From af6678decc6166f388d6e62edcb1407d2ce08f83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?William=20Herg=C3=A8s?=
Date: Sun, 5 Oct 2025 14:31:20 +0200
Subject: feat(security): integrity on link and script

---
 backend/data.go | 50 ++++++++++++++++++++++++++++++++++++++++-----
 backend/router.go | 4 +++-
 backend/templates/base.html | 4 ++--
 3 files changed, 50 insertions(+), 8 deletions(-)
(limited to 'backend')

diff --git a/backend/data.go b/backend/data.go
index 241f47a..a1b2dba 100644
--- a/backend/data.go
+++ b/backend/data.go
@@ -1,8 +1,14 @@
 package backend
 
 import (
+ "context"
+ "crypto/sha256"
+ "encoding/base64"
 "fmt"
 "html/template"
+ "io"
+ "io/fs"
+ "log/slog"
 "math/rand"
 "net/http"
 "regexp"
@@ -75,11 +81,8 @@ func (d *data) handleGeneric(w http.ResponseWriter, r *http.Request, name string
 }
 return fmt.Sprintf("https://%s/static/%s", cfg.Domain, path)
 },
- "assets": func(path string) string {
- if regexIsHttp.MatchString(path) {
- return path
- }
- return fmt.Sprintf("/assets/%s", path)
+ "asset": func(path string) *assetData {
+ return getAsset(r.Context(), path)
 },
 "next": func(i int) int { return i + 1 },
 "before": func(i int) int { return i - 1 },
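Review bot: The template function is renamed from `assets` to `asset` and its result changes from a string to `*assetData`, so any template other than base.html that still calls `assets`, or uses the old string result directly in an attribute, will fail when the FuncMap is applied or at render time; only base.html is touched by this patch, so the remaining files under `templates/` should be checked. The new closure also calls `getAsset(r.Context(), path)` on every render of every page, which means the hashing work in `getAsset` (and, for remote URLs, a network fetch) is repeated per request; a per-path cache populated once at startup would keep this to a map lookup. `handleGeneric` starts before this hunk and continues after it.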
@@ -125,3 +128,40 @@ func getStatic(path string) string {
 }
 return fmt.Sprintf("/static/%s", path)
 }
+
+type assetData struct {
+ Src string
+ Checksum string
+}
+
+func getAsset(ctx context.Context, path string) *assetData {
+ var asset assetData
+ var b []byte
+ var err error
+ if regexIsHttp.MatchString(path) {
+ asset.Src = path
+ resp, err := http.Get(path)
+ if err != nil {
+ slog.Warn("get remote asset", "error", err)
+ return &asset
+ }
+ defer resp.Body.Close()
+ b, err = io.ReadAll(resp.Body)
+ if err != nil {
+ slog.Warn("read remote asset", "error", err)
+ return &asset
+ }
+ } else {
+ asset.Src = fmt.Sprintf("/assets/%s", path)
+ aFS := ctx.Value(assetsFS).(fs.FS)
+ b, err = fs.ReadFile(aFS, path)
+ if err != nil {
+ slog.Warn("read asset", "error", err)
+ return &asset
+ }
+ }
+ sum := sha256.Sum256(b)
+ checksum := base64.StdEncoding.EncodeToString(sum[:])
+ asset.Checksum = fmt.Sprintf("sha256-%s", checksum)
+ return &asset
+}
diff --git a/backend/router.go b/backend/router.go
index 01b8a07..65514ea 100644
--- a/backend/router.go
+++ b/backend/router.go
@@ -19,6 +19,7 @@ const (
 Version = "0.2.0"
 configKey = "config"
 isUpdateKey = "is_update"
+ assetsFS = "assets_fs"
 )
 
 //go:embed templates
@@ -43,7 +44,7 @@ func SetupLogger(debug bool) {
 slog.SetDefault(logger)
 }
 
-func NewRouter(debug bool, cfg *Config) *chi.Mux {
+func NewRouter(debug bool, cfg *Config, assets fs.FS) *chi.Mux {
 r := chi.NewRouter()
 
 logLevel := slog.LevelWarn
@@ -67,6 +68,7 @@ func NewRouter(debug bool, cfg *Config) *chi.Mux {
 r.Use(func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 ctx := context.WithValue(r.Context(), configKey, cfg)
+ ctx = context.WithValue(ctx, assetsFS, assets)
 next.ServeHTTP(w, r.WithContext(ctx))
 })
 })
diff --git a/backend/templates/base.html b/backend/templates/base.html
index e56341b..cf0d834 100644
--- a/backend/templates/base.html
+++ b/backend/templates/base.html
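Review bot: Computing the SRI hash at request time from the very response it is meant to guard (the `http.Get(path)` branch of `getAsset`) gives no integrity protection for remote assets: if the remote host ever serves altered content, the hash is simply recomputed to match it, so the `integrity` value for remote sources should be pinned at build or deploy time (or computed once at startup and kept), not derived on every render. The fetch also ignores `ctx`, uses the default client with no timeout, reads the body without a bound and never checks `resp.StatusCode`, so a slow or failing remote stalls every page render and a 404 body gets hashed; the rewrite below builds the request with the context, rejects non-200 responses and bounds the read (the client with a `Timeout` and the size bound are to be declared once at package scope). `aFS := ctx.Value(assetsFS).(fs.FS)` is an unchecked assertion that panics the request if the handler ever runs without the middleware that sets the key; use `aFS, ok := ctx.Value(assetsFS).(fs.FS)` and return the unhashed asset when `!ok`. The local branch likewise reads and hashes the embedded file on every request; a per-path cache filled at startup would make both branches a map lookup.
```go
func getAsset(ctx context.Context, path string) *assetData {
	// … unchanged: declarations …
	if regexIsHttp.MatchString(path) {
		asset.Src = path
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, path, nil)
		if err != nil {
			slog.Warn("build remote asset request", "error", err)
			return &asset
		}
		resp, err := assetClient.Do(req) // assetClient: *http.Client with Timeout set, declared once at package scope
		if err != nil {
			slog.Warn("get remote asset", "error", err)
			return &asset
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			slog.Warn("get remote asset", "status", resp.StatusCode)
			return &asset
		}
		b, err = io.ReadAll(io.LimitReader(resp.Body, maxAssetBytes)) // maxAssetBytes: upper bound to choose
		if err != nil {
			slog.Warn("read remote asset", "error", err)
			return &asset
		}
	} else {
		// … unchanged: local-asset branch …
	}
	// … unchanged: hashing and return …
}
```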
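Review bot: The asset filesystem stored on the request context in the middleware hunk (`ctx = context.WithValue(ctx, assetsFS, assets)`) is process-wide configuration rather than request-scoped data, and `assetsFS` is an untyped string key, which staticcheck flags (SA1029) because any other package can collide with it; this mirrors the existing `configKey`, so it follows file convention, but a field on the `data` receiver that `handleGeneric` already has would remove both the context round-trip and the type assertion on the reading side. The `NewRouter` signature change in the hunk above requires every caller to pass the new `assets fs.FS`; this patch is limited to `backend`, so callers elsewhere in the repository should be confirmed as updated. No import change is shown for router.go even though the new signature uses `fs.FS`, so `io/fs` must already be imported there — its import block is outside this diff and worth confirming.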
@@ -4,7 +4,7 @@ {{ .Title }} - + {{ $styles := asset "styles.css" }} @@ -37,6 +37,6 @@

« {{ .Quote }} »

Mentions légales, code source.

- +{{ $script := asset "index.js" }} -- cgit v1.2.3
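Review bot: For a remote (cross-origin) source, an `integrity` attribute only takes effect when the tag also carries `crossorigin="anonymous"` and the remote server answers with an `Access-Control-Allow-Origin` header; without both, the browser refuses to load the resource. The markup of these two hunks is not readable in this rendering, so verify that the `<link>` and `<script>` tags built from `$styles` and `$script` include the attribute whenever `.Src` is a remote URL. Consider also what is emitted when `.Checksum` is empty, which is what the Go side returns after a failed fetch or read: an empty `integrity` attribute is treated as no metadata, so the page would silently load the asset unverified; omitting the attribute explicitly in that case, or failing the render, would make the condition visible.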