Merge pull request 'fix: security hardening from pentest findings' (#6) from fix/pentest-security-hardening into stage
Stage — Build, push & deploy to marketing-stage / deploy-stage (push) Failing after 2m37s
Stage — Build, push & deploy to marketing-stage / deploy-stage (push) Failing after 2m37s
This commit was merged in pull request #6.
This commit is contained in:
+79
-13
@@ -502,7 +502,7 @@ fn config_get(key: String) -> String {
|
||||
// function - it serves __html_file__ directly with text/html.
|
||||
// This handler covers /api/* and /brand/* routes.
|
||||
|
||||
fn handle_request(method: String, path: String, body: String) -> String {
|
||||
fn handle_request_inner(method: String, path: String, body: String) -> String {
|
||||
let src_dir: String = state_get("__src_dir__")
|
||||
|
||||
// ── Root — serve El-generated landing page ────────────────────────────────
|
||||
@@ -520,7 +520,7 @@ fn handle_request(method: String, path: String, body: String) -> String {
|
||||
|
||||
// ── robots.txt ────────────────────────────────────────────────────────────
|
||||
if str_eq(path, "/robots.txt") {
|
||||
return "User-agent: *\nAllow: /\nSitemap: https://neurontechnologies.ai/sitemap.xml\n"
|
||||
return "User-agent: *\nAllow: /\n"
|
||||
}
|
||||
|
||||
// ── About page ────────────────────────────────────────────────────────────
|
||||
@@ -990,12 +990,18 @@ fn handle_request(method: String, path: String, body: String) -> String {
|
||||
let ua_safe: String = str_replace(str_replace(attest_ua, "\\", "\\\\"), "\"", "\\\"")
|
||||
// Write to Supabase waitlist (attestation in dedicated column)
|
||||
waitlist_upsert(attest_email, attest_name, attest_plan, "founding-attestation", attest_text, attest_ua, 0)
|
||||
// Also save to GCS as immutable legal record
|
||||
// Also save to GCS as immutable legal record.
|
||||
// Written to the dedicated attestations bucket (GCS_ATTEST_BUCKET) which
|
||||
// is private and separate from the public-read shares bucket.
|
||||
let record: String = "{\"plan\":\"" + attest_plan + "\",\"name\":\"" + n_safe + "\",\"email\":\"" + e_safe + "\",\"timestamp\":\"" + attest_ts + "\",\"attestation\":\"" + t_safe + "\",\"user_agent\":\"" + ua_safe + "\"}"
|
||||
let gcs_bucket: String = env("GCS_SHARE_BUCKET")
|
||||
if !str_eq(gcs_bucket, "") {
|
||||
let attest_key: String = "attestations/" + attest_ts + "-" + attest_email + ".json"
|
||||
let gcs_ok: String = gcs_write(gcs_bucket, attest_key, record)
|
||||
let attest_bucket: String = env("GCS_ATTEST_BUCKET")
|
||||
if str_eq(attest_bucket, "") {
|
||||
// Fall back to share bucket with attestations/ prefix for legacy deploys
|
||||
let attest_bucket = env("GCS_SHARE_BUCKET")
|
||||
}
|
||||
if !str_eq(attest_bucket, "") {
|
||||
let attest_key: String = attest_ts + "-" + attest_email + ".json"
|
||||
let gcs_ok: String = gcs_write(attest_bucket, attest_key, record)
|
||||
println("[attest] gcs write " + attest_key + " -> " + gcs_ok)
|
||||
}
|
||||
// Email notification
|
||||
@@ -1117,15 +1123,21 @@ fn handle_request(method: String, path: String, body: String) -> String {
|
||||
}
|
||||
state_set(rl_key, int_to_str(rl_count + 1) + "|" + int_to_str(today_day))
|
||||
}
|
||||
// Turnstile: verify on first message only (tokens are single-use).
|
||||
// Per-message verification breaks chat flow. Forms get full verification.
|
||||
// Turnstile: server-side verification is mandatory on every first
|
||||
// message (tokens are single-use; per-message verification would
|
||||
// break streaming chat flow so only the first message carries one).
|
||||
// Requests without a cf_token are rejected outright — the widget
|
||||
// must execute successfully before the first POST is sent.
|
||||
let cf_token: String = json_get(body, "cf_token")
|
||||
if !str_eq(cf_token, "") {
|
||||
let ts_secret: String = "0x4AAAAAADHAZTok46L-l2sa9biSGpgN3GY"
|
||||
let ts_secret: String = state_get("__turnstile_secret_key__")
|
||||
if str_eq(cf_token, "") && !str_eq(ts_secret, "") {
|
||||
return "{\"error\":\"Bot check required. Please complete the challenge.\"}"
|
||||
}
|
||||
if !str_eq(cf_token, "") && !str_eq(ts_secret, "") {
|
||||
let verify_body: String = "secret=" + ts_secret + "&response=" + cf_token
|
||||
let verify_resp: String = http_post("https://challenges.cloudflare.com/turnstile/v0/siteverify", verify_body)
|
||||
let verify_resp: String = http_post("https://challenges.cloudflare.com/turnstile/v1/siteverify", verify_body)
|
||||
let is_valid: String = json_get(verify_resp, "success")
|
||||
if str_eq(is_valid, "false") {
|
||||
if !str_eq(is_valid, "true") {
|
||||
return "{\"error\":\"Bot check failed. Please try again.\"}"
|
||||
}
|
||||
}
|
||||
@@ -1617,9 +1629,15 @@ fn handle_request(method: String, path: String, body: String) -> String {
|
||||
} else {
|
||||
let share_html = fs_read(src_dir + "/shares/" + id + ".html")
|
||||
}
|
||||
// Guard against empty responses and GCS error JSON (e.g. {"error":...}).
|
||||
// A valid share card always starts with "<" (HTML). Anything else is
|
||||
// treated as a missing card to avoid leaking bucket names or GCS details.
|
||||
if str_eq(share_html, "") {
|
||||
return "{\"__status__\":404,\"error\":\"not found\"}"
|
||||
}
|
||||
if !str_starts_with(share_html, "<") {
|
||||
return "{\"__status__\":404,\"error\":\"not found\"}"
|
||||
}
|
||||
return share_html
|
||||
}
|
||||
|
||||
@@ -1827,6 +1845,52 @@ fn handle_request(method: String, path: String, body: String) -> String {
|
||||
return "{\"__status__\":404,\"error\":\"not found\"}"
|
||||
}
|
||||
|
||||
// ── Security header wrapper ───────────────────────────────────────────────────
|
||||
//
|
||||
// Injects mandatory security headers on every response. Called by
|
||||
// handle_request which is the actual http_set_handler target; the inner
|
||||
// dispatcher (handle_request_inner) returns plain bodies so all the existing
|
||||
// route code is unchanged.
|
||||
//
|
||||
// Headers applied:
|
||||
// Strict-Transport-Security — forces HTTPS for 2 years + preload
|
||||
// X-Content-Type-Options — no MIME sniffing
|
||||
// X-Frame-Options — no framing except same origin
|
||||
// Referrer-Policy — full URL within origin, origin-only cross-site
|
||||
// Permissions-Policy — deny geo/mic/camera
|
||||
// Content-Security-Policy — allow self + trusted CDNs used by the app
|
||||
|
||||
fn sec_headers_json() -> String {
|
||||
"{\"Strict-Transport-Security\":\"max-age=63072000; includeSubDomains; preload\","
|
||||
+ "\"X-Content-Type-Options\":\"nosniff\","
|
||||
+ "\"X-Frame-Options\":\"SAMEORIGIN\","
|
||||
+ "\"Referrer-Policy\":\"strict-origin-when-cross-origin\","
|
||||
+ "\"Permissions-Policy\":\"geolocation=(), microphone=(), camera=()\","
|
||||
+ "\"Content-Security-Policy\":\"default-src 'self'; script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; connect-src 'self' https://api.stripe.com https://*.supabase.co; img-src 'self' data: https:; font-src 'self' data:\"}"
|
||||
}
|
||||
|
||||
fn handle_request(method: String, path: String, body: String) -> String {
|
||||
let inner_resp: String = handle_request_inner(method, path, body)
|
||||
// Detect envelope already set by inner handler (starts with
|
||||
// {"el_http_response":1). If so, let it pass through unmodified —
|
||||
// the status code it carries takes precedence and we must not
|
||||
// double-wrap. (Currently inner never returns an envelope, but guard
|
||||
// defensively so a future route returning http_response(...) still works.)
|
||||
if str_starts_with(inner_resp, "{\"el_http_response\":1") {
|
||||
return inner_resp
|
||||
}
|
||||
// Detect the __status__ convention used by many routes so we can forward
|
||||
// the correct HTTP status code while still injecting security headers.
|
||||
let status_code: Int = 200
|
||||
if str_starts_with(inner_resp, "{\"__status__\":") {
|
||||
let status_str: String = json_get(inner_resp, "__status__")
|
||||
if !str_eq(status_str, "") {
|
||||
let status_code = str_to_int(status_str)
|
||||
}
|
||||
}
|
||||
http_response(status_code, sec_headers_json(), inner_resp)
|
||||
}
|
||||
|
||||
// ── Startup ───────────────────────────────────────────────────────────────────
|
||||
//
|
||||
// Order matters:
|
||||
@@ -1856,6 +1920,7 @@ let resend_api_key: String = env("RESEND_API_KEY")
|
||||
let supabase_anon_key: String = env("SUPABASE_ANON_KEY")
|
||||
let supabase_service_key: String = env("SUPABASE_SERVICE_KEY")
|
||||
let supabase_project_url: String = "https://ocojsghaonltunidkzpw.supabase.co"
|
||||
let turnstile_secret_key: String = env("TURNSTILE_SECRET_KEY")
|
||||
|
||||
// Origin — drives Stripe redirect URLs; never hardcoded to localhost.
|
||||
let neuron_origin_env: String = env("NEURON_ORIGIN")
|
||||
@@ -1903,6 +1968,7 @@ state_set("__origin__", neuron_origin)
|
||||
state_set("__founding_sold_file__", sold_file)
|
||||
state_set("__founding_sold__", int_to_str(real_sold))
|
||||
state_set("__founding_total__", int_to_str(FOUNDING_TOTAL))
|
||||
state_set("__turnstile_secret_key__", turnstile_secret_key)
|
||||
persist_founding_count(real_sold)
|
||||
|
||||
println(color_bold("Neuron") + " - " + neuron_origin)
|
||||
|
||||
+1
-1
@@ -1828,7 +1828,7 @@ fn page_open() -> String {
|
||||
button[disabled] { opacity: 0.6; cursor: not-allowed; }
|
||||
|
||||
</style>
|
||||
<script src=\"https://cdn.jsdelivr.net/npm/marked/marked.min.js\"></script>
|
||||
<script src=\"https://cdn.jsdelivr.net/npm/marked/marked.min.js\" integrity=\"sha384-948ahk4ZmxYVYOc+rxN1H2gM1EJ2Duhp7uHtZ4WSLkV4Vtx5MUqnV+l7u9B+jFv+\" crossorigin=\"anonymous\"></script>
|
||||
<script src=\"https://challenges.cloudflare.com/turnstile/v0/api.js\" async defer></script>
|
||||
<noscript><style>.reveal { opacity: 1 !important; transform: none !important; }</style></noscript>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user