0
0
mirror of https://github.com/neon-mmd/websurfx.git synced 2024-12-22 12:28:21 -05:00

Merge pull request #174 from neon-mmd/patch-csrf-security-with-cors

🛠️ Provide CORS protection against CSRF attacks
This commit is contained in:
zhou fan 2023-08-04 17:44:07 +08:00 committed by GitHub
commit a5b7d08dc6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 38 additions and 9 deletions

30
Cargo.lock generated
View File

@ -19,6 +19,21 @@ dependencies = [
"tracing",
]
[[package]]
name = "actix-cors"
version = "0.6.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b340e9cfa5b08690aae90fb61beb44e9b06f44fe3d0f93781aaa58cfba86245e"
dependencies = [
"actix-utils",
"actix-web",
"derive_more",
"futures-util",
"log",
"once_cell",
"smallvec 1.11.0",
]
[[package]]
name = "actix-files"
version = "0.6.2"
@ -190,7 +205,7 @@ dependencies = [
"serde_urlencoded 0.7.1",
"smallvec 1.11.0",
"socket2",
"time 0.3.24",
"time 0.3.25",
"url 2.4.0",
]
@ -583,7 +598,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e859cd57d0710d9e06c381b550c06e76992472a8c6d527aecd2fc673dcc231fb"
dependencies = [
"percent-encoding 2.3.0",
"time 0.3.24",
"time 0.3.25",
"version_check",
]
@ -801,9 +816,9 @@ dependencies = [
[[package]]
name = "deranged"
version = "0.3.6"
version = "0.3.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8810e7e2cf385b1e9b50d68264908ec367ba642c96d02edfe61c39e88e2a3c01"
checksum = "7684a49fb1af197853ef7b2ee694bc1f5b4179556f1e5710e1760c5db6f5e929"
[[package]]
name = "derive_more"
@ -3000,9 +3015,9 @@ dependencies = [
[[package]]
name = "time"
version = "0.3.24"
version = "0.3.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b79eabcd964882a646b3584543ccabeae7869e9ac32a46f6f22b7a5bd405308b"
checksum = "b0fdd63d58b18d663fbdf70e049f00a22c8e42be082203be7f26589213cd75ea"
dependencies = [
"deranged",
"itoa 1.0.9",
@ -3519,8 +3534,9 @@ dependencies = [
[[package]]
name = "websurfx"
version = "0.16.0"
version = "0.16.1"
dependencies = [
"actix-cors",
"actix-files",
"actix-web",
"async-trait",

View File

@ -1,6 +1,6 @@
[package]
name = "websurfx"
version = "0.16.0"
version = "0.16.1"
edition = "2021"
description = "An open-source alternative to Searx that provides clean, ad-free, and organic results with incredible speed while keeping privacy and security in mind."
repository = "https://github.com/neon-mmd/websurfx"
@ -14,6 +14,7 @@ handlebars = { version = "4.3.6", features = ["dir_source"] }
scraper = {version="*"}
actix-web = {version="4.3.1", features = ["cookies"]}
actix-files = {version="0.6.2"}
actix-cors = {version="0.6.4"}
serde_json = {version="*"}
fake-useragent = {version="*"}
env_logger = {version="0.10.0"}

View File

@ -12,8 +12,9 @@ use std::net::TcpListener;
use crate::server::routes;
use actix_cors::Cors;
use actix_files as fs;
use actix_web::{dev::Server, middleware::Logger, web, App, HttpServer};
use actix_web::{dev::Server, http::header, middleware::Logger, web, App, HttpServer};
use config::parser::Config;
use handlebars::Handlebars;
use handler::public_paths::public_path;
@ -52,9 +53,20 @@ pub fn run(listener: TcpListener, config: Config) -> std::io::Result<Server> {
let cloned_config_threads_opt: u8 = config.threads;
let server = HttpServer::new(move || {
let cors: Cors = Cors::default()
.allow_any_origin()
.allowed_methods(vec!["GET"])
.allowed_headers(vec![
header::ORIGIN,
header::CONTENT_TYPE,
header::REFERER,
header::COOKIE,
]);
App::new()
.app_data(handlebars_ref.clone())
.app_data(web::Data::new(config.clone()))
.wrap(cors)
.wrap(Logger::default()) // added logging middleware for logging.
// Serve images and static files (css and js files).
.service(