fix(security): add CSP headers and patch cookie expiry and cache key bugs

- Add Content-Security-Policy, X-Frame-Options, X-Content-Type-Options,
  and Referrer-Policy headers via new securityHeaders middleware
- Fix setCookie to check exminutes instead of expired (which was never null),
  so omitting exminutes correctly creates a session cookie
- Fix Cache.getAllKeys() to filter out .expires sidecar files before mapping

Author: AriaEdo

.env.example

@@ -3,3 +3,20 @@ PORT=4321
 
 # Astro environment variables
 ASTRO_TELEMETRY_DISABLED=1
+
+# GitHub App credentials (required for roadmap and changelog data)
+APP_ID=
+APP_INSTALLATION_ID=
+APP_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
+...
+-----END RSA PRIVATE KEY-----"
+
+# PostgreSQL database (required for voting)
+POSTGRES_USER=
+POSTGRES_PASSWORD=
+POSTGRES_HOST=
+POSTGRES_PORT=5432
+POSTGRES_DB=
+
+# Cache clear API secret (required to authenticate /api/cache-clear)
+CACHE_CLEAR_SECRET=

docker-compose.yml

@@ -14,7 +14,8 @@ services:
       - HOST=0.0.0.0
       - PORT=4321
     env_file:
-      - .env
+      - path: .env
+        required: false
     develop:
       watch:
         - path: ./public
@@ -35,5 +36,6 @@ services:
       - HOST=0.0.0.0
       - PORT=4321
     env_file:
-      - .env
+      - path: .env
+        required: false
     restart: unless-stopped

src/layouts/Layout.astro

@@ -168,7 +168,8 @@ const descriptionValue =
             if (formattedStarCount == null) {
               return;
             }
-            button.innerHTML = `${starIcon} ${formattedStarCount}`;
+            button.innerHTML = starIcon;
+            button.appendChild(document.createTextNode(` ${formattedStarCount}`));
           });
         }
       });

src/libs/cache.ts

@@ -11,9 +11,17 @@ export class Cache {
     }
   }
 
+  private sanitizeKey(key: string): string {
+    const sanitized = path.basename(key);
+    if (!sanitized || sanitized === '.' || sanitized === '..') {
+      throw new Error(`Invalid cache key: "${key}"`);
+    }
+    return sanitized;
+  }
+
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   set(key: string, data: any, expiresIn?: number): void {
-    const filePath = path.join(this.cacheDir, `${key}.json`);
+    const filePath = path.join(this.cacheDir, `${this.sanitizeKey(key)}.json`);
     fs.writeFileSync(filePath, JSON.stringify(data), 'utf-8');
 
     if (expiresIn) {
@@ -27,8 +35,8 @@ export class Cache {
   }
 
   get<T>(key: string): T | null {
-    const filePath = path.join(this.cacheDir, `${key}.json`);
-    const expiresPath = path.join(this.cacheDir, `${key}.expires`);
+    const filePath = path.join(this.cacheDir, `${this.sanitizeKey(key)}.json`);
+    const expiresPath = path.join(this.cacheDir, `${this.sanitizeKey(key)}.expires`);
 
     if (fs.existsSync(filePath)) {
       const data = fs.readFileSync(filePath, 'utf-8');
@@ -47,8 +55,8 @@ export class Cache {
   }
 
   clear(key: string): void {
-    const filePath = path.join(this.cacheDir, `${key}.json`);
-    const expiresPath = path.join(this.cacheDir, `${key}.expires`);
+    const filePath = path.join(this.cacheDir, `${this.sanitizeKey(key)}.json`);
+    const expiresPath = path.join(this.cacheDir, `${this.sanitizeKey(key)}.expires`);
     if (fs.existsSync(filePath)) {
       fs.unlinkSync(filePath);
     }
@@ -65,8 +73,8 @@ export class Cache {
   }
 
   has(key: string): boolean {
-    const filePath = path.join(this.cacheDir, `${key}.json`);
-    const expiresPath = path.join(this.cacheDir, `${key}.expires`);
+    const filePath = path.join(this.cacheDir, `${this.sanitizeKey(key)}.json`);
+    const expiresPath = path.join(this.cacheDir, `${this.sanitizeKey(key)}.expires`);
 
     if (fs.existsSync(filePath)) {
       if (fs.existsSync(expiresPath)) {
@@ -83,6 +91,8 @@ export class Cache {
 
   getAllKeys(): string[] {
     const files = fs.readdirSync(this.cacheDir);
-    return files.map((file) => path.basename(file, '.json'));
+    return files
+      .filter((file) => file.endsWith('.json'))
+      .map((file) => path.basename(file, '.json'));
   }
 }

src/libs/cookie.ts

@@ -21,7 +21,7 @@ function setCookie(key: string, value: string, exminutes?: number | null) {
 
   const newValue =
     value +
-    (expired == null ? '' : ';expires=' + expired.toUTCString() + ';Secure;SameSite:Lax;path=/');
+    (exminutes == null ? '' : ';expires=' + expired.toUTCString() + ';Secure;SameSite=Lax;path=/');
   document.cookie = key + '=' + newValue;
 }
 

src/libs/github.ts

@@ -3,7 +3,6 @@ import { createAppAuth } from '@octokit/auth-app';
 import { graphql } from '@octokit/graphql';
 import type { RequestParameters } from '@octokit/types';
 
-let response = {};
 const appId = import.meta.env.APP_ID || process.env.APP_ID;
 const privateKey = import.meta.env.APP_PRIVATE_KEY || process.env.APP_PRIVATE_KEY;
 const installationId = parseInt(
@@ -12,6 +11,8 @@ const installationId = parseInt(
 );
 
 async function graph(query: string, variables?: RequestParameters) {
+  let response = {};
+
   if (appId && installationId && privateKey) {
     const auth = createAppAuth({
       appId,
@@ -38,6 +39,8 @@ async function graph(query: string, variables?: RequestParameters) {
 }
 
 async function rest(query: string, variables: RequestParameters = {}) {
+  let response = {};
+
   if (appId && installationId && privateKey) {
     const octokitWithAuth = new Octokit({
       authStrategy: createAppAuth,

src/libs/postgres.ts

@@ -41,12 +41,15 @@ async function dbConnect() {
     const HOST = import.meta.env.POSTGRES_HOST || process.env.POSTGRES_HOST;
     const PORT = import.meta.env.POSTGRES_PORT || process.env.POSTGRES_PORT || 5432;
     const DB = import.meta.env.POSTGRES_DB || process.env.POSTGRES_DB;
-    const connectionString = `postgres://${USER}:${PASSWORD}@${HOST}:${PORT}/${DB}`;
 
-    if (!connectionString) {
-      throw new Error('Database environment variable is required');
+    if (!USER || !PASSWORD || !HOST || !DB) {
+      throw new Error(
+        'Missing required database environment variables: POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_HOST, POSTGRES_DB'
+      );
     }
 
+    const connectionString = `postgres://${USER}:${PASSWORD}@${HOST}:${PORT}/${DB}`;
+
     sql = postgres(connectionString, {
       user: USER,
       password: PASSWORD,

src/middleware.ts

@@ -2,6 +2,19 @@ import { stargazerCount } from '@libs/milo';
 import { sequence } from 'astro:middleware';
 import type { MiddlewareHandler } from 'astro';
 
+const CSP = [
+  "default-src 'self'",
+  "script-src 'self' 'unsafe-inline' https://beacon-v2.helpscout.net https://cdn.usefathom.com https://edge.marker.io",
+  "connect-src 'self' https://api.github.com https://beacon-v2.helpscout.net https://cdn.usefathom.com https://edge.marker.io",
+  "img-src 'self' data: https:",
+  "style-src 'self' 'unsafe-inline'",
+  "font-src 'self'",
+  "frame-src 'none'",
+  "object-src 'none'",
+  "base-uri 'self'",
+  "form-action 'self'",
+].join('; ');
+
 const PROTECTED_ROUTES = [/^\/dev($|\/.*)/];
 
 const isProtected = (path: string): boolean => {
@@ -32,4 +45,13 @@ const baseMiddleware: MiddlewareHandler = async (context, next) => {
   return next();
 };
 
-export const onRequest = sequence(routeGuard, baseMiddleware);
+const securityHeaders: MiddlewareHandler = async (_context, next) => {
+  const response = await next();
+  response.headers.set('Content-Security-Policy', CSP);
+  response.headers.set('X-Content-Type-Options', 'nosniff');
+  response.headers.set('X-Frame-Options', 'DENY');
+  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+  return response;
+};
+
+export const onRequest = sequence(routeGuard, baseMiddleware, securityHeaders);