XSS Override (#193)

XSS Override
6 years ago · de637bb70e
5 changed files with 24 additions and 9 deletions
--- a/index.js
+++ b/index.js
@ -94,6 +94,12 @@ if (require.main === module) {
          type: 'string',
          default: process.env.COMMAND || 'login',
        },
+        bypasshelmet: {
+          demand: false,
+          description: 'disable helmet from placing security restrictions',
+          type: 'boolean',
+          default: false,
+        },
        help: {
          demand: false,
          alias: 'h',
--- a/package.json
+++ b/package.json
@ -94,7 +94,7 @@
    "eslint-plugin-typescript": "^1.0.0-rc.1",
    "file-loader": "^3.0.1",
    "husky": "^1.3.1",
-    "lint-staged": "^6.1.1",
+    "lint-staged": "~8.2.0",
    "mini-css-extract-plugin": "^0.5.0",
    "node-sass": "^4.11.0",
    "nodemon": "^1.14.10",
--- a/src/server/index.ts
+++ b/src/server/index.ts
@ -17,6 +17,7 @@ export interface Options {
  port: number;
  title: string;
  command?: string;
+  bypasshelmet?: boolean;
 }

 interface CLI extends Options {
@ -38,6 +39,7 @@ export default class Server {
    command,
    sslkey,
    sslcert,
+    bypasshelmet,
  }: Options): Promise<void> {
    wetty
      .on('exit', ({ code, msg }: { code: number; msg: string }) => {
@ -56,11 +58,11 @@ export default class Server {
        host: sshhost,
        auth: sshauth,
        port: sshport,
-        title: title,
+        title,
        pass: sshpass,
        key: sshkey,
      },
-      { base, host, port, title },
+      { base, host, port, title, bypasshelmet },
      command,
      { key: sslkey, cert: sslcert }
    );
--- a/src/server/interfaces.ts
+++ b/src/server/interfaces.ts
@ -21,4 +21,5 @@ export interface Server {
  port: number;
  host: string;
  base: string;
+  bypasshelmet: boolean;
 }
--- a/src/server/server.ts
+++ b/src/server/server.ts
@ -17,7 +17,7 @@ const distDir = path.join(__dirname, 'client');
 const trim = (str: string): string => str.replace(/\/*$/, '');

 export default function createServer(
-  { base, port, host, title }: Server,
+  { base, port, host, title, bypasshelmet }: Server,
  { key, cert }: SSLBuffer
 ): SocketIO.Server {
  const basePath = trim(base);
@ -61,7 +61,6 @@ export default function createServer(
  const app = express();
  app
    .use(morgan('combined', { stream: logger.stream }))
-    .use(helmet())
    .use(compression())
    .use(favicon(path.join(distDir, 'favicon.ico')))
    .use(`${basePath}/public`, express.static(distDir))
@ -73,9 +72,16 @@ export default function createServer(
      )
        res.redirect(301, req.url.slice(0, -1));
      else next();
-    })
-    .get(basePath, html)
-    .get(`${basePath}/ssh/:user`, html);
+    });
+
+  // Allow helmet to be bypassed.
+  // Unfortunately, order matters with middleware
+  // which is why this is thrown in the middle
+  if (!bypasshelmet) {
+    app.use(helmet());
+  }
+
+  app.get(basePath, html).get(`${basePath}/ssh/:user`, html);

  return socket(
    !isUndefined(key) && !isUndefined(cert)