Update to helmet 5 (github#28488)

* Update to helmet 5

* Disable cross-origin-embedder-policy

* Update helmet.js

* Update helmet.js

* Add CORS on get / options

* Update helmet.js

* Update helmet.js

* Update helmet.js

* Update helmet.js

* Revert "Update helmet.js"

This reverts commit 61ad2fb641ca16a31bf148164c395f2ba91e1734.

* Open up github domains

* Include self

* Update helmet.js

* Update helmet.js

Author: heiskr

middleware/cors.js

@@ -0,0 +1,91 @@
+import helmet from 'helmet'
+import { cloneDeep } from 'lodash-es'
+import isArchivedVersion from '../lib/is-archived-version.js'
+import versionSatisfiesRange from '../lib/version-satisfies-range.js'
+
+const isDev = process.env.NODE_ENV === 'development'
+const AZURE_STORAGE_URL = 'githubdocs.azureedge.net'
+const GITHUB_DOMAINS = [
+  "'self'",
+  'github.com',
+  '*.github.com',
+  '*.githubusercontent.com',
+  '*.githubassets.com',
+]
+
+const DEFAULT_OPTIONS = {
+  crossOriginResourcePolicy: true,
+  crossOriginEmbedderPolicy: false, // doesn't work with youtube
+  referrerPolicy: {
+    policy: 'strict-origin-when-cross-origin',
+  },
+  // This module defines a Content Security Policy (CSP) to disallow
+  // inline scripts and content from untrusted sources.
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'none'"],
+      prefetchSrc: ["'self'"],
+      // When doing local dev, especially in Safari, you need to add `ws:`
+      // which NextJS uses for the hot module reloading.
+      connectSrc: ["'self'", isDev && 'ws:'].filter(Boolean),
+      fontSrc: ["'self'", 'data:', AZURE_STORAGE_URL],
+      imgSrc: [...GITHUB_DOMAINS, 'data:', AZURE_STORAGE_URL, 'placehold.it'],
+      objectSrc: ["'self'"],
+      // For use during development only!
+      // `unsafe-eval` allows us to use a performant webpack devtool setting (eval)
+      // https://webpack.js.org/configuration/devtool/#devtool
+      scriptSrc: ["'self'", isDev && "'unsafe-eval'"].filter(Boolean),
+      frameSrc: [
+        ...GITHUB_DOMAINS,
+        isDev && 'http://localhost:3000',
+        'https://www.youtube-nocookie.com',
+      ].filter(Boolean),
+      frameAncestors: [...GITHUB_DOMAINS],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      childSrc: ["'self'"], // exception for search in deprecated GHE versions
+    },
+  },
+}
+
+const NODE_DEPRECATED_OPTIONS = cloneDeep(DEFAULT_OPTIONS)
+const { directives: ndDirs } = NODE_DEPRECATED_OPTIONS.contentSecurityPolicy
+ndDirs.scriptSrc.push(
+  "'unsafe-eval'",
+  "'unsafe-inline'",
+  'http://www.google-analytics.com',
+  'https://ssl.google-analytics.com'
+)
+ndDirs.connectSrc.push('https://www.google-analytics.com')
+ndDirs.imgSrc.push('http://www.google-analytics.com', 'https://ssl.google-analytics.com')
+
+const STATIC_DEPRECATED_OPTIONS = cloneDeep(DEFAULT_OPTIONS)
+STATIC_DEPRECATED_OPTIONS.contentSecurityPolicy.directives.scriptSrc.push("'unsafe-inline'")
+
+const defaultHelmet = helmet(DEFAULT_OPTIONS)
+const nodeDeprecatedHelmet = helmet(NODE_DEPRECATED_OPTIONS)
+const staticDeprecatedHelmet = helmet(STATIC_DEPRECATED_OPTIONS)
+
+export default function helmetMiddleware(req, res, next) {
+  // Enable CORS
+  if (['GET', 'OPTIONS'].includes(req.method)) {
+    res.set('access-control-allow-origin', '*')
+  }
+
+  // Determine version for exceptions
+  const { requestedVersion } = isArchivedVersion(req)
+
+  // Exception for deprecated Enterprise docs (Node.js era)
+  if (
+    versionSatisfiesRange(requestedVersion, '<=2.19') &&
+    versionSatisfiesRange(requestedVersion, '>2.12')
+  ) {
+    return nodeDeprecatedHelmet(req, res, next)
+  }
+
+  // Exception for search in deprecated Enterprise docs <=2.12 (static site era)
+  if (versionSatisfiesRange(requestedVersion, '<=2.12')) {
+    return staticDeprecatedHelmet(req, res, next)
+  }
+
+  return defaultHelmet(req, res, next)
+}

middleware/csp.js

@@ -9,9 +9,7 @@ import abort from './abort.js'
 import timeout from './timeout.js'
 import morgan from 'morgan'
 import datadog from './connect-datadog.js'
-import cors from './cors.js'
-import helmet from 'helmet'
-import csp from './csp.js'
+import helmet from './helmet.js'
 import cookieParser from './cookie-parser.js'
 import csrf from './csrf.js'
 import handleCsrfErrors from './handle-csrf-errors.js'
@@ -208,17 +206,7 @@ export default function (app) {
   app.use(instrument(handleNextDataPath, './handle-next-data-path'))
 
   // *** Security ***
-  app.use(cors)
-  app.use(
-    helmet({
-      // Override referrerPolicy to match the browser's default: "strict-origin-when-cross-origin".
-      // Helmet now defaults to "no-referrer", which is a problem for our archived assets proxying.
-      referrerPolicy: {
-        policy: 'strict-origin-when-cross-origin',
-      },
-    })
-  )
-  app.use(csp) // Must come after helmet
+  app.use(helmet)
   app.use(cookieParser) // Must come before csrf
   app.use(express.json()) // Must come before csrf
 

middleware/helmet.js

@@ -37,7 +37,7 @@
     "hast-util-select": "^5.0.1",
     "hast-util-to-string": "^2.0.0",
     "hastscript": "^7.0.2",
-    "helmet": "^4.6.0",
+    "helmet": "^5.1.0",
     "highlight.js": "11.4.0",
     "highlightjs-curl": "^1.3.0",
     "highlightjs-graphql": "^1.0.2",