mirror of
https://github.com/khoj-ai/khoj.git
synced 2024-11-23 23:48:56 +01:00
Merge pull request from GHSA-h2q2-vch3-72qm
Add CSP and sanitize chat messages in Obsidian, Desktop, Web apps
This commit is contained in:
commit
1dfd6d7391
8 changed files with 733 additions and 136 deletions
3
src/interface/desktop/assets/purify.min.js
vendored
Normal file
3
src/interface/desktop/assets/purify.min.js
vendored
Normal file
File diff suppressed because one or more lines are too long
|
@ -8,6 +8,7 @@
|
|||
<link rel="icon" type="image/png" sizes="128x128" href="./assets/icons/favicon-128x128.png">
|
||||
<link rel="manifest" href="/static/khoj.webmanifest">
|
||||
</head>
|
||||
<script type="text/javascript" src="./assets/purify.min.js?v={{ khoj_version }}"></script>
|
||||
<script type="text/javascript" src="./assets/markdown-it.min.js"></script>
|
||||
<script src="./utils.js"></script>
|
||||
|
||||
|
@ -282,6 +283,8 @@
|
|||
|
||||
// Render markdown
|
||||
newHTML = raw ? newHTML : md.render(newHTML);
|
||||
// Sanitize the rendered markdown
|
||||
newHTML = DOMPurify.sanitize(newHTML);
|
||||
// Set rendered markdown to HTML DOM element
|
||||
let element = document.createElement('div');
|
||||
element.innerHTML = newHTML;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
const { app, BrowserWindow, ipcMain, Tray, Menu, nativeImage, shell } = require('electron');
|
||||
const { app, BrowserWindow, ipcMain, Tray, Menu, nativeImage, shell, session } = require('electron');
|
||||
const todesktop = require("@todesktop/runtime");
|
||||
const khojPackage = require('./package.json');
|
||||
|
||||
|
@ -401,6 +401,33 @@ async function getUserInfo() {
|
|||
}
|
||||
}
|
||||
|
||||
function addCSPHeaderToSession () {
|
||||
// Get hostURL from store or use default
|
||||
const hostURL = store.get('hostURL') || KHOJ_URL;
|
||||
|
||||
// Construct Content Security Policy
|
||||
const defaultDomains = `'self' ${hostURL} https://app.khoj.dev https://assets.khoj.dev`;
|
||||
const default_src = `default-src ${defaultDomains};`;
|
||||
const script_src = `script-src ${defaultDomains} 'unsafe-inline';`;
|
||||
const connect_src = `connect-src ${hostURL} https://ipapi.co/json;`;
|
||||
const style_src = `style-src ${defaultDomains} 'unsafe-inline' https://fonts.googleapis.com;`;
|
||||
const img_src = `img-src ${defaultDomains} data: https://*.khoj.dev https://*.googleusercontent.com;`;
|
||||
const font_src = `font-src https://fonts.gstatic.com;`;
|
||||
const child_src = `child-src 'none';`;
|
||||
const objectSrc = `object-src 'none';`;
|
||||
const csp = `${default_src} ${script_src} ${connect_src} ${style_src} ${img_src} ${font_src} ${child_src} ${objectSrc}`;
|
||||
|
||||
// Add Content Security Policy to all web requests
|
||||
session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
|
||||
callback({
|
||||
responseHeaders: {
|
||||
...details.responseHeaders,
|
||||
'Content-Security-Policy': [csp]
|
||||
}
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
let firstRun = true;
|
||||
let win = null;
|
||||
let titleBarStyle = process.platform === 'win32' ? 'default' : 'hidden';
|
||||
|
@ -480,6 +507,8 @@ const createWindow = (tab = 'chat.html') => {
|
|||
}
|
||||
|
||||
app.whenReady().then(() => {
|
||||
addCSPHeaderToSession();
|
||||
|
||||
ipcMain.on('set-title', handleSetTitle);
|
||||
|
||||
ipcMain.handle('handleFileOpen', (event, type) => {
|
||||
|
|
|
@ -17,6 +17,7 @@
|
|||
"assistant"
|
||||
],
|
||||
"devDependencies": {
|
||||
"@types/dompurify": "^3.0.5",
|
||||
"@types/node": "^16.11.6",
|
||||
"@typescript-eslint/eslint-plugin": "5.29.0",
|
||||
"@typescript-eslint/parser": "5.29.0",
|
||||
|
@ -25,5 +26,8 @@
|
|||
"obsidian": "latest",
|
||||
"tslib": "2.4.0",
|
||||
"typescript": "4.7.4"
|
||||
},
|
||||
"dependencies": {
|
||||
"dompurify": "^3.1.4"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
import { MarkdownRenderer, WorkspaceLeaf, request, requestUrl, setIcon } from 'obsidian';
|
||||
import * as DOMPurify from 'dompurify';
|
||||
import { KhojSetting } from 'src/settings';
|
||||
import { KhojPaneView } from 'src/pane_view';
|
||||
import { KhojView, createCopyParentText, getLinkToEntry, pasteTextAtCursor } from 'src/utils';
|
||||
|
@ -80,6 +81,20 @@ export class KhojChatView extends KhojPaneView {
|
|||
|
||||
super.onOpen();
|
||||
|
||||
// Construct Content Security Policy
|
||||
let defaultDomains = `'self' ${this.setting.khojUrl} https://app.khoj.dev https://assets.khoj.dev`;
|
||||
const defaultSrc = `default-src ${defaultDomains};`;
|
||||
const scriptSrc = `script-src ${defaultDomains} 'unsafe-inline';`;
|
||||
const connectSrc = `connect-src ${this.setting.khojUrl} https://ipapi.co/json;`;
|
||||
const styleSrc = `style-src ${defaultDomains} 'unsafe-inline';`;
|
||||
const imgSrc = `img-src ${defaultDomains} data: https://*.khoj.dev https://*.googleusercontent.com;`;
|
||||
const childSrc = `child-src 'none';`;
|
||||
const objectSrc = `object-src 'none';`;
|
||||
const csp = `${defaultSrc} ${scriptSrc} ${connectSrc} ${styleSrc} ${imgSrc} ${childSrc} ${objectSrc}`;
|
||||
|
||||
// Add CSP meta tag to the Khoj Chat modal
|
||||
document.head.createEl("meta", { attr: { "http-equiv": "Content-Security-Policy", "content": `${csp}` } });
|
||||
|
||||
// Create area for chat logs
|
||||
let chatBodyEl = contentEl.createDiv({ attr: { id: "khoj-chat-body", class: "khoj-chat-body" } });
|
||||
|
||||
|
@ -289,6 +304,9 @@ export class KhojChatView extends KhojPaneView {
|
|||
// Remove any text between <s>[INST] and </s> tags. These are spurious instructions for the AI chat model.
|
||||
rendered_msg = rendered_msg.replace(/<s>\[INST\].+(<\/s>)?/g, '');
|
||||
|
||||
// Sanitize the markdown to render
|
||||
message = DOMPurify.sanitize(message);
|
||||
|
||||
// Render markdow to HTML DOM element
|
||||
let chat_message_body_text_el = this.contentEl.createDiv();
|
||||
chat_message_body_text_el.className = "chat-message-text-response";
|
||||
|
@ -375,6 +393,10 @@ export class KhojChatView extends KhojPaneView {
|
|||
let chat_message_body_el = chatMessageEl.createDiv();
|
||||
chat_message_body_el.addClasses(["khoj-chat-message-text", sender]);
|
||||
let chat_message_body_text_el = chat_message_body_el.createDiv();
|
||||
|
||||
// Sanitize the markdown to render
|
||||
message = DOMPurify.sanitize(message);
|
||||
|
||||
if (raw) {
|
||||
chat_message_body_text_el.innerHTML = message;
|
||||
} else {
|
||||
|
@ -422,6 +444,8 @@ export class KhojChatView extends KhojPaneView {
|
|||
async renderIncrementalMessage(htmlElement: HTMLDivElement, additionalMessage: string) {
|
||||
this.result += additionalMessage;
|
||||
htmlElement.innerHTML = "";
|
||||
// Sanitize the markdown to render
|
||||
this.result = DOMPurify.sanitize(this.result);
|
||||
// @ts-ignore
|
||||
await MarkdownRenderer.renderMarkdown(this.result, htmlElement, '', null);
|
||||
// Render action buttons for the message
|
||||
|
|
File diff suppressed because it is too large
Load diff
3
src/khoj/interface/web/assets/purify.min.js
vendored
Normal file
3
src/khoj/interface/web/assets/purify.min.js
vendored
Normal file
File diff suppressed because one or more lines are too long
|
@ -4,6 +4,15 @@
|
|||
<meta charset="utf-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0 maximum-scale=1.0">
|
||||
<meta property="og:image" content="https://assets.khoj.dev/khoj_hero.png">
|
||||
<meta http-equiv="Content-Security-Policy"
|
||||
content="default-src 'self' https://assets.khoj.dev;
|
||||
script-src 'self' https://assets.khoj.dev 'unsafe-inline';
|
||||
connect-src 'self' https://ipapi.co/json;
|
||||
style-src 'self' https://assets.khoj.dev 'unsafe-inline' https://fonts.googleapis.com;
|
||||
img-src 'self' data: https://*.khoj.dev https://*.googleusercontent.com;
|
||||
font-src https://assets.khoj.dev https://fonts.gstatic.com;
|
||||
child-src 'none';
|
||||
object-src 'none';">
|
||||
<title>Khoj - Chat</title>
|
||||
|
||||
<link rel="stylesheet" href="/static/assets/khoj.css?v={{ khoj_version }}">
|
||||
|
@ -18,6 +27,7 @@
|
|||
<!-- To automatically render math in text elements, include the auto-render extension: -->
|
||||
<script defer src="https://assets.khoj.dev/katex/auto-render.min.js" onload="renderMathInElement(document.body);"></script>
|
||||
</head>
|
||||
<script type="text/javascript" src="/static/assets/purify.min.js?v={{ khoj_version }}"></script>
|
||||
<script type="text/javascript" src="/static/assets/utils.js?v={{ khoj_version }}"></script>
|
||||
<script type="text/javascript" src="/static/assets/markdown-it.min.js?v={{ khoj_version }}"></script>
|
||||
<script>
|
||||
|
@ -365,6 +375,9 @@ To get started, just start typing below. You can also type / to see a list of co
|
|||
newHTML = newHTML.replace(/LEFTPAREN/g, '\\(').replace(/RIGHTPAREN/g, '\\)')
|
||||
.replace(/LEFTBRACKET/g, '\\[').replace(/RIGHTBRACKET/g, '\\]');
|
||||
|
||||
// Sanitize the rendered markdown
|
||||
newHTML = DOMPurify.sanitize(newHTML);
|
||||
|
||||
// Set rendered markdown to HTML DOM element
|
||||
let element = document.createElement('div');
|
||||
element.innerHTML = newHTML;
|
||||
|
|
Loading…
Reference in a new issue