Add new decorator to prevent reflected text attacks

Instead of disabling repo names with periods in them, we simply disallow calls to the API when they are GET requests, whose path ends in a dot, and that do not have a referrer from the frontend.
2018-01-29 14:52:50 -05:00 · 2018-01-29 14:52:50 -05:00 · 188ea98441
commit 188ea98441
parent b342111edb
8 changed files with 82 additions and 12 deletions
--- a/static/js/quay-run.ts
+++ b/static/js/quay-run.ts
@ -11,6 +11,7 @@ provideRun.$inject = [
  'PlanService',
  '$http',
  'CookieService',
+  'UserService',
  'Features',
  '$anchorScroll',
  'MetaService',
@ -20,6 +21,7 @@ export function provideRun($rootScope: QuayRunScope,
                           planService: any,
                           $http: ng.IHttpService,
                           cookieService: any,
+                           userService: any,
                           features: any,
                           $anchorScroll: ng.IAnchorScrollService,
                           metaService: any): void {
@ -29,6 +31,8 @@ export function provideRun($rootScope: QuayRunScope,
  restangular.setDefaultRequestParams(['post', 'put', 'remove', 'delete'],
    {'_csrf_token': (<any>window).__token || ''});

+  restangular.setDefaultHeaders({'X-Requested-With': 'XMLHttpRequest'});
+
  // Handle session expiration.
  restangular.setErrorInterceptor(function(response) {
    if (response !== undefined && response.status == 503) {
@ -120,6 +124,9 @@ export function provideRun($rootScope: QuayRunScope,
    }
    return $http.pendingRequests.length > 0;
  };
+
+  // Load the inital user information.
+  userService.load();
 }