From 1543e6dc2bd15e3823b884c93264501f3a3c63d5 Mon Sep 17 00:00:00 2001 From: Martin McKeaveney Date: Sun, 10 Nov 2024 13:08:51 +0000 Subject: [PATCH] env variable for turning off csp --- hosting/proxy/nginx.prod.conf | 14 --------- .../src/middleware/contentSecurityPolicy.ts | 29 +++++++++++-------- .../src/api/controllers/static/index.ts | 2 +- packages/server/src/environment.ts | 1 + packages/server/src/koa.ts | 4 ++- packages/types/src/sdk/koa.ts | 2 ++ packages/worker/src/environment.ts | 1 + packages/worker/src/index.ts | 3 ++ 8 files changed, 28 insertions(+), 28 deletions(-) diff --git a/hosting/proxy/nginx.prod.conf b/hosting/proxy/nginx.prod.conf index f18bae09a4..57a0120720 100644 --- a/hosting/proxy/nginx.prod.conf +++ b/hosting/proxy/nginx.prod.conf @@ -50,19 +50,6 @@ http { ignore_invalid_headers off; proxy_buffering off; - set $csp_default "default-src 'self'"; - set $csp_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com"; - set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com"; - set $csp_object "object-src 'none'"; - set $csp_base_uri "base-uri 'self'"; - set $csp_connect "connect-src 'self' https://*.budibase.app https://*.budibaseqa.app https://*.budibase.net https://api-iam.intercom.io https://api-iam.intercom.io https://api-ping.intercom.io https://app.posthog.com https://us.i.posthog.com wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io https://uploads.intercomcdn.com https://uploads.intercomusercontent.com https://*.amazonaws.com https://*.s3.amazonaws.com https://*.s3.us-east-2.amazonaws.com https://*.s3.us-east-1.amazonaws.com https://*.s3.us-west-1.amazonaws.com https://*.s3.us-west-2.amazonaws.com https://*.s3.af-south-1.amazonaws.com https://*.s3.ap-east-1.amazonaws.com https://*.s3.ap-southeast-3.amazonaws.com https://*.s3.ap-south-1.amazonaws.com https://*.s3.ap-northeast-3.amazonaws.com https://*.s3.ap-northeast-2.amazonaws.com https://*.s3.ap-southeast-1.amazonaws.com https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.ap-northeast-1.amazonaws.com https://*.s3.ca-central-1.amazonaws.com https://*.s3.cn-north-1.amazonaws.com https://*.s3.cn-northwest-1.amazonaws.com https://*.s3.eu-central-1.amazonaws.com https://*.s3.eu-west-1.amazonaws.com https://*.s3.eu-west-2.amazonaws.com https://*.s3.eu-south-1.amazonaws.com https://*.s3.eu-west-3.amazonaws.com https://*.s3.eu-north-1.amazonaws.com https://*.s3.sa-east-1.amazonaws.com https://*.s3.me-south-1.amazonaws.com https://*.s3.us-gov-east-1.amazonaws.com https://*.s3.us-gov-west-1.amazonaws.com https://api.github.com"; - set $csp_font "font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me https://maxcdn.bootstrapcdn.com https://js.intercomcdn.com https://fonts.intercomcdn.com"; - set $csp_frame "frame-src 'self' https:"; - set $csp_img "img-src http: https: data: blob:"; - set $csp_manifest "manifest-src 'self'"; - set $csp_media "media-src 'self' https://js.intercomcdn.com https://cdn.budi.live"; - set $csp_worker "worker-src blob:"; - error_page 502 503 504 /error.html; location = /error.html { root /usr/share/nginx/html; @@ -73,7 +60,6 @@ http { add_header X-Frame-Options SAMEORIGIN always; add_header X-Content-Type-Options nosniff always; add_header X-XSS-Protection "1; mode=block" always; - add_header Content-Security-Policy "${csp_default}; ${csp_script}; ${csp_style}; ${csp_object}; ${csp_base_uri}; ${csp_connect}; ${csp_font}; ${csp_frame}; ${csp_img}; ${csp_manifest}; ${csp_media}; ${csp_worker};" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # upstreams diff --git a/packages/backend-core/src/middleware/contentSecurityPolicy.ts b/packages/backend-core/src/middleware/contentSecurityPolicy.ts index 5d465cbc3c..008c7ddc83 100644 --- a/packages/backend-core/src/middleware/contentSecurityPolicy.ts +++ b/packages/backend-core/src/middleware/contentSecurityPolicy.ts @@ -4,14 +4,13 @@ const CSP_DIRECTIVES = { "default-src": ["'self'"], "script-src": [ "'self'", - // "'unsafe-inline'", "'unsafe-eval'", "https://*.budibase.net", "https://cdn.budi.live", "https://js.intercomcdn.com", "https://widget.intercom.io", "https://d2l5prqdbvm3op.cloudfront.net", - "https://us-assets.i.posthog.com" + "https://us-assets.i.posthog.com", ], "style-src": [ "'self'", @@ -19,7 +18,7 @@ const CSP_DIRECTIVES = { "https://cdn.jsdelivr.net", "https://fonts.googleapis.com", "https://rsms.me", - "https://maxcdn.bootstrapcdn.com" + "https://maxcdn.bootstrapcdn.com", ], "object-src": ["'none'"], "base-uri": ["'self'"], @@ -64,7 +63,7 @@ const CSP_DIRECTIVES = { "https://*.s3.me-south-1.amazonaws.com", "https://*.s3.us-gov-east-1.amazonaws.com", "https://*.s3.us-gov-west-1.amazonaws.com", - "https://api.github.com" + "https://api.github.com", ], "font-src": [ "'self'", @@ -74,30 +73,36 @@ const CSP_DIRECTIVES = { "https://rsms.me", "https://maxcdn.bootstrapcdn.com", "https://js.intercomcdn.com", - "https://fonts.intercomcdn.com" + "https://fonts.intercomcdn.com", ], "frame-src": ["'self'", "https:"], "img-src": ["http:", "https:", "data:", "blob:"], "manifest-src": ["'self'"], - "media-src": ["'self'", "https://js.intercomcdn.com", "https://cdn.budi.live"], - "worker-src": ["blob:"] + "media-src": [ + "'self'", + "https://js.intercomcdn.com", + "https://cdn.budi.live", + ], + "worker-src": ["blob:"], } export async function contentSecurityPolicy(ctx: any, next: any) { try { const nonce = crypto.randomBytes(16).toString("base64") - CSP_DIRECTIVES['script-src'].push(`'nonce-${nonce}'`) + CSP_DIRECTIVES["script-src"].push(`'nonce-${nonce}'`) ctx.state.nonce = nonce const cspHeader = Object.entries(CSP_DIRECTIVES) - .map(([key, sources]) => `${key} ${sources.join(' ')}`) - .join('; ') - ctx.set("Content-Security-Policy", cspHeader); + .map(([key, sources]) => `${key} ${sources.join(" ")}`) + .join("; ") + ctx.set("Content-Security-Policy", cspHeader) await next() } catch (err: any) { - console.error(`Some error: ${err}`) + console.error( + `Error occurred in Content-Security-Policy middleware: ${err}` + ) } } diff --git a/packages/server/src/api/controllers/static/index.ts b/packages/server/src/api/controllers/static/index.ts index 139d07c86d..1bf04e94f0 100644 --- a/packages/server/src/api/controllers/static/index.ts +++ b/packages/server/src/api/controllers/static/index.ts @@ -260,7 +260,7 @@ export const serveBuilderPreview = async function (ctx: Ctx) { const previewHbs = loadHandlebarsFile(join(previewLoc, "preview.hbs")) ctx.body = await processString(previewHbs, { clientLibPath: objectStore.clientLibraryUrl(appId!, appInfo.version), - nonce: ctx.state.nonce + nonce: ctx.state.nonce, }) } else { // just return the app info for jest to assert on diff --git a/packages/server/src/environment.ts b/packages/server/src/environment.ts index 45d675ec3f..5e277feebe 100644 --- a/packages/server/src/environment.ts +++ b/packages/server/src/environment.ts @@ -114,6 +114,7 @@ const environment = { DEFAULTS.JS_RUNNER_MEMORY_LIMIT, LOG_JS_ERRORS: process.env.LOG_JS_ERRORS, DISABLE_USER_SYNC: process.env.DISABLE_USER_SYNC, + DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY, // old CLIENT_ID: process.env.CLIENT_ID, _set(key: string, value: any) { diff --git a/packages/server/src/koa.ts b/packages/server/src/koa.ts index 8400bd10e2..e595ddc9e6 100644 --- a/packages/server/src/koa.ts +++ b/packages/server/src/koa.ts @@ -37,7 +37,9 @@ export default function createKoaApp() { app.use(middleware.correlation) app.use(middleware.pino) app.use(middleware.ip) - app.use(middleware.csp) + if (!env.DISABLE_CONTENT_SECURITY_POLICY) { + app.use(middleware.csp) + } app.use(userAgent) const server = http.createServer(app.callback()) diff --git a/packages/types/src/sdk/koa.ts b/packages/types/src/sdk/koa.ts index 8be3a6fa53..5ec10b94c1 100644 --- a/packages/types/src/sdk/koa.ts +++ b/packages/types/src/sdk/koa.ts @@ -48,6 +48,7 @@ export interface Ctx extends Context { request: BBRequest body: ResponseBody userAgent: UserAgentContext["userAgent"] + state: { nonce: string } } /** @@ -56,6 +57,7 @@ export interface Ctx extends Context { export interface UserCtx extends Ctx { user: ContextUser + state: { nonce: string } roleId?: string eventEmitter?: ContextEmitter loginMethod?: LoginMethod diff --git a/packages/worker/src/environment.ts b/packages/worker/src/environment.ts index 3a9efd70ce..3947c7431e 100644 --- a/packages/worker/src/environment.ts +++ b/packages/worker/src/environment.ts @@ -46,6 +46,7 @@ const environment = { SMTP_FALLBACK_ENABLED: process.env.SMTP_FALLBACK_ENABLED, DISABLE_DEVELOPER_LICENSE: process.env.DISABLE_DEVELOPER_LICENSE, BUDIBASE_ENVIRONMENT: process.env.BUDIBASE_ENVIRONMENT, + DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY, // smtp SMTP_USER: process.env.SMTP_USER, SMTP_PASSWORD: process.env.SMTP_PASSWORD, diff --git a/packages/worker/src/index.ts b/packages/worker/src/index.ts index fb6a97a844..89232034a4 100644 --- a/packages/worker/src/index.ts +++ b/packages/worker/src/index.ts @@ -56,6 +56,9 @@ app.use(koaSession(app)) app.use(middleware.correlation) app.use(middleware.pino) app.use(middleware.ip) +if (!env.DISABLE_CONTENT_SECURITY_POLICY) { + app.use(middleware.csp) +} app.use(userAgent) // authentication