diff --git a/.jules/sentinel.md b/.jules/sentinel.md index 6c61284..562a191 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -22,3 +22,7 @@ **Vulnerability:** Defense in Depth (CSP Missing) **Learning:** Even when inputs are properly escaped, statically generated HTML that displays file/directory structures should implement a Content Security Policy (CSP) to provide an extra layer of defense against potential XSS bypasses. **Prevention:** Include a strict CSP meta tag (e.g., `default-src 'none'; style-src 'unsafe-inline';`) in auto-generated HTML headers when external scripts or resources are not required. +## 2024-07-05 - Enhance Security Headers for Static HTML +**Vulnerability:** Insufficient HTTP response headers in statically generated HTML (missing Referrer-Policy and strict CSP directives), potentially exposing local environment details or allowing clickjacking/base injection. +**Learning:** Even statically generated offline HTML index pages require robust security headers (via meta tags) to implement defense-in-depth, as they might be viewed in various browser contexts. +**Prevention:** Consistently apply strict Content-Security-Policy (including base-uri, form-action, frame-ancestors) and Referrer-Policy meta tags in all generated HTML templates by default. diff --git a/src/main/kotlin/html4tree/main.kt b/src/main/kotlin/html4tree/main.kt index 2e2809f..70607a7 100644 --- a/src/main/kotlin/html4tree/main.kt +++ b/src/main/kotlin/html4tree/main.kt @@ -23,7 +23,7 @@ fun main(args: Array) = Html4tree().main(args) fun go(topDir: String, maxLevel: Int) { require(topDir.isNotBlank()) - val top_dir = File(topDir).canonicalFile + val top_dir = File(topDir).absoluteFile.toPath().normalize().toFile() require(Files.isDirectory(top_dir.toPath(), LinkOption.NOFOLLOW_LINKS)) { "Top directory must be an existing non-symlink directory" } val ll = LinkedList() @@ -158,8 +158,9 @@ fun process_dir(curr_dir: File){ - - + + + ${curr_dir.getName().escapeHtml()} ${css} diff --git a/src/test/kotlin/html4tree/MainTest.kt b/src/test/kotlin/html4tree/MainTest.kt index e8a3082..7ab841d 100644 --- a/src/test/kotlin/html4tree/MainTest.kt +++ b/src/test/kotlin/html4tree/MainTest.kt @@ -159,7 +159,8 @@ class MainTest { assertTrue(htmlContent.contains("📁")) assertFalse(htmlContent.contains("test.ignore")) assertTrue(htmlContent.contains("Content-Security-Policy")) - assertTrue(htmlContent.contains("default-src 'none'; style-src 'unsafe-inline';")) + assertTrue(htmlContent.contains("default-src 'none'; style-src 'unsafe-inline'; base-uri 'none'; form-action 'none'; frame-ancestors 'none';")) + assertTrue(htmlContent.contains("name=\"referrer\" content=\"no-referrer\"")) } @Test