From fe04c03acb889f3cc478c50e6c1e28cdb80c3d4f Mon Sep 17 00:00:00 2001
From: Thomas Miceli <27960254+thomiceli@users.noreply.github.com>
Date: Tue, 3 Feb 2026 02:11:39 +0800
Subject: [PATCH] Improve security on raw files endpoint (#613)

---
 internal/web/handlers/gist/download.go | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/internal/web/handlers/gist/download.go b/internal/web/handlers/gist/download.go
index f61a3e6..59f765f 100644
--- a/internal/web/handlers/gist/download.go
+++ b/internal/web/handlers/gist/download.go
@@ -3,6 +3,7 @@ package gist
 import (
 "archive/zip"
 "bytes"
+ "net/url"
 "strconv"
 
 "github.com/thomiceli/opengist/internal/db"
@@ -19,8 +20,23 @@ func RawFile(ctx *context.Context) error {
 if file == nil {
 return ctx.NotFound("File not found")
 }
- ctx.Response().Header().Set("Content-Type", file.MimeType.ContentType)
- ctx.Response().Header().Set("Content-Disposition", "inline; filename=\""+file.Filename+"\"")
+
+ if file.MimeType.IsSVG() {
+ ctx.Response().Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
+ } else if file.MimeType.IsPDF() {
+ ctx.Response().Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'")
+ }
+
+ if file.MimeType.CanBeEmbedded() {
+ ctx.Response().Header().Set("Content-Type", file.MimeType.ContentType)
+ } else if file.MimeType.IsText() {
+ ctx.Response().Header().Set("Content-Type", "text/plain")
+ } else {
+ ctx.Response().Header().Set("Content-Type", "application/octet-stream")
+ }
+
+ ctx.Response().Header().Set("Content-Disposition", "inline; filename=\""+url.PathEscape(file.Filename)+"\"")
+ ctx.Response().Header().Set("X-Content-Type-Options", "nosniff")
 return ctx.PlainText(200, file.Content)
 }
 
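Review bot: The `Content-Disposition` line near the end of the hunk percent-encodes the filename with `url.PathEscape`, which does keep `"`, CR and LF out of the header but is the wrong encoding for a quoted `filename=` parameter: user agents do not percent-decode it (RFC 6266 reserves that for `filename*`), so `my report.txt` is offered as `my%20report.txt` and non-ASCII names become runs of `%XX`. The standard library handles both the quoting and the `filename*` fallback: `ctx.Response().Header().Set("Content-Disposition", mime.FormatMediaType("inline", map[string]string{"filename": file.Filename}))` with `"mime"` added to the import block; it returns `""` for a name it cannot serialize, so keep the escaped form as a fallback for that case. Separately, the `Content-Security-Policy` is emitted only for SVG and PDF, while anything else that `CanBeEmbedded()` (defined elsewhere) admits is rendered on the site origin with no policy at all; unless that predicate is known to exclude HTML and other active content, sending the `sandbox` policy on every embedded response is the safer default. `DownloadFile` below repeats the same `filename=` construction and would take the same change.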
@@ -36,8 +52,9 @@ func DownloadFile(ctx *context.Context) error {
 }
 ctx.Response().Header().Set("Content-Type", file.MimeType.ContentType)
- ctx.Response().Header().Set("Content-Disposition", "attachment; filename="+file.Filename)
+ ctx.Response().Header().Set("Content-Disposition", "attachment; filename=\""+url.PathEscape(file.Filename)+"\"")
 ctx.Response().Header().Set("Content-Length", strconv.Itoa(len(file.Content)))
+ ctx.Response().Header().Set("X-Content-Type-Options", "nosniff")
 _, err = ctx.Response().Write([]byte(file.Content))
 if err != nil {
 return ctx.ErrorRes(500, "Error downloading the file", err)