http: add X-Content-Type-Options header support

.github/sync.yml

@@ -45,6 +45,7 @@ group:
       - src/main/kotlin/br/ufpe/liber/controllers/DefaultExceptionHandler.kt
       - src/main/kotlin/br/ufpe/liber/controllers/ErrorsController.kt
       - src/main/kotlin/br/ufpe/liber/controllers/KteController.kt
+      - src/main/kotlin/br/ufpe/liber/controllers/XContentTypeOptionsFilter.kt
       - src/main/kotlin/br/ufpe/liber/views/CSPHelper.kt
       - src/main/kotlin/br/ufpe/liber/views/ViewsHelper.kt
       - source: src/main/kotlin/br/ufpe/liber/views/LinksHelper.kt
@@ -60,9 +61,11 @@ group:
       - src/test/kotlin/br/ufpe/liber/controllers/AssetsControllerTest.kt
       - src/test/kotlin/br/ufpe/liber/controllers/DefaultExceptionHandlerTest.kt
       - src/test/kotlin/br/ufpe/liber/controllers/ErrorsControllerTest.kt
+      - src/test/kotlin/br/ufpe/liber/controllers/XContentTypeOptionsFilterTest.kt
       - source: src/test/kotlin/br/ufpe/liber/ApplicationTest.kt
         replace: false
       - src/test/kotlin/br/ufpe/liber/KteWritableExtensions.kt
+      - src/test/kotlin/br/ufpe/liber/HttpClientExtensions.kt
       - src/test/kotlin/br/ufpe/liber/TemplatesFactoryTest.kt
       - src/test/kotlin/br/ufpe/liber/ProjectConfig.kt
       - src/test/resources/public/test-assets-metadata.json
@@ -124,6 +127,7 @@ group:
       - src/main/kotlin/br/ufpe/liber/controllers/DefaultExceptionHandler.kt
       - src/main/kotlin/br/ufpe/liber/controllers/ErrorsController.kt
       - src/main/kotlin/br/ufpe/liber/controllers/KteController.kt
+      - src/main/kotlin/br/ufpe/liber/controllers/XContentTypeOptionsFilter.kt
       - src/main/kotlin/br/ufpe/liber/views/CSPHelper.kt
       - src/main/kotlin/br/ufpe/liber/views/ViewsHelper.kt
       - source: src/main/kotlin/br/ufpe/liber/views/LinksHelper.kt
@@ -139,9 +143,11 @@ group:
       - src/test/kotlin/br/ufpe/liber/controllers/AssetsControllerTest.kt
       - src/test/kotlin/br/ufpe/liber/controllers/DefaultExceptionHandlerTest.kt
       - src/test/kotlin/br/ufpe/liber/controllers/ErrorsControllerTest.kt
+      - src/test/kotlin/br/ufpe/liber/controllers/XContentTypeOptionsFilterTest.kt
       - source: src/test/kotlin/br/ufpe/liber/ApplicationTest.kt
         replace: false
       - src/test/kotlin/br/ufpe/liber/KteWritableExtensions.kt
+      - src/test/kotlin/br/ufpe/liber/HttpClientExtensions.kt
       - src/test/kotlin/br/ufpe/liber/TemplatesFactoryTest.kt
       - src/test/kotlin/br/ufpe/liber/ProjectConfig.kt
       - src/test/resources/public/test-assets-metadata.json

src/main/kotlin/br/ufpe/liber/controllers/XContentTypeOptionsFilter.kt

@@ -0,0 +1,17 @@
+package br.ufpe.liber.controllers
+
+import io.micronaut.core.order.Ordered
+import io.micronaut.http.MutableHttpResponse
+import io.micronaut.http.annotation.Filter
+import io.micronaut.http.annotation.ResponseFilter
+import io.micronaut.http.annotation.ServerFilter
+import io.micronaut.http.filter.ServerFilterPhase
+
+@ServerFilter(Filter.MATCH_ALL_PATTERN)
+@Suppress("CLASS_NAME_INCORRECT")
+class XContentTypeOptionsFilter : Ordered {
+    @ResponseFilter
+    fun addHeader(res: MutableHttpResponse<Any>) = res.header("X-Content-Type-Options", "nosniff")
+
+    override fun getOrder(): Int = ServerFilterPhase.LAST.order()
+}

src/test/kotlin/br/ufpe/liber/HttpClientExtensions.kt

@@ -0,0 +1,13 @@
+package br.ufpe.liber
+
+import io.micronaut.http.HttpResponse
+import io.micronaut.http.client.BlockingHttpClient
+
+// DO NOT EDIT: this file is automatically synced from the template repository
+// in https://github.com/Liber-UFPE/project-starter.
+
+fun BlockingHttpClient.get(path: String): HttpResponse<String> = this.exchange(
+    path,
+    String::class.java,
+    String::class.java,
+)

src/test/kotlin/br/ufpe/liber/controllers/XContentTypeOptionsFilterTest.kt

@@ -0,0 +1,49 @@
+package br.ufpe.liber.controllers
+
+import br.ufpe.liber.assets.AssetsResolver
+import br.ufpe.liber.get
+import io.kotest.core.spec.style.BehaviorSpec
+import io.kotest.matchers.shouldBe
+import io.micronaut.context.ApplicationContext
+import io.micronaut.http.client.DefaultHttpClientConfiguration
+import io.micronaut.http.client.HttpClient
+import io.micronaut.http.filter.ServerFilterPhase
+import io.micronaut.kotlin.context.getBean
+import io.micronaut.runtime.server.EmbeddedServer
+import io.micronaut.test.extensions.kotest5.annotation.MicronautTest
+
+@MicronautTest
+@Suppress("CLASS_NAME_INCORRECT")
+class XContentTypeOptionsFilterTest(
+    private val server: EmbeddedServer,
+    private val context: ApplicationContext,
+) : BehaviorSpec({
+    val client = context
+        .createBean(
+            HttpClient::class.java,
+            server.url,
+            DefaultHttpClientConfiguration().apply { isExceptionOnErrorStatus = false },
+        )
+        .toBlocking()
+
+    beforeSpec {
+        // AssetsResolver initializes a lateinit property used by the view helpers
+        context.getBean(AssetsResolver::class.java)
+    }
+
+    given("XContentTypeOptionsFilter") {
+        `when`("a request is made") {
+            val response = client.get("/")
+            then("add the X-Content-Type-Options header") {
+                response.header("X-Content-Type-Options") shouldBe "nosniff"
+            }
+        }
+
+        `when`("ordering filters") {
+            then("it should be the last one") {
+                val filter = context.getBean<XContentTypeOptionsFilter>()
+                filter.order shouldBe ServerFilterPhase.LAST.order()
+            }
+        }
+    }
+})