miniflux/ui/proxy.go

// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
// SPDX-License-Identifier: Apache-2.0

package ui // import "miniflux.app/ui"

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/http"
	"time"

	"miniflux.app/config"
	"miniflux.app/crypto"
	"miniflux.app/http/request"
	"miniflux.app/http/response"
	"miniflux.app/http/response/html"
	"miniflux.app/logger"
)

func (h *handler) mediaProxy(w http.ResponseWriter, r *http.Request) {
	// If we receive a "If-None-Match" header, we assume the media is already stored in browser cache.
	if r.Header.Get("If-None-Match") != "" {
		w.WriteHeader(http.StatusNotModified)
		return
	}

	encodedDigest := request.RouteStringParam(r, "encodedDigest")
	encodedURL := request.RouteStringParam(r, "encodedURL")
	if encodedURL == "" {
		html.BadRequest(w, r, errors.New("No URL provided"))
		return
	}

	decodedDigest, err := base64.URLEncoding.DecodeString(encodedDigest)
	if err != nil {
		html.BadRequest(w, r, errors.New("Unable to decode this Digest"))
		return
	}

	decodedURL, err := base64.URLEncoding.DecodeString(encodedURL)
	if err != nil {
		html.BadRequest(w, r, errors.New("Unable to decode this URL"))
		return
	}

	mac := hmac.New(sha256.New, config.Opts.ProxyPrivateKey())
	mac.Write(decodedURL)
	expectedMAC := mac.Sum(nil)

	if !hmac.Equal(decodedDigest, expectedMAC) {
		html.Forbidden(w, r)
		return
	}

	mediaURL := string(decodedURL)
	logger.Debug(`[Proxy] Fetching %q`, mediaURL)

	req, err := http.NewRequest("GET", mediaURL, nil)
	if err != nil {
		html.ServerError(w, r, err)
		return
	}

	// Note: User-Agent HTTP header is omitted to avoid being blocked by bot protection mechanisms.
	req.Header.Add("Connection", "close")

	forwardedRequestHeader := []string{"Range", "Accept", "Accept-Encoding"}
	for _, requestHeaderName := range forwardedRequestHeader {
		if r.Header.Get(requestHeaderName) != "" {
			req.Header.Add(requestHeaderName, r.Header.Get(requestHeaderName))
		}
	}

	clt := &http.Client{
		Transport: &http.Transport{
			IdleConnTimeout: time.Duration(config.Opts.ProxyHTTPClientTimeout()) * time.Second,
		},
		Timeout: time.Duration(config.Opts.ProxyHTTPClientTimeout()) * time.Second,
	}

	resp, err := clt.Do(req)
	if err != nil {
		logger.Error(`[Proxy] Unable to initialize HTTP client: %v`, err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}
	defer resp.Body.Close()

	if resp.StatusCode == http.StatusRequestedRangeNotSatisfiable {
		logger.Error(`[Proxy] Status Code is %d for URL %q`, resp.StatusCode, mediaURL)
		html.RequestedRangeNotSatisfiable(w, r, resp.Header.Get("Content-Range"))
		return
	}
	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusPartialContent {
		logger.Error(`[Proxy] Status Code is %d for URL %q`, resp.StatusCode, mediaURL)
		html.NotFound(w, r)
		return
	}

	etag := crypto.HashFromBytes(decodedURL)

	response.New(w, r).WithCaching(etag, 72*time.Hour, func(b *response.Builder) {
		b.WithStatus(resp.StatusCode)
		b.WithHeader("Content-Security-Policy", `default-src 'self'`)
		b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))
		forwardedResponseHeader := []string{"Content-Encoding", "Content-Type", "Content-Length", "Accept-Ranges", "Content-Range"}
		for _, responseHeaderName := range forwardedResponseHeader {
			if resp.Header.Get(responseHeaderName) != "" {
				b.WithHeader(responseHeaderName, resp.Header.Get(responseHeaderName))
			}
		}
		b.WithBody(resp.Body)
		b.WithoutCompression()
		b.Write()
	})
}
Replace copyright header with SPDX identifier 2023-06-19 17:42:47 -04:00			`// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.`
			`// SPDX-License-Identifier: Apache-2.0`
First commit 2017-11-20 00:10:04 -05:00
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`package ui // import "miniflux.app/ui"`
First commit 2017-11-20 00:10:04 -05:00
			`import (`
Proxify images in API responses 2022-10-15 02:17:17 -04:00			`"crypto/hmac"`
			`"crypto/sha256"`
First commit 2017-11-20 00:10:04 -05:00			`"encoding/base64"`
			`"errors"`
Use vanilla HTTP handlers (refactoring) 2018-04-29 19:35:04 -04:00			`"net/http"`
First commit 2017-11-20 00:10:04 -05:00			`"time"`
Improve image proxy 2017-11-22 02:09:01 -05:00
Do not buffer responses in the image proxy The image proxy buffered the whole image before sending it to the browser. If the image is large and/or hosted on a slow server, this caused a long delay before the user's browser could display anything. 2019-08-14 11:54:02 -04:00			`"miniflux.app/config"`
Use canonical imports 2018-08-25 00:51:50 -04:00			`"miniflux.app/crypto"`
			`"miniflux.app/http/request"`
			`"miniflux.app/http/response"`
			`"miniflux.app/http/response/html"`
Log image proxy URL in debug mode 2019-09-22 14:17:15 -04:00			`"miniflux.app/logger"`
First commit 2017-11-20 00:10:04 -05:00			`)`

Proxy support for several media types closes #615 closes #635 2023-02-25 03:36:19 -05:00			`func (h handler) mediaProxy(w http.ResponseWriter, r http.Request) {`
			`// If we receive a "If-None-Match" header, we assume the media is already stored in browser cache.`
Use vanilla HTTP handlers (refactoring) 2018-04-29 19:35:04 -04:00			`if r.Header.Get("If-None-Match") != "" {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`w.WriteHeader(http.StatusNotModified)`
Improve image proxy 2017-11-22 02:09:01 -05:00			`return`
			`}`

Proxify images in API responses 2022-10-15 02:17:17 -04:00			`encodedDigest := request.RouteStringParam(r, "encodedDigest")`
Improve request package and add more unit tests 2018-09-24 00:02:26 -04:00			`encodedURL := request.RouteStringParam(r, "encodedURL")`
First commit 2017-11-20 00:10:04 -05:00			`if encodedURL == "" {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`html.BadRequest(w, r, errors.New("No URL provided"))`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Proxify images in API responses 2022-10-15 02:17:17 -04:00			`decodedDigest, err := base64.URLEncoding.DecodeString(encodedDigest)`
			`if err != nil {`
			`html.BadRequest(w, r, errors.New("Unable to decode this Digest"))`
			`return`
			`}`

Use base64 URL encoding instead of standard encoding 2017-12-18 21:06:53 -05:00			`decodedURL, err := base64.URLEncoding.DecodeString(encodedURL)`
First commit 2017-11-20 00:10:04 -05:00			`if err != nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`html.BadRequest(w, r, errors.New("Unable to decode this URL"))`
First commit 2017-11-20 00:10:04 -05:00			`return`
Proxify images in API responses 2022-10-15 02:17:17 -04:00			`}`

			`mac := hmac.New(sha256.New, config.Opts.ProxyPrivateKey())`
			`mac.Write(decodedURL)`
			`expectedMAC := mac.Sum(nil)`

			`if !hmac.Equal(decodedDigest, expectedMAC) {`
			`html.Forbidden(w, r)`
			`return`
First commit 2017-11-20 00:10:04 -05:00			`}`

Proxy support for several media types closes #615 closes #635 2023-02-25 03:36:19 -05:00			`mediaURL := string(decodedURL)`
			logger.Debug(`[Proxy] Fetching %q`, mediaURL)
Log image proxy URL in debug mode 2019-09-22 14:17:15 -04:00
Proxy support for several media types closes #615 closes #635 2023-02-25 03:36:19 -05:00			`req, err := http.NewRequest("GET", mediaURL, nil)`
First commit 2017-11-20 00:10:04 -05:00			`if err != nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`html.ServerError(w, r, err)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`
Omit User-Agent header in image proxy to avoid being blocked 2022-01-09 23:18:08 -05:00
			`// Note: User-Agent HTTP header is omitted to avoid being blocked by bot protection mechanisms.`
Do not buffer responses in the image proxy The image proxy buffered the whole image before sending it to the browser. If the image is large and/or hosted on a slow server, this caused a long delay before the user's browser could display anything. 2019-08-14 11:54:02 -04:00			`req.Header.Add("Connection", "close")`
First commit 2017-11-20 00:10:04 -05:00
Proxy support for several media types closes #615 closes #635 2023-02-25 03:36:19 -05:00			`forwardedRequestHeader := []string{"Range", "Accept", "Accept-Encoding"}`
			`for _, requestHeaderName := range forwardedRequestHeader {`
			`if r.Header.Get(requestHeaderName) != "" {`
			`req.Header.Add(requestHeaderName, r.Header.Get(requestHeaderName))`
			`}`
			`}`

Do not buffer responses in the image proxy The image proxy buffered the whole image before sending it to the browser. If the image is large and/or hosted on a slow server, this caused a long delay before the user's browser could display anything. 2019-08-14 11:54:02 -04:00			`clt := &http.Client{`
Proxy support for several media types closes #615 closes #635 2023-02-25 03:36:19 -05:00			`Transport: &http.Transport{`
			`IdleConnTimeout: time.Duration(config.Opts.ProxyHTTPClientTimeout()) * time.Second,`
			`},`
			`Timeout: time.Duration(config.Opts.ProxyHTTPClientTimeout()) * time.Second,`
Do not buffer responses in the image proxy The image proxy buffered the whole image before sending it to the browser. If the image is large and/or hosted on a slow server, this caused a long delay before the user's browser could display anything. 2019-08-14 11:54:02 -04:00			`}`

			`resp, err := clt.Do(req)`
			`if err != nil {`
Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler Creating an RSS feed item with the inline description containing an `<img>` tag with a `srcset` attribute pointing to an invalid URL like `http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full. This results in JavaScript execution on the Miniflux instance as soon as the user is convinced to open the broken image. 2023-03-13 01:15:43 -04:00			logger.Error(`[Proxy] Unable to initialize HTTP client: %v`, err)
			`http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)`
Do not buffer responses in the image proxy The image proxy buffered the whole image before sending it to the browser. If the image is large and/or hosted on a slow server, this caused a long delay before the user's browser could display anything. 2019-08-14 11:54:02 -04:00			`return`
			`}`
			`defer resp.Body.Close()`

Proxy support for several media types closes #615 closes #635 2023-02-25 03:36:19 -05:00			`if resp.StatusCode == http.StatusRequestedRangeNotSatisfiable {`
			logger.Error(`[Proxy] Status Code is %d for URL %q`, resp.StatusCode, mediaURL)
			`html.RequestedRangeNotSatisfiable(w, r, resp.Header.Get("Content-Range"))`
			`return`
			`}`
			`if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusPartialContent {`
			logger.Error(`[Proxy] Status Code is %d for URL %q`, resp.StatusCode, mediaURL)
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`html.NotFound(w, r)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Do not buffer responses in the image proxy The image proxy buffered the whole image before sending it to the browser. If the image is large and/or hosted on a slow server, this caused a long delay before the user's browser could display anything. 2019-08-14 11:54:02 -04:00			`etag := crypto.HashFromBytes(decodedURL)`
First commit 2017-11-20 00:10:04 -05:00
Do not buffer responses in the image proxy The image proxy buffered the whole image before sending it to the browser. If the image is large and/or hosted on a slow server, this caused a long delay before the user's browser could display anything. 2019-08-14 11:54:02 -04:00			`response.New(w, r).WithCaching(etag, 72time.Hour, func(b response.Builder) {`
Proxy support for several media types closes #615 closes #635 2023-02-25 03:36:19 -05:00			`b.WithStatus(resp.StatusCode)`
Add Content-Security-Policy header to feed icon url - SVG images could contains Javascript. This CSP blocks inline script. - Feed icons are served using <img> tag and Javascript is not interpreted. See https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image#restrictions 2022-01-02 20:24:49 -05:00			b.WithHeader("Content-Security-Policy", `default-src 'self'`)
Do not buffer responses in the image proxy The image proxy buffered the whole image before sending it to the browser. If the image is large and/or hosted on a slow server, this caused a long delay before the user's browser could display anything. 2019-08-14 11:54:02 -04:00			`b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))`
Proxy support for several media types closes #615 closes #635 2023-02-25 03:36:19 -05:00			`forwardedResponseHeader := []string{"Content-Encoding", "Content-Type", "Content-Length", "Accept-Ranges", "Content-Range"}`
			`for _, responseHeaderName := range forwardedResponseHeader {`
			`if resp.Header.Get(responseHeaderName) != "" {`
			`b.WithHeader(responseHeaderName, resp.Header.Get(responseHeaderName))`
			`}`
			`}`
Do not buffer responses in the image proxy The image proxy buffered the whole image before sending it to the browser. If the image is large and/or hosted on a slow server, this caused a long delay before the user's browser could display anything. 2019-08-14 11:54:02 -04:00			`b.WithBody(resp.Body)`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`b.WithoutCompression()`
			`b.Write()`
			`})`
First commit 2017-11-20 00:10:04 -05:00			`}`