Merge branch 'master' into cache-headers

isoos · web-flow · commit ae0128d87680 · 2025-10-23T09:59:47.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,8 +2,9 @@ Important changes to data models, configuration, and migrations between each
 AppEngine version, listed here to ease deployment and troubleshooting.
 
 ## Next Release (replace with git tag when deployed)
- * Bump runtimeVersion to `2025.10.21`.
+ * Bump runtimeVersion to `2025.10.22`.
  * Upgraded stable Flutter analysis SDK to `3.35.6`.
+ * Upgraded pana to `0.23.0`.
  * Added more explicitly public `cache-control` to content pages.
 
 ## `20251017t101000-all`
diff --git a/app/lib/fake/backend/fake_pana_runner.dart b/app/lib/fake/backend/fake_pana_runner.dart
@@ -99,7 +99,7 @@ Future<Summary> fakePanaSummary({
         .where((url) => fakeUrlCheck('funding', url) != null)
         .toList(),
     contributingUrl: contributingUrl,
-    licenses: [License(path: '', spdxIdentifier: licenseSpdx)],
+    licenses: [License(spdxIdentifier: licenseSpdx)],
   );
   return Summary(
     createdAt: clock.now().toUtc(),
@@ -156,7 +156,6 @@ Future<Summary> fakePanaSummary({
       ],
     ),
     result: result,
-    licenses: [],
     errorMessage: null,
     pubspec: null, // will be ignored
   );
diff --git a/app/lib/fake/backend/fake_pub_worker.dart b/app/lib/fake/backend/fake_pub_worker.dart
@@ -337,8 +337,6 @@ Summary _emptySummary(String package, String version) {
     tags: null,
     report: null,
     result: null,
-    licenseFile: null,
-    licenses: null,
     errorMessage: null,
     pubspec: null, // will be ignored
   );
diff --git a/app/lib/frontend/templates/views/pkg/info_box.dart b/app/lib/frontend/templates/views/pkg/info_box.dart
@@ -43,7 +43,7 @@ d.Node packageInfoBoxNode({
   if (data.versionInfo.hasLicense) {
     final licenses = data.scoreCard.panaReport?.licenses ?? <License>[];
     if (licenses.isEmpty) {
-      licenses.add(License(path: 'LICENSE', spdxIdentifier: 'unknown'));
+      licenses.add(License(spdxIdentifier: 'unknown'));
     }
     license = _licenseNode(
       licenses: licenses,
diff --git a/app/lib/scorecard/models.dart b/app/lib/scorecard/models.dart
@@ -140,7 +140,7 @@ class PanaReport {
       }.toList(),
       allDependencies: summary?.allDependencies,
       // ignore: deprecated_member_use
-      licenses: summary?.result?.licenses ?? summary?.licenses,
+      licenses: summary?.result?.licenses,
       report: summary?.report,
       result: summary?.result,
       urlProblems: summary?.urlProblems,
diff --git a/app/lib/shared/versions.dart b/app/lib/shared/versions.dart
@@ -24,7 +24,7 @@ final RegExp runtimeVersionPattern = RegExp(r'^\d{4}\.\d{2}\.\d{2}$');
 /// when the version switch happens.
 const _acceptedRuntimeVersions = <String>[
   // The current [runtimeVersion].
-  '2025.10.21',
+  '2025.10.22',
   // Fallback runtime versions.
   '2025.10.17',
   '2025.10.10',
diff --git a/app/lib/tool/test_profile/resolver.dart b/app/lib/tool/test_profile/resolver.dart
@@ -64,7 +64,11 @@ Future<List<ResolvedVersion>> resolveVersions(
           ),
         );
 
-        final pr = await toolEnv.runUpgrade(dummyDir.path, false);
+        final pr = await toolEnv.runPub(
+          dummyDir.path,
+          command: 'upgrade',
+          usesFlutter: false,
+        );
         if (pr.exitCode != 0) {
           throw Exception(
             'dart pub get on `${package.name} $version` exited with ${pr.exitCode}.\n${pr.stderr}',
diff --git a/app/pubspec.yaml b/app/pubspec.yaml
@@ -46,7 +46,7 @@ dependencies:
   watcher: ^1.0.0
   yaml: ^3.1.0
   # pana version to be pinned
-  pana: '0.22.24'
+  pana: '0.23.0'
   # 3rd-party packages with pinned versions
   mailer: '6.5.0'
   postgres: '3.5.8'
diff --git a/app/test/dartdoc/dartdoc_page_test.dart b/app/test/dartdoc/dartdoc_page_test.dart
@@ -70,7 +70,7 @@ void main() {
         dartdocVersion: dartdocVersion,
         pubCacheDir: pubCacheDir,
       );
-      await toolEnv.runUpgrade(pkgDir, false);
+      await toolEnv.runPub(pkgDir, command: 'get', usesFlutter: false);
     });
 
     tearDownAll(() async {
diff --git a/pkg/image_proxy/lib/image_proxy_service.dart b/pkg/image_proxy/lib/image_proxy_service.dart
@@ -23,6 +23,16 @@ Duration timeoutDelay = Duration(seconds: isTesting ? 1 : 8);
 /// The keys we currently allow the url to be signed with.
 Map<int, Uint8List> allowedKeys = {};
 
+// Inspired by https://github.com/atmos/camo/blob/master/server.coffee#L39.
+Map<String, String> securityHeaders = {
+  'X-Frame-Options': 'deny',
+  'X-XSS-Protection': '1; mode=block',
+  'X-Content-Type-Options': 'nosniff',
+  'Content-Security-Policy':
+      "default-src 'none'; img-src data:; style-src 'unsafe-inline'",
+  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
+};
+
 /// Ensure that [allowedKeys] contains keys for today and the two surrounding
 /// days.
 Future<void> updateAllowedKeys() async {
@@ -104,13 +114,17 @@ final maxImageSize = 1024 * 1024 * 10; // At most 10 MB.
 Future<shelf.Response> handler(shelf.Request request) async {
   try {
     if (request.method != 'GET') {
-      return shelf.Response.notFound('Unsupported method');
+      return shelf.Response.notFound(
+        'Unsupported method',
+        headers: securityHeaders,
+      );
     }
     final segments = request.url.pathSegments;
     if (segments.length != 3) {
       return shelf.Response.badRequest(
         body:
             'malformed request, ${segments.length} should be of the form <base64(hmac(url,daily_secret))>/<date>/<urlencode(url)>',
+        headers: securityHeaders,
       );
     }
     final Uint8List signature;
@@ -119,22 +133,30 @@ Future<shelf.Response> handler(shelf.Request request) async {
     } on FormatException catch (_) {
       return shelf.Response.badRequest(
         body: 'malformed request, could not decode mac signature',
+        headers: securityHeaders,
       );
     }
     final date = int.tryParse(segments[1]);
     if (date == null) {
-      return shelf.Response.badRequest(body: 'malformed request, missing date');
+      return shelf.Response.badRequest(
+        body: 'malformed request, missing date',
+        headers: securityHeaders,
+      );
     }
     final secret = allowedKeys[date];
     if (secret == null) {
       return shelf.Response.badRequest(
         body: 'malformed request, proxy url expired',
+        headers: securityHeaders,
       );
     }
 
     final imageUrl = segments[2];
     if (imageUrl.length > 1024) {
-      return shelf.Response.badRequest(body: 'proxied url too long');
+      return shelf.Response.badRequest(
+        body: 'proxied url too long',
+        headers: securityHeaders,
+      );
     }
     final imageUrlBytes = utf8.encode(imageUrl);
 
@@ -143,16 +165,23 @@ Future<shelf.Response> handler(shelf.Request request) async {
       try {
         parsedImageUrl = Uri.parse(imageUrl);
       } on FormatException catch (e) {
-        return shelf.Response.badRequest(body: 'Malformed proxied url $e');
+        return shelf.Response.badRequest(
+          body: 'Malformed proxied url $e',
+          headers: securityHeaders,
+        );
       }
       if (!(parsedImageUrl.isScheme('http') ||
           parsedImageUrl.isScheme('https'))) {
         return shelf.Response.badRequest(
           body: 'Can only proxy http and https urls',
+          headers: securityHeaders,
         );
       }
       if (!parsedImageUrl.isAbsolute) {
-        return shelf.Response.badRequest(body: 'Can only proxy absolute urls');
+        return shelf.Response.badRequest(
+          body: 'Can only proxy absolute urls',
+          headers: securityHeaders,
+        );
       }
 
       int statusCode;
@@ -233,14 +262,24 @@ Future<shelf.Response> handler(shelf.Request request) async {
               e is ServerSideException,
         );
       } on TooLargeException {
-        return shelf.Response.badRequest(body: 'Image too large');
+        return shelf.Response.badRequest(
+          body: 'Image too large',
+          headers: securityHeaders,
+        );
       } on RedirectException catch (e) {
-        return shelf.Response.badRequest(body: e.message);
+        return shelf.Response.badRequest(
+          body: e.message,
+          headers: securityHeaders,
+        );
       } on RequestTimeoutException catch (e) {
-        return shelf.Response.badRequest(body: e.message);
+        return shelf.Response.badRequest(
+          body: e.message,
+          headers: securityHeaders,
+        );
       } on ServerSideException catch (e) {
         return shelf.Response.badRequest(
           body: 'Failed to retrieve image. Status code ${e.statusCode}',
+          headers: securityHeaders,
         );
       }
 
@@ -251,10 +290,11 @@ Future<shelf.Response> handler(shelf.Request request) async {
           'Cache-control': 'max-age=180, public',
           'content-type': ?contentType,
           'content-encoding': ?contentEncoding,
+          ...securityHeaders,
         },
       );
     } else {
-      return shelf.Response.unauthorized('Bad hmac');
+      return shelf.Response.unauthorized('Bad hmac', headers: securityHeaders);
     }
   } catch (e, st) {
     stderr.writeln('Uncaught error: $e $st');
diff --git a/pkg/image_proxy/test/image_proxy_test.dart b/pkg/image_proxy/test/image_proxy_test.dart
@@ -35,6 +35,12 @@ Stream<List<int>> infiniteStream() async* {
   }
 }
 
+void validateSecurityHeaders(HttpClientResponse response) {
+  for (final header in securityHeaders.entries) {
+    expect(response.headers[header.key], [header.value]);
+  }
+}
+
 Future<int> startImageServer() async {
   var i = 0;
   final server = await shelf_io.serve(
@@ -175,10 +181,10 @@ Future<void> main() async {
         imageProxyPort: imageProxyPort,
         imageServerPort: imageServerPort,
       );
+      validateSecurityHeaders(response);
       expect(response.statusCode, 200);
       expect(response.headers['content-type']!.single, 'image/jpeg');
       expect(response.headers['cache-control']!.single, 'max-age=180, public');
-
       final hash = await sha256.bind(response).single;
       final expected = sha256.convert(File(jpgImagePath).readAsBytesSync());
       expect(hash, expected);
@@ -191,6 +197,7 @@ Future<void> main() async {
         imageServerPort: imageServerPort,
         pathToImage: 'path/to/image.png',
       );
+      validateSecurityHeaders(response);
       expect(response.statusCode, 200);
       expect(response.headers['content-type']!.single, 'image/png');
       final hash = await sha256.bind(response).single;
@@ -205,6 +212,7 @@ Future<void> main() async {
         imageServerPort: imageServerPort,
         pathToImage: 'path/to/image.svg',
       );
+      validateSecurityHeaders(response);
       expect(response.statusCode, 200);
       expect(response.headers['content-type']!.single, 'image/svg+xml');
       final hash = await sha256.bind(response).single;
@@ -220,6 +228,7 @@ Future<void> main() async {
         // Gives no content-length
         pathToImage: 'okstreaming',
       );
+      validateSecurityHeaders(response);
       expect(response.statusCode, 200);
       expect(response.headers['content-type']!.single, 'image/jpeg');
       final jpgFile = File(jpgImagePath).readAsBytesSync();
@@ -239,6 +248,7 @@ Future<void> main() async {
         imageServerPort: imageServerPort,
         day: tomorrow.add(Duration(days: 1)),
       );
+      validateSecurityHeaders(response);
       expect(response.statusCode, 400);
 
       expect(
@@ -258,6 +268,7 @@ Future<void> main() async {
         day: today,
         disturbSignature: true,
       );
+      validateSecurityHeaders(response);
       expect(response.statusCode, 401);
 
       expect(await Utf8Codec().decodeStream(response), 'Bad hmac');
@@ -275,6 +286,7 @@ Future<void> main() async {
         disturbSignature: true,
         pathToImage: 'next/' * 1000 + 'image.jpg',
       );
+      validateSecurityHeaders(response);
       expect(response.statusCode, 400);
 
       expect(await Utf8Codec().decodeStream(response), 'proxied url too long');
@@ -291,6 +303,7 @@ Future<void> main() async {
         day: today,
         pathToImage: 'redirect',
       );
+      validateSecurityHeaders(response);
 
       expect(response.statusCode, 200);
       final hash = await sha256.bind(response).single;
@@ -309,6 +322,7 @@ Future<void> main() async {
         day: today,
         pathToImage: 'redirectForever',
       );
+      validateSecurityHeaders(response);
 
       expect(await Utf8Codec().decodeStream(response), 'Too many redirects.');
       expect(response.statusCode, 400);
@@ -325,6 +339,7 @@ Future<void> main() async {
         day: today,
         pathToImage: 'serverError',
       );
+      validateSecurityHeaders(response);
 
       expect(
         await Utf8Codec().decodeStream(response),
@@ -344,6 +359,7 @@ Future<void> main() async {
         day: today,
         pathToImage: 'doesntexist',
       );
+      validateSecurityHeaders(response);
 
       expect(await Utf8Codec().decodeStream(response), 'Not found');
       expect(response.statusCode, 404);
@@ -360,6 +376,7 @@ Future<void> main() async {
         day: today,
         pathToImage: 'worksSecondTime',
       );
+      validateSecurityHeaders(response);
 
       expect(response.statusCode, 200);
       final hash = await sha256.bind(response).single;
@@ -378,6 +395,7 @@ Future<void> main() async {
         day: today,
         pathToImage: 'canBeCachedLong',
       );
+      validateSecurityHeaders(response);
 
       expect(response.statusCode, 200);
       // The proxy doesn't cache as long time as the original.
@@ -398,6 +416,7 @@ Future<void> main() async {
         day: today,
         pathToImage: 'timeout',
       );
+      validateSecurityHeaders(response);
 
       expect(response.statusCode, 400);
       // The proxy doesn't cache as long time as the original.
@@ -410,6 +429,7 @@ Future<void> main() async {
         day: today,
         pathToImage: 'timeoutstreaming',
       );
+      validateSecurityHeaders(response);
 
       expect(response.statusCode, 400);
       // The proxy doesn't cache as long time as the original.
@@ -427,6 +447,7 @@ Future<void> main() async {
         day: today,
         pathToImage: 'toobig',
       );
+      validateSecurityHeaders(response);
 
       expect(response.statusCode, 400);
       // The proxy doesn't cache as long time as the original.
@@ -439,6 +460,7 @@ Future<void> main() async {
         day: today,
         pathToImage: 'toobigstreaming',
       );
+      validateSecurityHeaders(response);
 
       expect(response.statusCode, 400);
       // The proxy doesn't cache as long time as the original.
diff --git a/pkg/pub_worker/pubspec.yaml b/pkg/pub_worker/pubspec.yaml
@@ -10,7 +10,7 @@ dependencies:
   appengine: ^0.13.6
   json_annotation: ^4.3.0
   jsontool: ^2.0.0
-  pana: ^0.22.24
+  pana: ^0.23.0
   path: ^1.8.0
   lints: ^6.0.0 # required for pana
   meta: ^1.7.0
diff --git a/pubspec.lock b/pubspec.lock

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ d.Node packageInfoBoxNode({`
`43`	`43`	`if (data.versionInfo.hasLicense) {`
`44`	`44`	`final licenses = data.scoreCard.panaReport?.licenses ?? <License>[];`
`45`	`45`	`if (licenses.isEmpty) {`
`46`		`- licenses.add(License(path: 'LICENSE', spdxIdentifier: 'unknown'));`
	`46`	`+ licenses.add(License(spdxIdentifier: 'unknown'));`
`47`	`47`	`}`
`48`	`48`	`license = _licenseNode(`
`49`	`49`	`licenses: licenses,`