logo

Database

Insecure or unset HTTP headers - X-Content-Type-Options

Need

Enforce secure content type handling

Context

• Usage of Dart 2.12.0 for developing cross-platform applications

• Usage of Shelf for managing and organizing data in a Node.js application

Description

1. Non compliant code

import 'package:shelf/shelf.dart' as shelf;

void main() {
  var handler = const shelf.Pipeline().addMiddleware(shelf.logRequests()).addHandler(_echoRequest);

  io.serve(handler, 'localhost', 8080).then((server) {
    print('Serving at http://${server.address.host}:${server.port}');
}...

In the provided code, a HTTP server is created using the shelf framework in Dart. The server is listening on localhost at port 8080. The `_echoRequest` function is used as the request handler for all incoming HTTP requests. The vulnerability lies in the fact that the server's responses do not include the `X-Content-Type-Options` HTTP header. This header is used to protect the website from MIME type confusion attacks. It prevents the browser from trying to parse files as a different MIME type to what the server says they are. In simpler terms, if a file is declared to be one type, and the browser thinks it's another, the browser will stop and not display the file. This is a security feature that helps prevent attacks where a file is disguised as a different type. In this case, not including the `X-Content-Type-Options` header in the server's responses could potentially expose the server and its users to security risks.

2. Steps

• Import the 'shelf' package in your Dart file.

• In the '_echoRequest' function, when creating the 'shelf.Response', add the 'X-Content-Type-Options' HTTP header.

• Set the value of the 'X-Content-Type-Options' header to 'nosniff'. This prevents the browser from trying to interpret content differently from the declared content type.

• This can be done by passing a map to the 'headers' parameter of the 'shelf.Response.ok' method. The map should contain a key-value pair where the key is 'X-Content-Type-Options' and the value is 'nosniff'.

3. Secure code example

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

void main() {
  var handler = const shelf.Pipeline().addMiddleware(shelf.logRequests()).addHandler(_echoRequest);

  io.serve(handler, 'localhost', 8080).then((server) {
  });...

The code above is a Dart backend application using the Shelf framework. The main function sets up a server that listens on localhost port 8080. It uses a pipeline with a logging middleware and a handler function `_echoRequest`. The `_echoRequest` function is where the response to each request is defined. In the original code, the response was missing the `X-Content-Type-Options` HTTP header, which is a security vulnerability. This header is used to protect against MIME type confusion attacks. It prevents the browser from interpreting the content differently from the declared content type. To fix this vulnerability, the `X-Content-Type-Options` header is added to the response in the `_echoRequest` function. This is done by passing a map to the `headers` parameter of the `shelf.Response.ok` method. The map contains a key-value pair where the key is `X-Content-Type-Options` and the value is `nosniff`. This tells the browser not to try to interpret the content differently from the declared content type.