6 files changed, 160 insertions, 1 deletions

diff --git a/lib/config/default.js b/lib/config/default.js
index 000c154a..28f4490c 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -13,6 +13,13 @@ module.exports = {
     includeSubdomains: true,
     preload: true
   },
+  csp: {
+    enable: true,
+    directives: {
+    },
+    addDefaults: true,
+    upgradeInsecureRequests: 'auto'
+  },
   protocolusessl: false,
   usecdn: true,
   allowanonymous: true,
@@ -55,6 +62,13 @@ module.exports = {
     secretAccessKey: undefined,
     region: undefined
   },
+  minio: {
+    accessKey: undefined,
+    secretKey: undefined,
+    endPoint: undefined,
+    secure: true,
+    port: 9000
+  },
   s3bucket: undefined,
   // authentication
   facebook: {
diff --git a/lib/config/environment.js b/lib/config/environment.js
index eedd4913..e2112b6a 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -14,6 +14,9 @@ module.exports = {
     includeSubdomains: toBooleanConfig(process.env.HMD_HSTS_INCLUDE_SUBDOMAINS),
     preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
   },
+  csp: {
+    enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
+  },
   protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
   alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
   usecdn: toBooleanConfig(process.env.HMD_USECDN),
@@ -31,6 +34,13 @@ module.exports = {
     secretAccessKey: process.env.HMD_S3_SECRET_ACCESS_KEY,
     region: process.env.HMD_S3_REGION
   },
+  minio: {
+    accessKey: process.env.HMD_MINIO_ACCESS_KEY,
+    secretKey: process.env.HMD_MINIO_SECRET_KEY,
+    endPoint: process.env.HMD_MINIO_ENDPOINT,
+    secure: toBooleanConfig(process.env.HMD_MINIO_SECURE),
+    port: process.env.HMD_MINIO_PORT
+  },
   s3bucket: process.env.HMD_S3_BUCKET,
   facebook: {
     clientID: process.env.HMD_FACEBOOK_CLIENTID,
diff --git a/lib/config/index.js b/lib/config/index.js
index 3d22c3c3..4f6b4b6a 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -97,6 +97,26 @@ config.isLDAPEnable = config.ldap.url
 config.isSAMLEnable = config.saml.idpSsoUrl
 config.isPDFExportEnable = config.allowpdfexport
 
+// figure out mime types for image uploads
+switch (config.imageUploadType) {
+  case 'imgur':
+    config.allowedUploadMimeTypes = [
+      'image/jpeg',
+      'image/png',
+      'image/jpg',
+      'image/gif'
+    ]
+    break
+  default:
+    config.allowedUploadMimeTypes = [
+      'image/jpeg',
+      'image/png',
+      'image/jpg',
+      'image/gif',
+      'image/svg+xml'
+    ]
+}
+
 // generate correct path
 config.sslcapath.forEach(function (capath, i, array) {
   array[i] = path.resolve(appRootPath, capath)
diff --git a/lib/csp.js b/lib/csp.js
new file mode 100644
index 00000000..509bc530
--- /dev/null
+++ b/lib/csp.js
@@ -0,0 +1,80 @@
+var config = require('./config')
+var uuid = require('uuid')
+
+var CspStrategy = {}
+
+var defaultDirectives = {
+  defaultSrc: ['\'self\''],
+  scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', 'https://*.disqus.com', '\'unsafe-eval\''],
+  // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/hackmd/issues/594
+  imgSrc: ['*'],
+  styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views
+  fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'],
+  objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
+  childSrc: ['*'],
+  connectSrc: ['*']
+}
+
+var cdnDirectives = {
+  scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
+  styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'],
+  fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']
+}
+
+CspStrategy.computeDirectives = function () {
+  var directives = {}
+  mergeDirectives(directives, config.csp.directives)
+  mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)
+  mergeDirectivesIf(config.usecdn, directives, cdnDirectives)
+  if (!areAllInlineScriptsAllowed(directives)) {
+    addInlineScriptExceptions(directives)
+  }
+  addUpgradeUnsafeRequestsOptionTo(directives)
+  return directives
+}
+
+function mergeDirectives (existingDirectives, newDirectives) {
+  for (var propertyName in newDirectives) {
+    var newDirective = newDirectives[propertyName]
+    if (newDirective) {
+      var existingDirective = existingDirectives[propertyName] || []
+      existingDirectives[propertyName] = existingDirective.concat(newDirective)
+    }
+  }
+}
+
+function mergeDirectivesIf (condition, existingDirectives, newDirectives) {
+  if (condition) {
+    mergeDirectives(existingDirectives, newDirectives)
+  }
+}
+
+function areAllInlineScriptsAllowed (directives) {
+  return directives.scriptSrc.indexOf('\'unsafe-inline\'') !== -1
+}
+
+function addInlineScriptExceptions (directives) {
+  directives.scriptSrc.push(getCspNonce)
+  // TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html
+  // Any more clean solution appreciated.
+  directives.scriptSrc.push('\'sha256-EtvSSxRwce5cLeFBZbvZvDrTiRoyoXbWWwvEVciM5Ag=\'')
+}
+
+function getCspNonce (req, res) {
+  return "'nonce-" + res.locals.nonce + "'"
+}
+
+function addUpgradeUnsafeRequestsOptionTo (directives) {
+  if (config.csp.upgradeInsecureRequests === 'auto' && config.usessl) {
+    directives.upgradeInsecureRequests = true
+  } else if (config.csp.upgradeInsecureRequests === true) {
+    directives.upgradeInsecureRequests = true
+  }
+}
+
+CspStrategy.addNonceToLocals = function (req, res, next) {
+  res.locals.nonce = uuid.v4()
+  next()
+}
+
+module.exports = CspStrategy
diff --git a/lib/response.js b/lib/response.js
index 1c04f9f6..445aa0d7 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -598,7 +598,8 @@ function showPublishSlide (req, res, next) {
         lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null,
         robots: meta.robots || false, // default allow robots
         GA: meta.GA,
-        disqus: meta.disqus
+        disqus: meta.disqus,
+        cspNonce: res.locals.nonce
       }
       return renderPublishSlide(data, res)
     }).catch(function (err) {
diff --git a/lib/web/imageRouter.js b/lib/web/imageRouter.js
index bebab302..b17cccbd 100644
--- a/lib/web/imageRouter.js
+++ b/lib/web/imageRouter.js
@@ -73,6 +73,40 @@ imageRouter.post('/uploadimage', function (req, res) {
               })
             })
             break
+
+          case 'minio':
+            var utils = require('../utils')
+            var Minio = require('minio')
+            var minioClient = new Minio.Client({
+              endPoint: config.minio.endPoint,
+              port: config.minio.port,
+              secure: config.minio.secure,
+              accessKey: config.minio.accessKey,
+              secretKey: config.minio.secretKey
+            })
+            fs.readFile(files.image.path, function (err, buffer) {
+              if (err) {
+                logger.error(err)
+                res.status(500).end('upload image error')
+                return
+              }
+
+              var key = path.join('uploads', path.basename(files.image.path))
+              var protocol = config.minio.secure ? 'https' : 'http'
+
+              minioClient.putObject(config.s3bucket, key, buffer, buffer.size, utils.getImageMimeType(files.image.path), function (err, data) {
+                if (err) {
+                  logger.error(err)
+                  res.status(500).end('upload image error')
+                  return
+                }
+                res.send({
+                  link: `${protocol}://${config.minio.endPoint}:${config.minio.port}/${config.s3bucket}/${key}`
+                })
+              })
+            })
+            break
+
           case 'imgur':
           default:
             imgur.setClientId(config.imgur.clientID)