claude-ceo-assistant
cbb5426fbc
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
E2E API Smoke Test / E2E API Smoke Test (pull_request) Blocked by required conditions
E2E Chat / E2E Chat (pull_request) Blocked by required conditions
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Blocked by required conditions
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Blocked by required conditions
Harness Replays / Harness Replays (pull_request) Blocked by required conditions
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
CI / Python Lint & Test (pull_request) Successful in 6s
CI / Detect changes (pull_request) Successful in 8s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 10s
E2E API Smoke Test / detect-changes (pull_request) Successful in 9s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Has been skipped
E2E Chat / detect-changes (pull_request) Successful in 9s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 15s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 40s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 12s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 12s
Harness Replays / detect-changes (pull_request) Successful in 14s
Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
gate-check-v3 / gate-check (pull_request) Successful in 8s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 1m39s
qa-review / approved (pull_request) Successful in 25s
security-review / approved (pull_request) Successful in 9s
sop-checklist / all-items-acked (pull_request) Successful in 9s
sop-checklist / review-refire (pull_request) Has been skipped
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 58s
sop-tier-check / tier-check (pull_request) Successful in 10s
audit-force-merge / audit (pull_request) Successful in 8s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Successful in 6m39s
CI / Platform (Go) (pull_request) Successful in 5m30s
CI / Shellcheck (E2E scripts) (pull_request) Has been cancelled
CI / Canvas (Next.js) (pull_request) Failing after 6m34s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / all-required (pull_request) Failing after 9m4s
105 lines
4.2 KiB
Go
105 lines
4.2 KiB
Go
package middleware
|
|
|
|
import (
|
|
"strings"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// apiPrefixes lists the URL path prefixes that are served by Go platform
|
|
// handlers (JSON/binary responses). Canvas-proxied routes (Next.js HTML) are
|
|
// everything not in this list — they require 'unsafe-inline' for hydration.
|
|
//
|
|
// Keep this in sync with the routes registered in router/router.go. A path
|
|
// not on this list gets the permissive (canvas-compatible) CSP, which is
|
|
// acceptable: adding a new API prefix here is an opt-in tightening, never a
|
|
// silent breakage.
|
|
var apiPrefixes = []string{
|
|
"/workspaces",
|
|
"/registry",
|
|
"/health",
|
|
"/admin",
|
|
"/metrics",
|
|
"/settings",
|
|
"/bundles",
|
|
"/org",
|
|
"/orgs", // #610 — per-org plugin allowlist routes
|
|
"/templates",
|
|
"/plugins",
|
|
"/webhooks",
|
|
"/channels",
|
|
"/ws",
|
|
"/events",
|
|
"/approvals",
|
|
}
|
|
|
|
// isAPIPath reports whether a URL path belongs to a Go platform handler.
|
|
// Such paths return JSON and do not need 'unsafe-inline' in their CSP.
|
|
// Canvas-proxied paths (NoRoute → Next.js) are anything not matched here.
|
|
func isAPIPath(path string) bool {
|
|
for _, prefix := range apiPrefixes {
|
|
if path == prefix || strings.HasPrefix(path, prefix+"/") {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// SecurityHeaders returns a Gin middleware that sets standard HTTP security
|
|
// headers on every response to mitigate common web-application attacks:
|
|
//
|
|
// - X-Content-Type-Options: nosniff — prevents MIME-type sniffing
|
|
// - X-Frame-Options: DENY — blocks iframe embedding (clickjacking)
|
|
// - Content-Security-Policy — two tiers (see below)
|
|
// - Strict-Transport-Security: max-age=31536000; includeSubDomains — enforces HTTPS for 1 year
|
|
// - Referrer-Policy: strict-origin-when-cross-origin — avoids leaking full paths/queries in Referer
|
|
// - Permissions-Policy: camera=(), microphone=(), geolocation=() — denies sensor access for embedded content
|
|
//
|
|
// CSP tiers (fix for #450):
|
|
//
|
|
// 1. API routes (/workspaces, /registry, /health, …) — return JSON, not HTML.
|
|
// Strict "default-src 'self'" with no unsafe directives. XSS in a JSON
|
|
// response body is not executable without being reflected into an HTML
|
|
// page, so the permissive directives would only provide false assurance.
|
|
//
|
|
// 2. Canvas-proxied routes (NoRoute → Next.js) — serve HTML with inline
|
|
// scripts required for Next.js hydration. 'unsafe-inline' is kept here
|
|
// because removing it breaks the canvas. 'unsafe-eval' was dropped after
|
|
// confirming the production build renders without it.
|
|
func SecurityHeaders() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
c.Header("X-Content-Type-Options", "nosniff")
|
|
c.Header("X-Frame-Options", "DENY")
|
|
c.Header("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
|
|
// #282: Referrer-Policy prevents browsers from leaking the full Referer
|
|
// URL to cross-origin resources (which can expose internal paths/queries).
|
|
// Permissions-Policy denies sensor access by default — especially relevant
|
|
// because the canvas embeds iframes for Langfuse traces.
|
|
c.Header("Referrer-Policy", "strict-origin-when-cross-origin")
|
|
c.Header("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
|
|
|
|
// #450: differentiate CSP by route type.
|
|
if isAPIPath(c.Request.URL.Path) {
|
|
// API routes return JSON — no inline scripts are ever needed.
|
|
// A strict CSP here is meaningful: it prevents a hypothetical
|
|
// reflected-XSS payload in an error message from executing if
|
|
// the JSON is ever mistakenly served with a text/html content-type.
|
|
c.Header("Content-Security-Policy", "default-src 'self'")
|
|
} else {
|
|
// Canvas routes (NoRoute → reverse-proxy to Next.js) serve HTML
|
|
// that requires inline script injection for React hydration.
|
|
// 'unsafe-eval' was deliberately removed — Next.js production
|
|
// builds do not require it; only the dev server does.
|
|
c.Header("Content-Security-Policy",
|
|
"default-src 'self'; "+
|
|
"script-src 'self' 'unsafe-inline'; "+
|
|
"style-src 'self' 'unsafe-inline'; "+
|
|
"img-src 'self' data: blob:; "+
|
|
"frame-src 'self' blob:; "+
|
|
"connect-src 'self' ws: wss:; "+
|
|
"font-src 'self' data:")
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|