Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,3 +22,7 @@
**Vulnerability:** Defense in Depth (CSP Missing)
**Learning:** Even when inputs are properly escaped, statically generated HTML that displays file/directory structures should implement a Content Security Policy (CSP) to provide an extra layer of defense against potential XSS bypasses.
**Prevention:** Include a strict CSP meta tag (e.g., `default-src 'none'; style-src 'unsafe-inline';`) in auto-generated HTML headers when external scripts or resources are not required.
## 2024-07-05 - Enhance Security Headers for Static HTML
**Vulnerability:** Insufficient HTTP response headers in statically generated HTML (missing Referrer-Policy and strict CSP directives), potentially exposing local environment details or allowing clickjacking/base injection.
**Learning:** Even statically generated offline HTML index pages require robust security headers (via meta tags) to implement defense-in-depth, as they might be viewed in various browser contexts.
**Prevention:** Consistently apply strict Content-Security-Policy (including base-uri, form-action, frame-ancestors) and Referrer-Policy meta tags in all generated HTML templates by default.
7 changes: 4 additions & 3 deletions src/main/kotlin/html4tree/main.kt
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ fun main(args: Array<String>) = Html4tree().main(args)

fun go(topDir: String, maxLevel: Int) {
require(topDir.isNotBlank())
val top_dir = File(topDir).canonicalFile
val top_dir = File(topDir).absoluteFile.toPath().normalize().toFile()
require(Files.isDirectory(top_dir.toPath(), LinkOption.NOFOLLOW_LINKS)) { "Top directory must be an existing non-symlink directory" }

val ll = LinkedList()
Expand Down Expand Up @@ -158,8 +158,9 @@ fun process_dir(curr_dir: File){
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- ๋ณด์•ˆ ํ–ฅ์ƒ: ์ธ๋ผ์ธ ์Šคํฌ๋ฆฝํŠธ ์‹คํ–‰ ๋ฐฉ์ง€ -->
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'unsafe-inline';">
<!-- ๋ณด์•ˆ ํ–ฅ์ƒ: ์ธ๋ผ์ธ ์Šคํฌ๋ฆฝํŠธ ์‹คํ–‰ ๋ฐฉ์ง€ ๋ฐ ๊ธฐํƒ€ ์ทจ์•ฝ์  ์™„ํ™” -->
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'unsafe-inline'; base-uri 'none'; form-action 'none'; frame-ancestors 'none';">
<meta name="referrer" content="no-referrer">
<title>${curr_dir.getName().escapeHtml()}</title>
${css}
</head>
Expand Down
3 changes: 2 additions & 1 deletion src/test/kotlin/html4tree/MainTest.kt
Original file line number Diff line number Diff line change
Expand Up @@ -159,7 +159,8 @@ class MainTest {
assertTrue(htmlContent.contains("&#128193;"))
assertFalse(htmlContent.contains("test.ignore"))
assertTrue(htmlContent.contains("Content-Security-Policy"))
assertTrue(htmlContent.contains("default-src 'none'; style-src 'unsafe-inline';"))
assertTrue(htmlContent.contains("default-src 'none'; style-src 'unsafe-inline'; base-uri 'none'; form-action 'none'; frame-ancestors 'none';"))
assertTrue(htmlContent.contains("name=\"referrer\" content=\"no-referrer\""))
}

@Test
Expand Down
Loading