use csp headers for swagger resources

wireapp · Sep 19, 2022 · 9649314 · 9649314
1 parent 45e051e
commit 9649314
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 3 deletions.
diff --git a/backend/src/main/java/com/wire/bots/roman/Application.java b/backend/src/main/java/com/wire/bots/roman/Application.java
@@ -19,11 +19,17 @@
 
 import com.wire.bots.roman.commands.UpdateCertCommand;
 import com.wire.bots.roman.filters.BackendAuthenticationFilter;
+import com.wire.bots.roman.filters.CspResponseFilter;
 import com.wire.bots.roman.filters.ProxyAuthenticationFilter;
 import com.wire.bots.roman.filters.ServiceAuthenticationFilter;
 import com.wire.bots.roman.filters.ServiceTokenAuthenticationFilter;
 import com.wire.bots.roman.model.Config;
-import com.wire.bots.roman.resources.*;
+import com.wire.bots.roman.resources.BroadcastResource;
+import com.wire.bots.roman.resources.ConversationResource;
+import com.wire.bots.roman.resources.MessagesResource;
+import com.wire.bots.roman.resources.ProviderResource;
+import com.wire.bots.roman.resources.ServiceResource;
+import com.wire.bots.roman.resources.UsersResource;
 import com.wire.lithium.ClientRepo;
 import com.wire.lithium.Server;
 import com.wire.xenon.MessageHandlerBase;
@@ -32,12 +38,12 @@
 import io.dropwizard.bundles.assets.ConfiguredAssetsBundle;
 import io.dropwizard.setup.Bootstrap;
 import io.dropwizard.setup.Environment;
-import io.dropwizard.util.Strings;
 import io.dropwizard.websockets.WebsocketBundle;
 import io.jsonwebtoken.security.Keys;
 import org.eclipse.jetty.servlets.CrossOriginFilter;
 
-import javax.servlet.*;
+import javax.servlet.DispatcherType;
+import javax.servlet.FilterRegistration;
 import java.security.Key;
 import java.util.EnumSet;
 import java.util.concurrent.ExecutorService;
@@ -81,6 +87,7 @@ protected void registerFeatures() {
         environment.jersey().register(ServiceAuthenticationFilter.ServiceAuthenticationFeature.class);
         environment.jersey().register(ServiceTokenAuthenticationFilter.ServiceTokenAuthenticationFeature.class);
         environment.jersey().register(BackendAuthenticationFilter.BackendAuthenticationFeature.class);
+        environment.jersey().register(CspResponseFilter.class);
     }
 
     @Override

diff --git a/backend/src/main/java/com/wire/bots/roman/filters/CspResponseFilter.java b/backend/src/main/java/com/wire/bots/roman/filters/CspResponseFilter.java
@@ -0,0 +1,20 @@
+package com.wire.bots.roman.filters;
+
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerResponseContext;
+import javax.ws.rs.container.ContainerResponseFilter;
+
+public class CspResponseFilter implements ContainerResponseFilter {
+
+    @Override
+    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) {
+        // this is going to be
+        // swagger.json, swagger-static, swagger-ui and all other assets
+        if (requestContext.getUriInfo().getPath().contains("swagger")) {
+            responseContext.getHeaders().add("Content-Security-Policy",
+                    "default-src 'self'; connect-src 'self'; media-src data:; img-src 'self' data:; " +
+                            "style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';");
+        }
+    }
+
+}