Files
windwiderstand/src/lib/cms-source.server.ts
T
Peter Meier a2ca0db9ca
Deploy / verify (push) Successful in 56s
Deploy / deploy (push) Successful in 1m17s
feat(security+obs): SSRF allowlist, HTML sanitization, timing-safe tokens, fetch timeouts, structured logger
Security:
  - cms-images / cms-files now share resolveCmsSource (cms-source.server.ts)
    which enforces an allowlist: asset filename, absolute path on the CMS
    host, or full URL exact-matching the configured CMS host+protocol.
    Foreign hosts, protocol-relative URLs and path traversal return 400.
  - markdown-safe.ts is the single configured marked entrypoint; it
    disables raw HTML rendering globally (renderer.html() returns ''),
    removing the inline script/iframe injection vector via markdown.
    All 8 marked imports across components and loaders now go through it.
  - sanitize-blocks.server.ts walks resolved page/post content and runs
    HtmlBlock html fields through sanitize-html with a tight allowlist
    (no script/style/on*, only youtube/vimeo/spotify iframes, mailto/tel
    plus http(s) schemes, target=_blank gets rel=noopener).
  - Webhook tokens (revalidate, cache/clear) compared via
    crypto.timingSafeEqual through auth-token.server.ts.
  - cms.ts wraps every fetch in cmsFetch(): 5 s default timeout via
    AbortSignal.timeout, override per call or globally via
    PUBLIC_CMS_FETCH_TIMEOUT_MS. Stops slow CMS responses from pinning
    SSR workers indefinitely.

Observability:
  - log.server.ts gives logWarn / logError / logInfo with scope + context;
    swallowed catch {} blocks in hooks, layout.server, +page.server,
    [...slug]/+page.server and sitemap now log instead of going silent.

Routing:
  - Legacy /blog, /blog/page/:n, /blog/tag/:t and /p/:slug stub routes
    deleted; their 301 redirects moved into hooks.server.ts so the
    request never enters the SvelteKit page pipeline.

Tests (vitest, server-side):
  - auth-token.server.test.ts (6 cases for constant-time compare)
  - cms-source.server.test.ts  (8 cases for SSRF allowlist)
  - sanitize-blocks.server.test.ts (9 cases for sanitizer + walker)
  All 23 green.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-04 16:09:25 +02:00

46 lines
1.5 KiB
TypeScript

/**
* Allowlist-Resolver für `?src=...`-Query-Parameter in den Image- und File-Proxy-
* Routen. Verhindert SSRF: Angreifer könnten sonst beliebige URLs an die
* CMS-API durchreichen lassen (interne Hosts, Cloud-Metadata-Endpunkte,
* Cache-Pollution).
*
* Erlaubt:
* - Asset-Dateiname ("foo.jpg") → {CMS}/api/assets/foo.jpg
* - Absoluter Pfad ("/api/assets/...") → {CMS}/api/assets/...
* - Vollständige URL exakt unter CMS-Host → unverändert
*
* Abgelehnt:
* - Fremde Hosts, andere Schemata
* - Protokoll-relative URLs ("//host/...")
* - Pfad-Traversal ("..", führender Punkt)
*/
import { env } from '$env/dynamic/public';
export function getCmsBaseUrl(): string {
return (
env.PUBLIC_CMS_URL ||
import.meta.env.PUBLIC_CMS_URL ||
'http://localhost:3000'
).replace(/\/$/, '');
}
export function resolveCmsSource(src: string): string | null {
if (src.startsWith('//')) return null;
if (src.startsWith('/')) return `${getCmsBaseUrl()}${src}`;
if (src.startsWith('http://') || src.startsWith('https://')) {
let candidate: URL;
let cmsHost: URL;
try {
candidate = new URL(src);
cmsHost = new URL(getCmsBaseUrl());
} catch {
return null;
}
if (candidate.host !== cmsHost.host) return null;
if (candidate.protocol !== cmsHost.protocol) return null;
return src;
}
if (src.includes('://') || src.includes('..') || src.startsWith('.')) return null;
return `${getCmsBaseUrl()}/api/assets/${encodeURIComponent(src)}`;
}