Improve security on raw files endpoint (#613)

internal/web/handlers/gist/download.go

@@ -3,6 +3,7 @@ package gist
 import (
 	"archive/zip"
 	"bytes"
+	"net/url"
 	"strconv"
 
 	"github.com/thomiceli/opengist/internal/db"
@@ -19,8 +20,23 @@ func RawFile(ctx *context.Context) error {
 	if file == nil {
 		return ctx.NotFound("File not found")
 	}
-	ctx.Response().Header().Set("Content-Type", file.MimeType.ContentType)
+
-	ctx.Response().Header().Set("Content-Disposition", "inline; filename=\""+file.Filename+"\"")
+	if file.MimeType.IsSVG() {
+		ctx.Response().Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
+	} else if file.MimeType.IsPDF() {
+		ctx.Response().Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'")
+	}
+
+	if file.MimeType.CanBeEmbedded() {
+		ctx.Response().Header().Set("Content-Type", file.MimeType.ContentType)
+	} else if file.MimeType.IsText() {
+		ctx.Response().Header().Set("Content-Type", "text/plain")
+	} else {
+		ctx.Response().Header().Set("Content-Type", "application/octet-stream")
+	}
+
+	ctx.Response().Header().Set("Content-Disposition", "inline; filename=\""+url.PathEscape(file.Filename)+"\"")
+	ctx.Response().Header().Set("X-Content-Type-Options", "nosniff")
 	return ctx.PlainText(200, file.Content)
 }
 
@@ -36,8 +52,9 @@ func DownloadFile(ctx *context.Context) error {
 	}
 
 	ctx.Response().Header().Set("Content-Type", file.MimeType.ContentType)
-	ctx.Response().Header().Set("Content-Disposition", "attachment; filename="+file.Filename)
+	ctx.Response().Header().Set("Content-Disposition", "attachment; filename=\""+url.PathEscape(file.Filename)+"\"")
 	ctx.Response().Header().Set("Content-Length", strconv.Itoa(len(file.Content)))
+	ctx.Response().Header().Set("X-Content-Type-Options", "nosniff")
 	_, err = ctx.Response().Write([]byte(file.Content))
 	if err != nil {
 		return ctx.ErrorRes(500, "Error downloading the file", err)