diff --git a/packages/app/package.json b/packages/app/package.json
index 74625ea5641..f07d31cdaef 100644
--- a/packages/app/package.json
+++ b/packages/app/package.json
@@ -96,7 +96,8 @@
 "express-webpack-assets": "^0.1.0",
 "graceful-fs": "^4.1.11",
 "growi-commons": "^5.0.4",
- "helmet": "^3.13.0",
+ "helmet": "^4.6.0",
+ "nocache": "^3.0.1",
 "http-errors": "~1.6.2",
 "i18next": "^20.3.2",
 "i18next-express-middleware": "^2.0.0",
diff --git a/packages/app/src/server/crowi/express-init.js b/packages/app/src/server/crowi/express-init.js
index 218850ae66b..f4f5b9efc5b 100644
--- a/packages/app/src/server/crowi/express-init.js
+++ b/packages/app/src/server/crowi/express-init.js
@@ -53,7 +53,12 @@ module.exports = function(crowi, app) {
 nsSeparator: '::',
 });
- app.use(helmet());
+ app.use(helmet({
+ contentSecurityPolicy: false,
+ expectCt: false,
+ referrerPolicy: false,
+ permittedCrossDomainPolicies: false,
+ }));
 app.use((req, res, next) => {
 const now = new Date();
diff --git a/packages/app/src/server/routes/apiv3/healthcheck.js b/packages/app/src/server/routes/apiv3/healthcheck.js
index 338a32276f8..60e2936e292 100644
--- a/packages/app/src/server/routes/apiv3/healthcheck.js
+++ b/packages/app/src/server/routes/apiv3/healthcheck.js
@@ -6,7 +6,7 @@ const express = require('express');
 const router = express.Router();
-const helmet = require('helmet');
+const noCache = require('nocache');
 const ErrorV3 = require('../../models/vo/error-apiv3');
 /**
@@ -122,7 +122,7 @@ module.exports = (crowi) => {
 * info:
 * $ref: '#/components/schemas/HealthcheckInfo'
 */
- router.get('/', helmet.noCache(), async(req, res) => {
+ router.get('/', noCache(), async(req, res) => {
 let checkServices = req.query.checkServices || [];
 let isStrictly = req.query.strictly != null;
diff --git a/packages/app/src/server/routes/apiv3/search.js b/packages/app/src/server/routes/apiv3/search.js
index 4e632de750c..e1bf1956fa3 100644
--- a/packages/app/src/server/routes/apiv3/search.js
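Review bot: The four options disabled in the new `helmet({...})` call in express-init.js carry no comment saying why, and the identical set is repeated in `packages/slackbot-proxy/src/Server.ts`. helmet 4 enables `contentSecurityPolicy`, `expectCt`, `referrerPolicy` and `permittedCrossDomainPolicies` by default where helmet 3 did not, so switching off exactly those four reads as a deliberate choice to keep the response headers unchanged across the major upgrade rather than a per-header security decision; if that is the intent, record it in place, e.g. `// helmet 4 turns these on by default; kept off to preserve the helmet 3 header set until each header is evaluated for this app`. Of the four, `Referrer-Policy` and `X-Permitted-Cross-Domain-Policies` are the cheapest to adopt later and deserve a tracked follow-up, while CSP needs a policy written for the app's own script and style sources before it can be enabled. The enclosing `module.exports` function starts and ends outside the hunk.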
+++ b/packages/app/src/server/routes/apiv3/search.js
@@ -7,7 +7,7 @@ const { body } = require('express-validator');
 const router = express.Router();
-const helmet = require('helmet');
+const noCache = require('nocache');
 const ErrorV3 = require('../../models/vo/error-apiv3');
@@ -41,7 +41,7 @@ module.exports = (crowi) => {
 * info:
 * type: object
 */
- router.get('/indices', helmet.noCache(), accessTokenParser, loginRequired, adminRequired, async(req, res) => {
+ router.get('/indices', noCache(), accessTokenParser, loginRequired, adminRequired, async(req, res) => {
 const { searchService } = crowi;
 if (!searchService.isConfigured) {
diff --git a/packages/app/src/server/routes/apiv3/statistics.js b/packages/app/src/server/routes/apiv3/statistics.js
index 4532e29d376..13fd06d5a9a 100644
--- a/packages/app/src/server/routes/apiv3/statistics.js
+++ b/packages/app/src/server/routes/apiv3/statistics.js
@@ -6,7 +6,7 @@ const express = require('express');
 const router = express.Router();
-const helmet = require('helmet');
+const noCache = require('nocache');
 const USER_STATUS_MASTER = {
 1: 'registered',
@@ -97,7 +97,7 @@ module.exports = (crowi) => {
 * type: object
 * description: Statistics for all user
 */
- router.get('/user', helmet.noCache(), async(req, res) => {
+ router.get('/user', noCache(), async(req, res) => {
 const data = req.user == null ? await getUserStatisticsForNotLoggedIn() : await getUserStatistics();
 res.status(200).send({ data });
 });
diff --git a/packages/slackbot-proxy/src/Server.ts b/packages/slackbot-proxy/src/Server.ts
index c2b4ab7b0b9..8fa682f644d 100644
--- a/packages/slackbot-proxy/src/Server.ts
+++ b/packages/slackbot-proxy/src/Server.ts
@@ -42,7 +42,12 @@ const connectionOptions: ConnectionOptions = {
 } as ConnectionOptions;
 const swaggerSettings = isProduction ? swaggerSettingsForProd : swaggerSettingsForDev;
-const helmetOptions = isProduction ? {} : {
+const helmetOptions = isProduction ? {
+ contentSecurityPolicy: false,
+ expectCt: false,
+ referrerPolicy: false,
+ permittedCrossDomainPolicies: false,
+} : {
 contentSecurityPolicy: {
 directives: {
 defaultSrc: ['\'self\''],
@@ -51,6 +56,9 @@ const helmetOptions = isProduction ? {} : {
 scriptSrc: ['\'self\'', 'https: \'unsafe-inline\''],
 },
 },
+ expectCt: false,
+ referrerPolicy: false,
+ permittedCrossDomainPolicies: false,
 };
 @Configuration({
diff --git a/yarn.lock b/yarn.lock
index 1c88bf70ec2..acff79e3582 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -4970,7 +4970,7 @@ camelcase@^6.2.0: resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-6.2.0.tgz#924af881c9d525ac9d87f40d964e5cea982a1809" integrity sha512-c7wVvbw3f37nuobQNtgsgG9POC9qMbNuMQmTCqZv23b6MIz0fcYpBiOlv9gEN/hdLdnZTDQhg6e9Dq5M1vKvfg== -camelize@1.0.0, camelize@^1.0.0: +camelize@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/camelize/-/camelize-1.0.0.tgz#164a5483e630fa4321e5af07020e531831b2609b" @@ -5835,10 +5835,6 @@ content-disposition@0.5.3: dependencies: safe-buffer "5.1.2" -content-security-policy-builder@2.0.0: - version "2.0.0" - resolved "https://registry.yarnpkg.com/content-security-policy-builder/-/content-security-policy-builder-2.0.0.tgz#8749a1d542fcbe82237281ea9f716ce68b394dd2" - content-type@~1.0.4: version "1.0.4" resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.4.tgz#e138cc75e040c727b1966fe5e5f8c9aee256fe3b"
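Review bot: The `expectCt`, `referrerPolicy` and `permittedCrossDomainPolicies` flags are now written out twice, once per branch of the `isProduction` ternary, so the two branches will drift the next time a header is tuned, even though only `contentSecurityPolicy` actually differs between them. Keeping one object and making CSP the only conditional field removes the duplication and makes it visible that production runs with no CSP while development enforces one — an inversion of the usual strict-in-production posture that deserves a comment of its own if it is intentional (presumably the helmet 4 default policy did not suit this service, but the hunk does not say). The `swaggerSettings` ternary on the line above already follows this "vary only the differing piece" shape. The second hunk of this file adds the same three flags to the development branch and is covered by the same rewrite.
```typescript
const helmetOptions = {
  // Only CSP differs by environment; the remaining helmet 4 defaults are kept
  // off in both until each header has been evaluated for this service.
  expectCt: false,
  referrerPolicy: false,
  permittedCrossDomainPolicies: false,
  contentSecurityPolicy: isProduction ? false : {
    directives: {
      // … unchanged: defaultSrc / scriptSrc directives …
    },
  },
};
```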
@@ -6475,10 +6471,6 @@ dashdash@^1.12.0, dashdash@^1.14.0: dependencies: assert-plus "^1.0.0" -dasherize@2.0.0: - version "2.0.0" - resolved "https://registry.yarnpkg.com/dasherize/-/dasherize-2.0.0.tgz#6d809c9cd0cf7bb8952d80fc84fa13d47ddb1308" - data-urls@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/data-urls/-/data-urls-2.0.0.tgz#156485a72963a970f5d5821aaf642bef2bf2db9b" @@ -6825,10 +6817,6 @@ dir-glob@^3.0.1: dependencies: path-type "^4.0.0" -dns-prefetch-control@0.1.0: - version "0.1.0" - resolved "https://registry.yarnpkg.com/dns-prefetch-control/-/dns-prefetch-control-0.1.0.tgz#60ddb457774e178f1f9415f0cabb0e85b0b300b2" - doctrine@3.0.0, doctrine@^3.0.0: version "3.0.0" resolved "https://registry.yarnpkg.com/doctrine/-/doctrine-3.0.0.tgz#addebead72a6574db783639dc87a121773973961" @@ -6905,10 +6893,6 @@ domutils@^1.5.1: dom-serializer "0" domelementtype "1" -dont-sniff-mimetype@1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/dont-sniff-mimetype/-/dont-sniff-mimetype-1.0.0.tgz#5932890dc9f4e2f19e5eb02a20026e5e5efc8f58" - dot-case@^3.0.4: version "3.0.4" resolved "https://registry.yarnpkg.com/dot-case/-/dot-case-3.0.4.tgz#9b2b670d00a431667a8a75ba29cd1b98809ce751" @@ -7947,10 +7931,6 @@ expand-tilde@^2.0.0, expand-tilde@^2.0.2: dependencies: homedir-polyfill "^1.0.1" -expect-ct@0.1.1: - version "0.1.1" - resolved "https://registry.yarnpkg.com/expect-ct/-/expect-ct-0.1.1.tgz#de84476a2dbcb85000d5903737e9bc8a5ba7b897" - expect@^27.0.6: version "27.0.6" resolved "https://registry.yarnpkg.com/expect/-/expect-27.0.6.tgz#a4d74fbe27222c718fff68ef49d78e26a8fd4c05" @@ -8649,10 +8629,6 @@ fragment-cache@^0.2.1: dependencies: map-cache "^0.2.2" -frameguard@3.0.0: - version "3.0.0" - resolved "https://registry.yarnpkg.com/frameguard/-/frameguard-3.0.0.tgz#7bcad469ee7b96e91d12ceb3959c78235a9272e9" - fresh@0.5.2, fresh@^0.5.2: version "0.5.2" resolved "https://registry.yarnpkg.com/fresh/-/fresh-0.5.2.tgz#3d8cadd90d976569fa835ab1f8e4b23a105605a7" 
@@ -9580,37 +9556,6 @@ header-case@^2.0.4: capital-case "^1.0.4" tslib "^2.0.3" -helmet-crossdomain@0.3.0: - version "0.3.0" - resolved "https://registry.yarnpkg.com/helmet-crossdomain/-/helmet-crossdomain-0.3.0.tgz#707e2df930f13ad61f76ed08e1bb51ab2b2e85fa" - -helmet-csp@2.7.1: - version "2.7.1" - resolved "https://registry.yarnpkg.com/helmet-csp/-/helmet-csp-2.7.1.tgz#e8e0b5186ffd4db625cfcce523758adbfadb9dca" - dependencies: - camelize "1.0.0" - content-security-policy-builder "2.0.0" - dasherize "2.0.0" - platform "1.3.5" - -helmet@^3.13.0: - version "3.13.0" - resolved "https://registry.yarnpkg.com/helmet/-/helmet-3.13.0.tgz#d6d46763538f77b437be77f06d0af42078b2c656" - dependencies: - dns-prefetch-control "0.1.0" - dont-sniff-mimetype "1.0.0" - expect-ct "0.1.1" - frameguard "3.0.0" - helmet-crossdomain "0.3.0" - helmet-csp "2.7.1" - hide-powered-by "1.0.0" - hpkp "2.0.0" - hsts "2.1.0" - ienoopen "1.0.0" - nocache "2.0.0" - referrer-policy "1.1.0" - x-xss-protection "1.1.0" - helmet@^4.6.0: version "4.6.0" resolved "https://registry.yarnpkg.com/helmet/-/helmet-4.6.0.tgz#579971196ba93c5978eb019e4e8ec0e50076b4df" @@ -9620,10 +9565,6 @@ hex-color-regex@^1.1.0: version "1.1.0" resolved "https://registry.yarnpkg.com/hex-color-regex/-/hex-color-regex-1.1.0.tgz#4c06fccb4602fe2602b3c93df82d7e7dbf1a8a8e" -hide-powered-by@1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/hide-powered-by/-/hide-powered-by-1.0.0.tgz#4a85ad65881f62857fc70af7174a1184dccce32b" - highlight.js@9.18.1: version "9.18.1" resolved "https://registry.yarnpkg.com/highlight.js/-/highlight.js-9.18.1.tgz#ed21aa001fe6252bb10a3d76d47573c6539fe13c" 
@@ -9679,10 +9620,6 @@ hosted-git-info@^4.0.1: dependencies: lru-cache "^6.0.0" -hpkp@2.0.0: - version "2.0.0" - resolved "https://registry.yarnpkg.com/hpkp/-/hpkp-2.0.0.tgz#10e142264e76215a5d30c44ec43de64dee6d1672" - hsl-regex@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/hsl-regex/-/hsl-regex-1.0.0.tgz#d49330c789ed819e276a4c0d272dffa30b18fe6e" @@ -9691,10 +9628,6 @@ hsla-regex@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/hsla-regex/-/hsla-regex-1.0.0.tgz#c1ce7a3168c8c6614033a4b5f7877f3b225f9c38" -hsts@2.1.0: - version "2.1.0" - resolved "https://registry.yarnpkg.com/hsts/-/hsts-2.1.0.tgz#cbd6c918a2385fee1dd5680bfb2b3a194c0121cc" - html-comment-regex@^1.1.0: version "1.1.1" resolved "https://registry.yarnpkg.com/html-comment-regex/-/html-comment-regex-1.1.1.tgz#668b93776eaae55ebde8f3ad464b307a4963625e" @@ -9929,10 +9862,6 @@ ieee754@^1.1.4: version "1.1.8" resolved "https://registry.yarnpkg.com/ieee754/-/ieee754-1.1.8.tgz#be33d40ac10ef1926701f6f08a2d86fbfd1ad3e4" -ienoopen@1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/ienoopen/-/ienoopen-1.0.0.tgz#346a428f474aac8f50cf3784ea2d0f16f62bda6b" - iferr@^0.1.5: version "0.1.5" resolved "https://registry.yarnpkg.com/iferr/-/iferr-0.1.5.tgz#c60eed69e6d8fdb6b3104a1fcbca1c192dc5b501" @@ -13292,9 +13221,10 @@ no-case@^3.0.4: lower-case "^2.0.2" tslib "^2.0.3" -nocache@2.0.0: - version "2.0.0" - resolved "https://registry.yarnpkg.com/nocache/-/nocache-2.0.0.tgz#202b48021a0c4cbde2df80de15a17443c8b43980" +nocache@^3.0.1: + version "3.0.1" + resolved "https://registry.yarnpkg.com/nocache/-/nocache-3.0.1.tgz#54d8b53a7e0a0aa1a288cfceab8a3cefbcde67d4" + integrity sha512-Gh39xwJwBKy0OvFmWfBs/vDO4Nl7JhnJtkqNP76OUinQz7BiMoszHYrIDHHAaqVl/QKVxCEy4ZxC/XZninu7nQ== node-dev@^4.0.0: version "4.0.0" 
@@ -14908,10 +14838,6 @@ plantuml-encoder@^1.2.5: pako "1.0.3" utf8-bytes "0.0.1" -platform@1.3.5: - version "1.3.5" - resolved "https://registry.yarnpkg.com/platform/-/platform-1.3.5.tgz#fb6958c696e07e2918d2eeda0f0bc9448d733444" - pluralize@^8.0.0: version "8.0.0" resolved "https://registry.yarnpkg.com/pluralize/-/pluralize-8.0.0.tgz#1a6fa16a38d12a1901e0320fa017051c539ce3b1" @@ -16592,10 +16518,6 @@ redux@^4.0.4: loose-envify "^1.4.0" symbol-observable "^1.2.0" -referrer-policy@1.1.0: - version "1.1.0" - resolved "https://registry.yarnpkg.com/referrer-policy/-/referrer-policy-1.1.0.tgz#35774eb735bf50fb6c078e83334b472350207d79" - reflect-metadata@^0.1.13: version "0.1.13" resolved "https://registry.yarnpkg.com/reflect-metadata/-/reflect-metadata-0.1.13.tgz#67ae3ca57c972a2aa1642b10fe363fe32d49dc08" @@ -20633,10 +20555,6 @@ x-is-string@^0.1.0: resolved "https://registry.yarnpkg.com/x-is-string/-/x-is-string-0.1.0.tgz#474b50865af3a49a9c4657f05acd145458f77d82" integrity sha1-R0tQhlrzpJqcRlfwWs0UVFj3fYI= -x-xss-protection@1.1.0: - version "1.1.0" - resolved "https://registry.yarnpkg.com/x-xss-protection/-/x-xss-protection-1.1.0.tgz#4f1898c332deb1e7f2be1280efb3e2c53d69c1a7" - xdg-basedir@^3.0.0: version "3.0.0" resolved "https://registry.yarnpkg.com/xdg-basedir/-/xdg-basedir-3.0.0.tgz#496b2cc109eca8dbacfe2dc72b603c17c5870ad4"