fix(core): Sandbox HTML binary files in viewing mode

netroy · netroy · commit 678fe7726a50 · 2025-04-02T12:23:18.000+02:00
diff --git a/packages/cli/src/controllers/__tests__/binary-data.controller.test.ts b/packages/cli/src/controllers/__tests__/binary-data.controller.test.ts
@@ -107,6 +107,36 @@ describe('BinaryDataController', () => {
 			);
 		});
 
+		it('should set Content-Security-Policy for HTML in view mode', async () => {
+			request.query = {
+				id: 'filesystem:123',
+				action: 'view',
+				fileName: 'test.html',
+				mimeType: 'text/html',
+			};
+
+			binaryDataService.getAsStream.mockResolvedValue(mock());
+
+			await controller.get(request, response);
+
+			expect(response.header).toHaveBeenCalledWith('Content-Security-Policy', 'sandbox');
+		});
+
+		it('should not set Content-Security-Policy for HTML in download mode', async () => {
+			request.query = {
+				id: 'filesystem:123',
+				action: 'download',
+				fileName: 'test.html',
+				mimeType: 'text/html',
+			};
+
+			binaryDataService.getAsStream.mockResolvedValue(mock());
+
+			await controller.get(request, response);
+
+			expect(response.header).not.toHaveBeenCalledWith('Content-Security-Policy', 'sandbox');
+		});
+
 		it('should return the file stream on success', async () => {
 			request.query = { id: 'filesystem:123', action: 'view' };
 
diff --git a/packages/cli/src/controllers/binary-data.controller.ts b/packages/cli/src/controllers/binary-data.controller.ts
@@ -38,7 +38,14 @@ export class BinaryDataController {
 				} catch {}
 			}
 
-			if (mimeType) res.setHeader('Content-Type', mimeType);
+			if (mimeType) {
+				res.setHeader('Content-Type', mimeType);
+
+				// Sandbox html files when viewed in a browser
+				if (mimeType === 'text/html' && action === 'view') {
+					res.header('Content-Security-Policy', 'sandbox');
+				}
+			}
 
 			if (action === 'download' && fileName) {
 				const encodedFilename = encodeURIComponent(fileName);
@@ -47,7 +54,7 @@ export class BinaryDataController {
 
 			return await this.binaryDataService.getAsStream(binaryDataId);
 		} catch (error) {
-			if (error instanceof FileNotFoundError) return res.writeHead(404).end();
+			if (error instanceof FileNotFoundError) return res.status(404).end();
 			else throw error;
 		}
 	}
