Merge pull request #35 from Rob--W/security-and-reliability

Some security and reliability improvements

Author: suan

README.md

@@ -14,3 +14,18 @@ REST API
 | Close Webpage    | DELETE      | http://localhost:\<port\> | |
 
 By default, `<port>` is 8090
+
+Environment variables
+---------------------
+
+* `INSTANT_MARKDOWN_OPEN_TO_THE_WORLD=1` - by default, the server only listens
+  on localhost. To make the server available to others in your network, set this
+  environment variable to a non-empty value. Only use this setting on trusted
+  networks!
+
+* `INSTANT_MARKDOWN_ALLOW_UNSAFE_CONTENT=1` - by default, scripts are blocked.
+  Use this preference to allow scripts.
+
+* `INSTANT_MARKDOWN_BLOCK_EXTERNAL=1` - by default, external resources such as
+  images, stylesheets, frames and plugins are *allowed*. Use this setting to
+  *block* such external content.

index.html

@@ -13,11 +13,20 @@
       margin: 0 auto;
       padding: 30px;
     }
+    #con-error {
+      position: fixed;
+      top: 0px;
+      right: 0px;
+      padding: 5px;
+      background: white;
+      color: red;
+    }
   </style>
   <script src="/socket.io/socket.io.js"></script>
   <script>
     var socket = io.connect('http://'+ window.location.host +'/');
     socket.on('connect', function () {
+      setDisconnected(false);
       socket.on('newContent', function(newHTML) {
         document.querySelector(".markdown-body").innerHTML = newHTML;
       });
@@ -32,6 +41,25 @@
         document.body.innerHTML = firefoxWarning;
       });
     });
+    socket.on('disconnect', function() {
+      setDisconnected(true);
+    });
+
+    try {
+      eval('// If CSP is active, then this is blocked');
+    } catch (e) {
+      // Detected that the CSP was active (by the user's preference).
+      // Drop capabilities to prevent rendered markdown from executing scripts.
+      var meta = document.createElement('meta');
+      meta.setAttribute('http-equiv', 'Content-Security-Policy');
+      meta.setAttribute('content', "script-src 'none';");
+      document.head.appendChild(meta);
+    }
+
+    function setDisconnected(isDisconnected) {
+      document.getElementById('con-error').style.display =
+        isDisconnected ? 'block' : 'none';
+    }
   </script>
 </head>
 <body>
@@ -46,5 +74,6 @@
       </div>
     </div>
   </div>
+  <div id="con-error" style="display:none">Live preview is unavailable</div>
 </body>
 </html>

instant-markdown-d

@@ -6,11 +6,18 @@ var hljs = require('highlight.js');
 var server = require('http').createServer(httpHandler),
     exec = require('child_process').exec,
     io = require('socket.io').listen(server),
-    send = require('send'),
-    server,
-    socket;
+    send = require('send');
 
-server.listen(8090);
+// WARNING: By setting this environment variable, anyone on your network may
+// run arbitrary code in your browser and read arbitrary files in the working
+// directory of the open file!
+if (process.env.INSTANT_MARKDOWN_OPEN_TO_THE_WORLD) {
+  // Listen on any interface.
+  server.listen(8090, onListening).once('error', onServerError);
+} else {
+  // Listen locally.
+  server.listen(8090, '127.0.0.1', onListening).once('error', onServerError);
+}
 
 var md = new MarkdownIt({
   html: true,
@@ -28,7 +35,13 @@ var md = new MarkdownIt({
   }
 });
 
-function writeMarkdown(input, output) {
+var lastWrittenMarkdown = '';
+function writeMarkdown(body) {
+  lastWrittenMarkdown = md.render(body);
+  io.sockets.emit('newContent', lastWrittenMarkdown);
+}
+
+function readAllInput(input, callback) {
   var body = '';
   input.on('data', function(data) {
     body += data;
@@ -37,24 +50,59 @@ function writeMarkdown(input, output) {
     }
   });
   input.on('end', function() {
-    output.emit('newContent', md.render(body));
+    callback(body);
   });
 }
 
+function addSecurityHeaders(req, res, isIndexFile) {
+  var csp = [];
+
+  // Cannot use 'self' because Chrome does not treat 'self' as http://host
+  // when the sandbox directive is set.
+  var HTTP_HOST = req.headers.host || 'localhost:8090';
+  var CSP_SELF = 'http://' + HTTP_HOST;
+
+  if (!process.env.INSTANT_MARKDOWN_ALLOW_UNSAFE_CONTENT) {
+    if (isIndexFile) {
+      // index.html will drop the scripting capabilities upon load.
+      csp.push('script-src ' + CSP_SELF + " 'unsafe-inline'");
+      csp.push('sandbox allow-scripts allow-modals allow-forms');
+    } else {
+      csp.push('script-src ');
+    }
+  }
+  if (process.env.INSTANT_MARKDOWN_BLOCK_EXTERNAL) {
+    csp.push('default-src data: ' + CSP_SELF);
+    csp.push("style-src data: 'unsafe-inline' " + CSP_SELF);
+    csp.push('connect-src ' + CSP_SELF + ' ws://' + HTTP_HOST);
+  }
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader('Content-Security-Policy', csp.join('; '));
+  if (isIndexFile) {
+    // Never cache the index file, to make sure that changes to the CSP are
+    // picked up across soft reloads.
+    res.setHeader('Cache-Control', 'no-store');
+  }
+}
+
 function httpHandler(req, res) {
   switch(req.method)
   {
     case 'GET':
       // Example: /my-repo/raw/master/sub-dir/some.png
       var githubUrl = req.url.match(/\/[^\/]+\/raw\/[^\/]+\/(.+)/);
       if (githubUrl) {
+        addSecurityHeaders(req, res, false);
          // Serve the file out of the current working directory
         send(req, githubUrl[1])
          .root(process.cwd())
          .pipe(res);
         return;
       }
 
+      var isIndexFile = /^\/(index\.html)?(\?|$)/.test(req.url);
+      addSecurityHeaders(req, res, isIndexFile);
+
       // Otherwise serve the file from the directory this module is in
       send(req, req.url)
         .root(__dirname)
@@ -70,12 +118,12 @@ function httpHandler(req, res) {
       // break;
 
     case 'DELETE':
-      socket.emit('die');
+      io.sockets.emit('die');
       process.exit();
       break;
 
     case 'PUT':
-      writeMarkdown(req, socket);
+      readAllInput(req, writeMarkdown);
       res.writeHead(200);
       res.end();
       break;
@@ -84,18 +132,42 @@ function httpHandler(req, res) {
   }
 }
 
-io.set('log level', 1);
 io.sockets.on('connection', function(sock){
-  socket = sock;
   process.stdout.write('connection established!');
-  writeMarkdown(process.stdin, socket);
-  process.stdin.resume();
+  if (lastWrittenMarkdown) {
+    sock.emit('newContent', lastWrittenMarkdown);
+  }
 });
 
 
-if (process.platform.toLowerCase().indexOf('darwin') >= 0){
-  exec('open -g http://localhost:8090', function(error, stdout, stderr){});
+function onListening() {
+  if (process.platform.toLowerCase().indexOf('darwin') >= 0){
+    exec('open -g http://localhost:8090');
+  }
+  else {  // assume unix/linux
+    exec('xdg-open http://localhost:8090');
+  }
+  readAllInput(process.stdin, function(body) {
+    writeMarkdown(body);
+  });
+  process.stdin.resume();
 }
-else {  // assume unix/linux
-  exec('xdg-open http://localhost:8090', function(error, stdout, stderr){});
+
+function onServerError(e) {
+  if (e.code === 'EADDRINUSE') {
+    readAllInput(process.stdin, function(body) {
+      // Forward to existing instant-markdown-d server.
+      require('http').request({
+        hostname: 'localhost',
+        port: 8090,
+        path: '/',
+        method: 'PUT',
+      }).end(body);
+    });
+    process.stdin.resume();
+    return;
+  }
+
+  // Another unexpected error. Raise it again.
+  throw e;
 }

package.json

@@ -13,6 +13,6 @@
     "highlight.js": "^8.4.0",
     "markdown-it": "^3.0.3",
     "send": "~0.1.0",
-    "socket.io": ""
+    "socket.io": "^1.4.5"
   }
 }