fix: Add basic CSRF protection

Closes #12

.github/workflows/code-quality.yml

@@ -0,0 +1,26 @@
+name: Deploy
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  format:
+    name: Format
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Use Node.js 16.x
+        uses: actions/setup-node@v2
+        with:
+          node-version: 16.x
+          cache: "npm"
+
+      - run: npm ci
+
+      - run: npx prettier --check .
+# vim: set et ts=2 sw=2:

index.js

@@ -27,8 +27,8 @@ const handlebars = require("handlebars");
 
 const port = +process.env.PORT || 8080;
 
-let app = express();
-let http = app.listen(port);
+const app = express();
+const http = app.listen(port);
 
 app.set("views", path.join(__dirname, "views"));
 app.engine(
@@ -175,6 +175,24 @@ function flashify(req, obj) {
   return obj;
 }
 
+app.use((req, res, next) => {
+  if (req.method === "GET") {
+    return next();
+  }
+  let sourceHost = null;
+  if (req.headers.origin) {
+    sourceHost = new URL(req.headers.origin).host;
+  } else if (req.headers.referer) {
+    sourceHost = new URL(req.headers.referer).host;
+  }
+  if (sourceHost !== req.headers.host) {
+    throw new Error(
+      "Origin or Referer header does not match or is missing. Request has been blocked to prevent CSRF"
+    );
+  }
+  next();
+});
+
 app.all("/*", (req, res, next) => {
   res.filename = req.params[0];
 

package.json

@@ -10,6 +10,7 @@
     "file-manager": "index.js"
   },
   "dependencies": {
+    "@primer/octicons": "^16.1.1",
     "archiver": "^5.3.0",
     "body-parser": "^1.19.0",
     "bootstrap": "^5.0.0",
@@ -22,7 +23,6 @@
     "jquery": "^3.6.0",
     "node-pty": "^0.10.1",
     "notp": "^2.0.3",
-    "@primer/octicons": "^16.1.1",
     "rimraf": "^3.0.2",
     "thirty-two": "^1.0.2",
     "ws": "^8.2.3",