| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546 |
- export const httpStreamOutput = function(readStream, name, http, downloadFlag, cacheControl) {
- readStream.on('data', data => {
- http.response.write(data);
- });
- readStream.on('end', () => {
- // don't pass parameters to end() or it will be attached to the file's binary stream
- http.response.end();
- });
- readStream.on('error', (err) => {
- console.error(`Download stream error for file '${name}':`, err);
- http.response.statusCode = 404;
- http.response.end('not found');
- });
- if (cacheControl) {
- http.response.setHeader('Cache-Control', cacheControl);
- }
- // Set Content-Disposition header
- http.response.setHeader('Content-Disposition', getContentDisposition(name, http?.params?.query?.download));
- // Add security headers to prevent XSS attacks
- const isSvgFile = name && name.toLowerCase().endsWith('.svg');
- if (isSvgFile) {
- // For SVG files, add strict CSP to prevent script execution
- http.response.setHeader('Content-Security-Policy', "default-src 'none'; script-src 'none'; object-src 'none';");
- http.response.setHeader('X-Content-Type-Options', 'nosniff');
- http.response.setHeader('X-Frame-Options', 'DENY');
- }
- };
- /** will initiate download, if links are called with ?download="true" queryparam */
- const getContentDisposition = (name, downloadFlag) => {
- // Force attachment disposition for SVG files to prevent XSS attacks
- const isSvgFile = name && name.toLowerCase().endsWith('.svg');
- const forceAttachment = isSvgFile || downloadFlag === 'true';
- const dispositionType = forceAttachment ? 'attachment;' : 'inline;';
- const encodedName = encodeURIComponent(name);
- const dispositionName = `filename="${encodedName}"; filename=*UTF-8"${encodedName}";`;
- const dispositionEncoding = 'charset=utf-8';
- return `${dispositionType} ${dispositionName} ${dispositionEncoding}`;
- };
|
