Security Event Logging & Bugfixes (#1882)

* Fixed bookmarking failing to convert to webp * Brought the ag-swipe/ng-swipe code into Kavita due to being abandoned by developer and angular requirements. * Fixed average reading time per week finally * Cleaned up some extra decimals on time duration pipe * Don't try to update index.html for base url on local. Fixed ag-swipe on prod mode. * Updated a link on theme manager to point to the new github * Range knobs should be primary color on firefox too * Implemented the ability to get thumbnails of pages inside an archive or pdf. * Updated packages and fixed opds-ps 1.2 issue * Fixed lock file * Allow Kavita's Swagger to hit instances with CORS * Added IP/Request logging for Security Audits * Linked up Summary tag from CBL into Kavita. * Redid the migration so SecurityEvent now has UTC date as well. * Split security logging to a separate file * Update to new versions of checkout and setup * Added a PR check on PR body to ensure that it doesn't contain any characters that break our discord hook. * Updating action * optimize regex in action * Fixed an issue where fit to width would cause the actual height of the image to be shown for pagination bars, instead of rendered. * Added some new code in GetPageFromFiles to ensure pages that exceed array map down to last file. * Added comment about robots * Fixed up unit tests for new ReaderService signature * Kavita now cleans up empty reading lists at night * Don't allow nightly cleanup to run if we are running media conversion tasks * Fixed some bugs in typeahead, it should behave much more reliably. * Fix an issue where emulate comic book wasn't extending to the bottom properly * Added support for Series Chapter 001 Volume 001 * Refactor XFrameOptions="SameOrigins" out to allow users to override in appsettings.json. * Added a rate limiter for some endpoints, but it doesn't seem to be triggering --------- Co-authored-by: Robbie Davis <robbie@therobbiedavis.com>
2023-03-16 15:57:34 -05:00 · 2023-03-16 15:57:34 -05:00 · c10acb1279
commit c10acb1279
parent 21203414f0
60 changed files with 2890 additions and 302 deletions
--- a/Kavita.Common/Configuration.cs
+++ b/Kavita.Common/Configuration.cs
@ -10,6 +10,7 @@ public static class Configuration
 {
    public const string DefaultIpAddresses = "0.0.0.0,::";
    public const string DefaultBaseUrl = "/";
+    public const string DefaultXFrameOptions = "SAMEORIGIN";
    private static readonly string AppSettingsFilename = Path.Join("config", GetAppSettingFilename());

    public static int Port
@ -36,6 +37,8 @@ public static class Configuration
        set => SetBaseUrl(GetAppSettingFilename(), value);
    }

+    public static string XFrameOptions => GetXFrameOptions(GetAppSettingFilename());
+
    private static string GetAppSettingFilename()
    {
        if (!string.IsNullOrEmpty(AppSettingsFilename))
@ -224,7 +227,7 @@ public static class Configuration
            if (jsonObj.TryGetProperty(key, out JsonElement tokenElement))
            {
                var baseUrl = tokenElement.GetString();
-                if (!String.IsNullOrEmpty(baseUrl))
+                if (!string.IsNullOrEmpty(baseUrl))
                {
                    baseUrl = !baseUrl.StartsWith("/")
                                ? $"/{baseUrl}"
@ -277,6 +280,35 @@ public static class Configuration
    }
    #endregion

+    #region XFrameOrigins
+    private static string GetXFrameOptions(string filePath)
+    {
+        if (new OsInfo(Array.Empty<IOsVersionAdapter>()).IsDocker)
+        {
+            return DefaultBaseUrl;
+        }
+
+        try
+        {
+            var json = File.ReadAllText(filePath);
+            var jsonObj = JsonSerializer.Deserialize<dynamic>(json);
+            const string key = "XFrameOrigins";
+
+            if (jsonObj.TryGetProperty(key, out JsonElement tokenElement))
+            {
+                var origins = tokenElement.GetString();
+                return !string.IsNullOrEmpty(origins) ? origins : DefaultBaseUrl;
+            }
+        }
+        catch (Exception ex)
+        {
+            Console.WriteLine("Error reading app settings: " + ex.Message);
+        }
+
+        return DefaultXFrameOptions;
+    }
+    #endregion
+
    private class AppSettings
    {
        public string TokenKey { get; set; }