Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 08:36:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): explicitly declare cache-control header instead of using middleware

Browse Source 
This commit reverts 1f6f389ff2
This commit is contained in:
Julian Lam
2022-03-18 11:56:16 -04:00
parent 2f2ed6c3ad
commit 38ca73c493
8 changed files with 9 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/controllers/404.js
View File

@@ -55,7 +55,6 @@ exports.send404 = async function (req, res) {
}); });
} }
await middleware.inhibitCacheAsync(req, res);
await middleware.buildHeaderAsync(req, res); await middleware.buildHeaderAsync(req, res);
await res.render('404', { await res.render('404', {
path: validator.escape(path), path: validator.escape(path),

4
src/controllers/helpers.js
View File

@@ -420,6 +420,10 @@ helpers.formatApiResponse = async (statusCode, res, payload) => {
} }
if (String(statusCode).startsWith('2')) { if (String(statusCode).startsWith('2')) {
if (res.req.loggedIn) {
res.set('cache-control', 'private');
}
res.status(statusCode).json({ res.status(statusCode).json({
status: { status: {
code: 'ok', code: 'ok',

1
src/middleware/admin.js
View File

@@ -26,7 +26,6 @@ middleware.buildHeader = helpers.try(async (req, res, next) => {
await require('./index').applyCSRFasync(req, res); await require('./index').applyCSRFasync(req, res);
} }
res.set('cache-control', 'private');
res.locals.config = await controllers.api.loadConfig(req); res.locals.config = await controllers.api.loadConfig(req);
next(); next();
}); });

4
src/middleware/header.js
View File

@@ -45,10 +45,6 @@ middleware.buildHeader = helpers.try(async (req, res, next) => {
return res.redirect('/'); return res.redirect('/');
} }
if (req.loggedIn) {
res.set('cache-control', 'private');
}
res.locals.config = config; res.locals.config = config;
next(); next();
}); });

10
src/middleware/headers.js
View File

@@ -3,7 +3,6 @@
const os = require('os'); const os = require('os');
const winston = require('winston'); const winston = require('winston');
const _ = require('lodash'); const _ = require('lodash');
const util = require('util');
const meta = require('../meta'); const meta = require('../meta');
const languages = require('../languages'); const languages = require('../languages');
@@ -109,13 +108,4 @@ module.exports = function (middleware) {
return [defaultLang]; return [defaultLang];
} }
} }
middleware.inhibitCache = (req, res, next) => {
if (req.loggedIn) {
res.set('cache-control', 'private');
}
next();
};
middleware.inhibitCacheAsync = util.promisify(middleware.inhibitCache);
}; };

4
src/middleware/render.js
View File

@@ -34,6 +34,10 @@ module.exports = function (middleware) {
options.url = (req.baseUrl + req.path.replace(/^\/api/, '')); options.url = (req.baseUrl + req.path.replace(/^\/api/, ''));
options.bodyClass = helpers.buildBodyClass(req, res, options); options.bodyClass = helpers.buildBodyClass(req, res, options);
if (req.loggedIn) {
res.set('cache-control', 'private');
}
const buildResult = await plugins.hooks.fire(`filter:${template}.build`, { req: req, res: res, templateData: options }); const buildResult = await plugins.hooks.fire(`filter:${template}.build`, { req: req, res: res, templateData: options });
if (res.headersSent) { if (res.headersSent) {
return; return;

1
src/routes/helpers.js
View File

@@ -18,7 +18,6 @@ function _handleArgs(middleware, middlewares, controller) {
middleware.authenticateRequest, middleware.authenticateRequest,
middleware.maintenanceMode, middleware.maintenanceMode,
middleware.registrationComplete, middleware.registrationComplete,
middleware.inhibitCache,
middleware.pluginHooks, middleware.pluginHooks,
...middlewares, ...middlewares,
]; ];

2
test/middleware.js
View File

@@ -100,7 +100,7 @@ describe('Middlewares', () => {
}); });
}); });
describe('.inhibitCache (cache-control header)', () => { describe('cache-control header', () => {
let uid; let uid;
let jar; let jar;