Allow-Methods",
req.header("Access-Control-Request-Methods") || "*",
);
next();
});
this.app.use(bodyParser.json({ inflate: true, limit: "10mb" }));
await registerRoutes(this, path.join(__dirname, "routes/")); await registerRoutes(this, path.join(__dirname, "routes/"));
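Review bot: The new `this.app.use(CORS);` line replaces a middleware that also set a `Content-security-policy` header on every CDN response, and nothing in this hunk shows the imported `CORS` middleware setting one, so the CDN likely now emits no CSP at all. The removed policy (`default-src *`, `'unsafe-inline'`, `'unsafe-eval'`) was too permissive to protect anything, but a CDN that serves user-uploaded files is exactly where a restrictive one matters, since an uploaded SVG or HTML file would otherwise execute script on the CDN origin. If `../api/middlewares/CORS` does not cover this, add a CDN-specific middleware right after the CORS line: `res.set("Content-Security-Policy", "default-src 'none'; sandbox"); res.set("X-Content-Type-Options", "nosniff");`. It is also worth confirming that `BodyParser({ inflate: true, limit: "10mb" })` parses only the content types the removed `bodyParser.json` did, as CDN upload routes may depend on non-JSON bodies being left untouched. The enclosing method starts and ends outside the hunk.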