From e97206077cad87a325ec724fff3a3596b7408649 Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Fri, 4 Nov 2022 09:26:45 +0100
Subject: [PATCH] Add CSP Policy for pictures

Signed-off-by: Thomas Citharel
---
 lib/service/pictures/provider.ex | 8 ++++++--
 lib/service/pictures/unsplash.ex | 12 +++++++++++-
 lib/web/plugs/http_security_plug.ex | 9 ++++++---
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/lib/service/pictures/provider.ex b/lib/service/pictures/provider.ex
index 87f24508..4ef022bd 100644
--- a/lib/service/pictures/provider.ex
+++ b/lib/service/pictures/provider.ex
@@ -29,8 +29,12 @@ defmodule Mobilizon.Service.Pictures.Provider do
 iex> search("London")
 %Information{url: "https://some_url_to.a/picture.jpeg", author: %{name: "An author", url: "https://url.to/profile"}, source: %{name: "The source name", url: "The source URL" }}
 """
- @callback search(location :: String.t(), options :: keyword) ::
- [Information.t()]
+ @callback search(location :: String.t(), options :: keyword) :: Information.t()
+
+ @doc """
+ The CSP configuration to add for the service to work
+ """
+ @callback csp() :: keyword()
 
 @spec endpoint(atom()) :: String.t()
 def endpoint(provider) do
diff --git a/lib/service/pictures/unsplash.ex b/lib/service/pictures/unsplash.ex
index 2a6b2f1b..307ef292 100644
--- a/lib/service/pictures/unsplash.ex
+++ b/lib/service/pictures/unsplash.ex
@@ -16,7 +16,7 @@ defmodule Mobilizon.Service.Pictures.Unsplash do
 @doc """
 Unsplash implementation for `c:Mobilizon.Service.Geospatial.Provider.geocode/3`.
 """
- @spec search(String.t(), keyword()) :: list(Information.t())
+ @spec search(String.t(), keyword()) :: Information.t()
 def search(location, _options \\ []) do
 url = "#{unsplash_endpoint()}#{@unsplash_api}?query=#{location}&orientation=landscape"
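Review bot: The @doc on the new `csp/0` callback in provider.ex gives no return shape, so an implementer has to read `HTTPSecurityPlug` to learn which keys and values are expected. The only consumer in this patch does `Keyword.get(Pictures.service().csp(), type, [])` and joins the result into the response header, so a keyword list keyed by the directive atoms the plug passes as `type` appears to be the contract; I would write the doc as `Extra Content-Security-Policy sources the provider needs, as a keyword list keyed by the same directive atoms Mobilizon.Web.Plugs.HTTPSecurityPlug passes as type; return [] when no extra sources are required.` Because every value returned here lands verbatim in the policy header, the doc should also state that the sources must come from trusted configuration rather than from anything obtained from the remote provider at runtime.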
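Review bot: The @doc directly above the corrected `@spec` in unsplash.ex still says this function implements `c:Mobilizon.Service.Geospatial.Provider.geocode/3`, which is the geocoding behaviour, not the `Mobilizon.Service.Pictures.Provider.search/2` callback whose return type the hunk aligns to; ExDoc will most likely report the reference as unresolvable. Since the return type is being fixed here anyway, the sentence should be fixed in the same commit: `Unsplash implementation for `c:Mobilizon.Service.Pictures.Provider.search/2`.` The body of `search/2` continues outside the hunk.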
@@ -42,6 +42,16 @@ defmodule Mobilizon.Service.Pictures.Unsplash do
 end
 end
 
+ @impl Provider
+ @doc """
+ Returns the CSP configuration for this search provider to work
+ """
+ def csp do
+ :mobilizon
+ |> Application.get_env(__MODULE__, [])
+ |> Keyword.get(:csp_policy, [])
+ end
+
 defp unsplash_app_name do
 Application.get_env(:mobilizon, __MODULE__) |> get_in([:app_name])
 end
diff --git a/lib/web/plugs/http_security_plug.ex b/lib/web/plugs/http_security_plug.ex
index 082507a2..693b6422 100644
--- a/lib/web/plugs/http_security_plug.ex
+++ b/lib/web/plugs/http_security_plug.ex
@@ -9,8 +9,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
 """
 
 alias Mobilizon.Config
- alias Mobilizon.Service.FrontEndAnalytics
- alias Mobilizon.Service.GlobalSearch
+ alias Mobilizon.Service.{FrontEndAnalytics, GlobalSearch, Pictures}
 
 import Plug.Conn
 require Logger
@@ -142,7 +141,11 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
 config_policy = Keyword.get(options, type, Config.get([:http_security, :csp_policy, type]))
 front_end_analytics_policy = [Keyword.get(FrontEndAnalytics.csp(), type, [])]
 global_search_policy = [Keyword.get(GlobalSearch.service().csp(), type, [])]
+ pictures_policy = [Keyword.get(Pictures.service().csp(), type, [])]
 
- Enum.join(config_policy ++ front_end_analytics_policy ++ global_search_policy, " ")
+ Enum.join(
+ config_policy ++ front_end_analytics_policy ++ global_search_policy ++ pictures_policy,
+ " "
+ )
 end
 end
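Review bot: `csp/0` hands back whatever sits under the `:csp_policy` key of this module's `:mobilizon` config, and its @doc ("Returns the CSP configuration for this search provider to work") says neither where the value comes from nor that it is inserted into the Content-Security-Policy header unchanged by `HTTPSecurityPlug`. I would document it as `Returns extra Content-Security-Policy sources for the Unsplash image host, read from the :csp_policy key of this module's :mobilizon application config; defaults to [] when unset.` When the config is entirely absent the pipeline already yields `[]`, but if an operator sets the key to a map or a bare string, `Keyword.get/3` in the plug raises a FunctionClauseError on the first request rather than at boot; a `when is_list(policy)` match on the result here, or a `Keyword.keyword?/1` assertion, would surface the misconfiguration earlier and closer to its cause.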
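Review bot: `pictures_policy` copies the existing pattern of wrapping a provider's value in a one-element list before `Enum.join/2`, and that pattern quietly misbehaves if a provider's `csp/0` returns a list of source expressions for a directive: `Enum.join/2` calls `to_string/1` on each element, and for a nested list of binaries that concatenates them with no separator (`to_string(["a", "b"])` is `"ab"`), so two intended allow-list entries become one unrecognised token and the header ends up denying what it was meant to allow. A single binary per directive works, but nothing in the `keyword()` spec of the new callback pins that down. `List.wrap/1` accepts both shapes and also drops the empty-string artefact that the current `[[]]` default leaves in the joined header: `pictures_policy = List.wrap(Keyword.get(Pictures.service().csp(), type, []))`, with the same change applied to the two lines above it. The enclosing function starts outside the hunk.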