From 9996fc7f1255da1550fde0e534234f440f5f0cdf Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Fri, 8 Nov 2024 17:40:29 +0000
Subject: [PATCH 01/12] CSP nonce E2E

---
 .../src/middleware/contentSecurityPolicy.ts   | 104 ++++++++++++++++++
 packages/backend-core/src/middleware/index.ts |   1 +
 .../src/api/controllers/static/index.ts       |   3 +
 .../static/templates/BudibaseApp.svelte       |   8 +-
 .../api/controllers/static/templates/app.hbs  |   4 +-
 .../controllers/static/templates/preview.hbs  |   2 +-
 packages/server/src/koa.ts                    |   1 +
 7 files changed, 117 insertions(+), 6 deletions(-)
 create mode 100644 packages/backend-core/src/middleware/contentSecurityPolicy.ts

diff --git a/packages/backend-core/src/middleware/contentSecurityPolicy.ts b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
new file mode 100644
index 0000000000..5d465cbc3c
--- /dev/null
+++ b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
@@ -0,0 +1,104 @@
+import crypto from "crypto"
+
+const CSP_DIRECTIVES = {
+  "default-src": ["'self'"],
+  "script-src": [
+    "'self'",
+    // "'unsafe-inline'",
+    "'unsafe-eval'",
+    "https://*.budibase.net",
+    "https://cdn.budi.live",
+    "https://js.intercomcdn.com",
+    "https://widget.intercom.io",
+    "https://d2l5prqdbvm3op.cloudfront.net",
+    "https://us-assets.i.posthog.com"
+  ],
+  "style-src": [
+    "'self'",
+    "'unsafe-inline'",
+    "https://cdn.jsdelivr.net",
+    "https://fonts.googleapis.com",
+    "https://rsms.me",
+    "https://maxcdn.bootstrapcdn.com"
+  ],
+  "object-src": ["'none'"],
+  "base-uri": ["'self'"],
+  "connect-src": [
+    "'self'",
+    "https://*.budibase.app",
+    "https://*.budibaseqa.app",
+    "https://*.budibase.net",
+    "https://api-iam.intercom.io",
+    "https://api-ping.intercom.io",
+    "https://app.posthog.com",
+    "https://us.i.posthog.com",
+    "wss://nexus-websocket-a.intercom.io",
+    "wss://nexus-websocket-b.intercom.io",
+    "https://nexus-websocket-a.intercom.io",
+    "https://nexus-websocket-b.intercom.io",
+    "https://uploads.intercomcdn.com",
+    "https://uploads.intercomusercontent.com",
+    "https://*.amazonaws.com",
+    "https://*.s3.amazonaws.com",
+    "https://*.s3.us-east-2.amazonaws.com",
+    "https://*.s3.us-east-1.amazonaws.com",
+    "https://*.s3.us-west-1.amazonaws.com",
+    "https://*.s3.us-west-2.amazonaws.com",
+    "https://*.s3.af-south-1.amazonaws.com",
+    "https://*.s3.ap-east-1.amazonaws.com",
+    "https://*.s3.ap-south-1.amazonaws.com",
+    "https://*.s3.ap-northeast-2.amazonaws.com",
+    "https://*.s3.ap-southeast-1.amazonaws.com",
+    "https://*.s3.ap-southeast-2.amazonaws.com",
+    "https://*.s3.ap-northeast-1.amazonaws.com",
+    "https://*.s3.ca-central-1.amazonaws.com",
+    "https://*.s3.cn-north-1.amazonaws.com",
+    "https://*.s3.cn-northwest-1.amazonaws.com",
+    "https://*.s3.eu-central-1.amazonaws.com",
+    "https://*.s3.eu-west-1.amazonaws.com",
+    "https://*.s3.eu-west-2.amazonaws.com",
+    "https://*.s3.eu-south-1.amazonaws.com",
+    "https://*.s3.eu-west-3.amazonaws.com",
+    "https://*.s3.eu-north-1.amazonaws.com",
+    "https://*.s3.sa-east-1.amazonaws.com",
+    "https://*.s3.me-south-1.amazonaws.com",
+    "https://*.s3.us-gov-east-1.amazonaws.com",
+    "https://*.s3.us-gov-west-1.amazonaws.com",
+    "https://api.github.com"
+  ],
+  "font-src": [
+    "'self'",
+    "data:",
+    "https://cdn.jsdelivr.net",
+    "https://fonts.gstatic.com",
+    "https://rsms.me",
+    "https://maxcdn.bootstrapcdn.com",
+    "https://js.intercomcdn.com",
+    "https://fonts.intercomcdn.com"
+  ],
+  "frame-src": ["'self'", "https:"],
+  "img-src": ["http:", "https:", "data:", "blob:"],
+  "manifest-src": ["'self'"],
+  "media-src": ["'self'", "https://js.intercomcdn.com", "https://cdn.budi.live"],
+  "worker-src": ["blob:"]
+}
+
+export async function contentSecurityPolicy(ctx: any, next: any) {
+  try {
+    const nonce = crypto.randomBytes(16).toString("base64")
+
+    CSP_DIRECTIVES['script-src'].push(`'nonce-${nonce}'`)
+
+    ctx.state.nonce = nonce
+
+    const cspHeader = Object.entries(CSP_DIRECTIVES)
+      .map(([key, sources]) => `${key} ${sources.join(' ')}`)
+      .join('; ')
+    ctx.set("Content-Security-Policy", cspHeader);
+    await next()
+  } catch (err: any) {
+    console.error(`Some error: ${err}`)
+  }
+}
+
+export default contentSecurityPolicy
diff --git a/packages/backend-core/src/middleware/index.ts b/packages/backend-core/src/middleware/index.ts
index 20c2125b13..9ee51db45b 100644
--- a/packages/backend-core/src/middleware/index.ts
+++ b/packages/backend-core/src/middleware/index.ts
@@ -19,5 +19,6 @@ export { default as pino } from "../logging/pino/middleware"
 export { default as correlation } from "../logging/correlation/middleware"
 export { default as errorHandling } from "./errorHandling"
 export { default as querystringToBody } from "./querystringToBody"
+export { default as csp } from "./contentSecurityPolicy"
 export * as joiValidator from "./joi-validator"
 export { default as ip } from "./ip"
diff --git a/packages/server/src/api/controllers/static/index.ts b/packages/server/src/api/controllers/static/index.ts
index daf7b9b25c..139d07c86d 100644
--- a/packages/server/src/api/controllers/static/index.ts
+++ b/packages/server/src/api/controllers/static/index.ts
@@ -209,6 +209,7 @@ export const serveApp = async function (ctx: UserCtx) {
             ? objectStore.getGlobalFileUrl("settings", "logoUrl")
             : "",
         appMigrating: needMigrations,
+        nonce: ctx.state.nonce,
       })
       const appHbs = loadHandlebarsFile(appHbsPath)
       ctx.body = await processString(appHbs, {
@@ -217,6 +218,7 @@ export const serveApp = async function (ctx: UserCtx) {
         css: `:root{${themeVariables}} ${css.code}`,
         appId,
         embedded: bbHeaderEmbed,
+        nonce: ctx.state.nonce,
       })
     } else {
       // just return the app info for jest to assert on
@@ -258,6 +260,7 @@ export const serveBuilderPreview = async function (ctx: Ctx) {
     const previewHbs = loadHandlebarsFile(join(previewLoc, "preview.hbs"))
     ctx.body = await processString(previewHbs, {
       clientLibPath: objectStore.clientLibraryUrl(appId!, appInfo.version),
+      nonce: ctx.state.nonce
     })
   } else {
     // just return the app info for jest to assert on
diff --git a/packages/server/src/api/controllers/static/templates/BudibaseApp.svelte b/packages/server/src/api/controllers/static/templates/BudibaseApp.svelte
index b4bfbe6660..b88b738f90 100644
--- a/packages/server/src/api/controllers/static/templates/BudibaseApp.svelte
+++ b/packages/server/src/api/controllers/static/templates/BudibaseApp.svelte
@@ -16,6 +16,8 @@
   export let hideDevTools
   export let sideNav
   export let hideFooter
+
+  export let nonce
 </script>
 
 <svelte:head>
@@ -118,11 +120,11 @@
       <p />
     {/if}
   </div>
-  <script type="application/javascript">
+  <script type="application/javascript" {nonce}>
     window.INIT_TIME = Date.now()
   </script>
   {#if appMigrating}
-    <script type="application/javascript">
+    <script type="application/javascript" {nonce}>
       window.MIGRATING_APP = true
     </script>
   {/if}
@@ -135,7 +137,7 @@
       <script type="application/javascript" src={plugin.jsUrl}></script>
     {/each}
   {/if}
-  <script type="application/javascript">
+  <script type="application/javascript" {nonce}>
     if (window.loadBudibase) {
       window.loadBudibase()
     } else {
diff --git a/packages/server/src/api/controllers/static/templates/app.hbs b/packages/server/src/api/controllers/static/templates/app.hbs
index b01b723c3e..a6e9130189 100644
--- a/packages/server/src/api/controllers/static/templates/app.hbs
+++ b/packages/server/src/api/controllers/static/templates/app.hbs
@@ -1,5 +1,5 @@
 <html>
-  <script>
+  <script nonce="{{ nonce }}">
     document.fonts.ready.then(() => {
       window.parent.postMessage({ type: "docLoaded" });
     })
@@ -9,7 +9,7 @@
     <style>{{{css}}}</style>
   </head>
 
-  <script>
+  <script nonce="{{ nonce }}">
     window["##BUDIBASE_APP_ID##"] = "{{appId}}"
     window["##BUDIBASE_APP_EMBEDDED##"] = "{{embedded}}"
   </script>
diff --git a/packages/server/src/api/controllers/static/templates/preview.hbs b/packages/server/src/api/controllers/static/templates/preview.hbs
index 54b5b1a4e4..87b9ad6ea3 100644
--- a/packages/server/src/api/controllers/static/templates/preview.hbs
+++ b/packages/server/src/api/controllers/static/templates/preview.hbs
@@ -31,7 +31,7 @@
     }
   </style>
   <script src='{{ clientLibPath }}'></script>
-  <script>
+  <script nonce="{{ nonce }}">
     function receiveMessage(event) {
       if (!event.data) {
         return
diff --git a/packages/server/src/koa.ts b/packages/server/src/koa.ts
index acae433cc3..8400bd10e2 100644
--- a/packages/server/src/koa.ts
+++ b/packages/server/src/koa.ts
@@ -37,6 +37,7 @@ export default function createKoaApp() {
   app.use(middleware.correlation)
   app.use(middleware.pino)
   app.use(middleware.ip)
+  app.use(middleware.csp)
   app.use(userAgent)
 
   const server = http.createServer(app.callback())

From 1543e6dc2bd15e3823b884c93264501f3a3c63d5 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Sun, 10 Nov 2024 13:08:51 +0000
Subject: [PATCH 02/12] env variable for turning off csp

---
 hosting/proxy/nginx.prod.conf                 | 14 ---------
 .../src/middleware/contentSecurityPolicy.ts   | 29 +++++++++++--------
 .../src/api/controllers/static/index.ts       |  2 +-
 packages/server/src/environment.ts            |  1 +
 packages/server/src/koa.ts                    |  4 ++-
 packages/types/src/sdk/koa.ts                 |  2 ++
 packages/worker/src/environment.ts            |  1 +
 packages/worker/src/index.ts                  |  3 ++
 8 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/hosting/proxy/nginx.prod.conf b/hosting/proxy/nginx.prod.conf
index f18bae09a4..57a0120720 100644
--- a/hosting/proxy/nginx.prod.conf
+++ b/hosting/proxy/nginx.prod.conf
@@ -50,19 +50,6 @@ http {
     ignore_invalid_headers off;
     proxy_buffering off;
 
-    set $csp_default "default-src 'self'";
-    set $csp_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com";
-    set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com";
-    set $csp_object "object-src 'none'";
-    set $csp_base_uri "base-uri 'self'";
-    set $csp_connect "connect-src 'self' https://*.budibase.app https://*.budibaseqa.app https://*.budibase.net https://api-iam.intercom.io https://api-iam.intercom.io  https://api-ping.intercom.io https://app.posthog.com https://us.i.posthog.com wss://nexus-websocket-a.intercom.io  wss://nexus-websocket-b.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io  https://uploads.intercomcdn.com  https://uploads.intercomusercontent.com https://*.amazonaws.com https://*.s3.amazonaws.com https://*.s3.us-east-2.amazonaws.com https://*.s3.us-east-1.amazonaws.com https://*.s3.us-west-1.amazonaws.com https://*.s3.us-west-2.amazonaws.com https://*.s3.af-south-1.amazonaws.com https://*.s3.ap-east-1.amazonaws.com https://*.s3.ap-southeast-3.amazonaws.com https://*.s3.ap-south-1.amazonaws.com https://*.s3.ap-northeast-3.amazonaws.com https://*.s3.ap-northeast-2.amazonaws.com https://*.s3.ap-southeast-1.amazonaws.com https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.ap-northeast-1.amazonaws.com https://*.s3.ca-central-1.amazonaws.com https://*.s3.cn-north-1.amazonaws.com https://*.s3.cn-northwest-1.amazonaws.com https://*.s3.eu-central-1.amazonaws.com https://*.s3.eu-west-1.amazonaws.com https://*.s3.eu-west-2.amazonaws.com https://*.s3.eu-south-1.amazonaws.com https://*.s3.eu-west-3.amazonaws.com https://*.s3.eu-north-1.amazonaws.com https://*.s3.sa-east-1.amazonaws.com https://*.s3.me-south-1.amazonaws.com https://*.s3.us-gov-east-1.amazonaws.com https://*.s3.us-gov-west-1.amazonaws.com https://api.github.com";    
-    set $csp_font "font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me https://maxcdn.bootstrapcdn.com  https://js.intercomcdn.com  https://fonts.intercomcdn.com";
-    set $csp_frame "frame-src 'self' https:";
-    set $csp_img "img-src http: https: data: blob:";
-    set $csp_manifest "manifest-src 'self'";
-    set $csp_media "media-src 'self' https://js.intercomcdn.com https://cdn.budi.live"; 
-    set $csp_worker "worker-src blob:";
-
     error_page 502 503 504 /error.html;
     location = /error.html {
       root /usr/share/nginx/html;
@@ -73,7 +60,6 @@ http {
     add_header X-Frame-Options SAMEORIGIN always;
     add_header X-Content-Type-Options nosniff always;
     add_header X-XSS-Protection "1; mode=block" always;
-    add_header Content-Security-Policy "${csp_default}; ${csp_script}; ${csp_style}; ${csp_object}; ${csp_base_uri}; ${csp_connect}; ${csp_font}; ${csp_frame}; ${csp_img}; ${csp_manifest}; ${csp_media}; ${csp_worker};" always;
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 
     # upstreams
diff --git a/packages/backend-core/src/middleware/contentSecurityPolicy.ts b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
index 5d465cbc3c..008c7ddc83 100644
--- a/packages/backend-core/src/middleware/contentSecurityPolicy.ts
+++ b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
@@ -4,14 +4,13 @@ const CSP_DIRECTIVES = {
   "default-src": ["'self'"],
   "script-src": [
     "'self'",
-    // "'unsafe-inline'",
     "'unsafe-eval'",
     "https://*.budibase.net",
     "https://cdn.budi.live",
     "https://js.intercomcdn.com",
     "https://widget.intercom.io",
     "https://d2l5prqdbvm3op.cloudfront.net",
-    "https://us-assets.i.posthog.com"
+    "https://us-assets.i.posthog.com",
   ],
   "style-src": [
     "'self'",
@@ -19,7 +18,7 @@ const CSP_DIRECTIVES = {
     "https://cdn.jsdelivr.net",
     "https://fonts.googleapis.com",
     "https://rsms.me",
-    "https://maxcdn.bootstrapcdn.com"
+    "https://maxcdn.bootstrapcdn.com",
   ],
   "object-src": ["'none'"],
   "base-uri": ["'self'"],
@@ -64,7 +63,7 @@ const CSP_DIRECTIVES = {
     "https://*.s3.me-south-1.amazonaws.com",
     "https://*.s3.us-gov-east-1.amazonaws.com",
     "https://*.s3.us-gov-west-1.amazonaws.com",
-    "https://api.github.com"
+    "https://api.github.com",
   ],
   "font-src": [
     "'self'",
@@ -74,30 +73,36 @@ const CSP_DIRECTIVES = {
     "https://rsms.me",
     "https://maxcdn.bootstrapcdn.com",
     "https://js.intercomcdn.com",
-    "https://fonts.intercomcdn.com"
+    "https://fonts.intercomcdn.com",
   ],
   "frame-src": ["'self'", "https:"],
   "img-src": ["http:", "https:", "data:", "blob:"],
   "manifest-src": ["'self'"],
-  "media-src": ["'self'", "https://js.intercomcdn.com", "https://cdn.budi.live"],
-  "worker-src": ["blob:"]
+  "media-src": [
+    "'self'",
+    "https://js.intercomcdn.com",
+    "https://cdn.budi.live",
+  ],
+  "worker-src": ["blob:"],
 }
 
 export async function contentSecurityPolicy(ctx: any, next: any) {
   try {
     const nonce = crypto.randomBytes(16).toString("base64")
 
-    CSP_DIRECTIVES['script-src'].push(`'nonce-${nonce}'`)
+    CSP_DIRECTIVES["script-src"].push(`'nonce-${nonce}'`)
 
     ctx.state.nonce = nonce
 
     const cspHeader = Object.entries(CSP_DIRECTIVES)
-      .map(([key, sources]) => `${key} ${sources.join(' ')}`)
-      .join('; ')
-    ctx.set("Content-Security-Policy", cspHeader);
+      .map(([key, sources]) => `${key} ${sources.join(" ")}`)
+      .join("; ")
+    ctx.set("Content-Security-Policy", cspHeader)
     await next()
   } catch (err: any) {
-    console.error(`Some error: ${err}`)
+    console.error(
+      `Error occurred in Content-Security-Policy middleware: ${err}`
+    )
   }
 }
 
diff --git a/packages/server/src/api/controllers/static/index.ts b/packages/server/src/api/controllers/static/index.ts
index 139d07c86d..1bf04e94f0 100644
--- a/packages/server/src/api/controllers/static/index.ts
+++ b/packages/server/src/api/controllers/static/index.ts
@@ -260,7 +260,7 @@ export const serveBuilderPreview = async function (ctx: Ctx) {
     const previewHbs = loadHandlebarsFile(join(previewLoc, "preview.hbs"))
     ctx.body = await processString(previewHbs, {
       clientLibPath: objectStore.clientLibraryUrl(appId!, appInfo.version),
-      nonce: ctx.state.nonce
+      nonce: ctx.state.nonce,
     })
   } else {
     // just return the app info for jest to assert on
diff --git a/packages/server/src/environment.ts b/packages/server/src/environment.ts
index 45d675ec3f..5e277feebe 100644
--- a/packages/server/src/environment.ts
+++ b/packages/server/src/environment.ts
@@ -114,6 +114,7 @@ const environment = {
     DEFAULTS.JS_RUNNER_MEMORY_LIMIT,
   LOG_JS_ERRORS: process.env.LOG_JS_ERRORS,
   DISABLE_USER_SYNC: process.env.DISABLE_USER_SYNC,
+  DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
   // old
   CLIENT_ID: process.env.CLIENT_ID,
   _set(key: string, value: any) {
diff --git a/packages/server/src/koa.ts b/packages/server/src/koa.ts
index 8400bd10e2..e595ddc9e6 100644
--- a/packages/server/src/koa.ts
+++ b/packages/server/src/koa.ts
@@ -37,7 +37,9 @@ export default function createKoaApp() {
   app.use(middleware.correlation)
   app.use(middleware.pino)
   app.use(middleware.ip)
-  app.use(middleware.csp)
+  if (!env.DISABLE_CONTENT_SECURITY_POLICY) {
+    app.use(middleware.csp)
+  }
   app.use(userAgent)
 
   const server = http.createServer(app.callback())
diff --git a/packages/types/src/sdk/koa.ts b/packages/types/src/sdk/koa.ts
index 8be3a6fa53..5ec10b94c1 100644
--- a/packages/types/src/sdk/koa.ts
+++ b/packages/types/src/sdk/koa.ts
@@ -48,6 +48,7 @@ export interface Ctx<RequestBody = any, ResponseBody = any> extends Context {
   request: BBRequest<RequestBody>
   body: ResponseBody
   userAgent: UserAgentContext["userAgent"]
+  state: { nonce: string }
 }
 
 /**
@@ -56,6 +57,7 @@ export interface Ctx<RequestBody = any, ResponseBody = any> extends Context {
 export interface UserCtx<RequestBody = any, ResponseBody = any>
   extends Ctx<RequestBody, ResponseBody> {
   user: ContextUser
+  state: { nonce: string }
   roleId?: string
   eventEmitter?: ContextEmitter
   loginMethod?: LoginMethod
diff --git a/packages/worker/src/environment.ts b/packages/worker/src/environment.ts
index 3a9efd70ce..3947c7431e 100644
--- a/packages/worker/src/environment.ts
+++ b/packages/worker/src/environment.ts
@@ -46,6 +46,7 @@ const environment = {
   SMTP_FALLBACK_ENABLED: process.env.SMTP_FALLBACK_ENABLED,
   DISABLE_DEVELOPER_LICENSE: process.env.DISABLE_DEVELOPER_LICENSE,
   BUDIBASE_ENVIRONMENT: process.env.BUDIBASE_ENVIRONMENT,
+  DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
   // smtp
   SMTP_USER: process.env.SMTP_USER,
   SMTP_PASSWORD: process.env.SMTP_PASSWORD,
diff --git a/packages/worker/src/index.ts b/packages/worker/src/index.ts
index fb6a97a844..89232034a4 100644
--- a/packages/worker/src/index.ts
+++ b/packages/worker/src/index.ts
@@ -56,6 +56,9 @@ app.use(koaSession(app))
 app.use(middleware.correlation)
 app.use(middleware.pino)
 app.use(middleware.ip)
+if (!env.DISABLE_CONTENT_SECURITY_POLICY) {
+  app.use(middleware.csp)
+}
 app.use(userAgent)
 
 // authentication

From 9525cf8682c7ef6fb899d3c9fd5a2901ff851223 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Sun, 10 Nov 2024 13:11:49 +0000
Subject: [PATCH 03/12] make directives immutable

---
 .../backend-core/src/middleware/contentSecurityPolicy.ts     | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/packages/backend-core/src/middleware/contentSecurityPolicy.ts b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
index 008c7ddc83..f06fc567a4 100644
--- a/packages/backend-core/src/middleware/contentSecurityPolicy.ts
+++ b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
@@ -90,11 +90,12 @@ export async function contentSecurityPolicy(ctx: any, next: any) {
   try {
     const nonce = crypto.randomBytes(16).toString("base64")
 
-    CSP_DIRECTIVES["script-src"].push(`'nonce-${nonce}'`)
+    const directives = { ...CSP_DIRECTIVES }
+    directives["script-src"] = [...CSP_DIRECTIVES["script-src"], `'nonce-${nonce}'`]
 
     ctx.state.nonce = nonce
 
-    const cspHeader = Object.entries(CSP_DIRECTIVES)
+    const cspHeader = Object.entries(directives)
       .map(([key, sources]) => `${key} ${sources.join(" ")}`)
       .join("; ")
     ctx.set("Content-Security-Policy", cspHeader)

From 87f85a0d637109f86429dac189be78b0421d28cf Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Sun, 10 Nov 2024 13:17:21 +0000
Subject: [PATCH 04/12] unit test

---
 .../src/middleware/contentSecurityPolicy.ts   |  5 +-
 .../tests/contentSecurityPolicy.spec.ts       | 73 +++++++++++++++++++
 packages/types/src/sdk/koa.ts                 |  4 +-
 3 files changed, 79 insertions(+), 3 deletions(-)
 create mode 100644 packages/backend-core/src/middleware/tests/contentSecurityPolicy.spec.ts

diff --git a/packages/backend-core/src/middleware/contentSecurityPolicy.ts b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
index f06fc567a4..d1668d3dd5 100644
--- a/packages/backend-core/src/middleware/contentSecurityPolicy.ts
+++ b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
@@ -91,7 +91,10 @@ export async function contentSecurityPolicy(ctx: any, next: any) {
     const nonce = crypto.randomBytes(16).toString("base64")
 
     const directives = { ...CSP_DIRECTIVES }
-    directives["script-src"] = [...CSP_DIRECTIVES["script-src"], `'nonce-${nonce}'`]
+    directives["script-src"] = [
+      ...CSP_DIRECTIVES["script-src"],
+      `'nonce-${nonce}'`,
+    ]
 
     ctx.state.nonce = nonce
 
diff --git a/packages/backend-core/src/middleware/tests/contentSecurityPolicy.spec.ts b/packages/backend-core/src/middleware/tests/contentSecurityPolicy.spec.ts
new file mode 100644
index 0000000000..745c94fcef
--- /dev/null
+++ b/packages/backend-core/src/middleware/tests/contentSecurityPolicy.spec.ts
@@ -0,0 +1,73 @@
+import crypto from "crypto"
+import contentSecurityPolicy from "../contentSecurityPolicy"
+
+jest.mock("crypto", () => ({
+  randomBytes: jest.fn(),
+  randomUUID: jest.fn(),
+}))
+
+describe("contentSecurityPolicy middleware", () => {
+  let ctx: any
+  let next: any
+  const mockNonce = "mocked/nonce"
+
+  beforeEach(() => {
+    ctx = {
+      state: {},
+      set: jest.fn(),
+    }
+    next = jest.fn()
+    crypto.randomBytes.mockReturnValue(Buffer.from(mockNonce, "base64"))
+  })
+
+  afterEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it("should generate a nonce and set it in the script-src directive", async () => {
+    await contentSecurityPolicy(ctx, next)
+
+    expect(ctx.state.nonce).toBe(mockNonce)
+    expect(ctx.set).toHaveBeenCalledWith(
+      "Content-Security-Policy",
+      expect.stringContaining(
+        `script-src 'self' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com 'nonce-${mockNonce}'`
+      )
+    )
+    expect(next).toHaveBeenCalled()
+  })
+
+  it("should include all CSP directives in the header", async () => {
+    await contentSecurityPolicy(ctx, next)
+
+    const cspHeader = ctx.set.mock.calls[0][1]
+    expect(cspHeader).toContain("default-src 'self'")
+    expect(cspHeader).toContain("script-src 'self' 'unsafe-eval'")
+    expect(cspHeader).toContain("style-src 'self' 'unsafe-inline'")
+    expect(cspHeader).toContain("object-src 'none'")
+    expect(cspHeader).toContain("base-uri 'self'")
+    expect(cspHeader).toContain("connect-src 'self'")
+    expect(cspHeader).toContain("font-src 'self'")
+    expect(cspHeader).toContain("frame-src 'self'")
+    expect(cspHeader).toContain("img-src http: https: data: blob:")
+    expect(cspHeader).toContain("manifest-src 'self'")
+    expect(cspHeader).toContain("media-src 'self'")
+    expect(cspHeader).toContain("worker-src blob:")
+  })
+
+  it("should handle errors and log an error message", async () => {
+    const consoleSpy = jest.spyOn(console, "error").mockImplementation()
+    const error = new Error("Test error")
+    crypto.randomBytes.mockImplementation(() => {
+      throw error
+    })
+
+    await contentSecurityPolicy(ctx, next)
+
+    expect(consoleSpy).toHaveBeenCalledWith(
+      `Error occurred in Content-Security-Policy middleware: ${error}`
+    )
+    expect(next).not.toHaveBeenCalled()
+    consoleSpy.mockRestore()
+  })
+})
diff --git a/packages/types/src/sdk/koa.ts b/packages/types/src/sdk/koa.ts
index 5ec10b94c1..826b7b371c 100644
--- a/packages/types/src/sdk/koa.ts
+++ b/packages/types/src/sdk/koa.ts
@@ -48,7 +48,7 @@ export interface Ctx<RequestBody = any, ResponseBody = any> extends Context {
   request: BBRequest<RequestBody>
   body: ResponseBody
   userAgent: UserAgentContext["userAgent"]
-  state: { nonce: string }
+  state: { nonce?: string }
 }
 
 /**
@@ -57,7 +57,7 @@ export interface Ctx<RequestBody = any, ResponseBody = any> extends Context {
 export interface UserCtx<RequestBody = any, ResponseBody = any>
   extends Ctx<RequestBody, ResponseBody> {
   user: ContextUser
-  state: { nonce: string }
+  state: { nonce?: string }
   roleId?: string
   eventEmitter?: ContextEmitter
   loginMethod?: LoginMethod

From ddd5a379289972e4a62a4703f8157b56038c7334 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Sun, 10 Nov 2024 13:26:45 +0000
Subject: [PATCH 05/12] add csp env var to backend-core

---
 packages/backend-core/src/environment.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/backend-core/src/environment.ts b/packages/backend-core/src/environment.ts
index 4cb0a9c731..0a9dd822a0 100644
--- a/packages/backend-core/src/environment.ts
+++ b/packages/backend-core/src/environment.ts
@@ -225,6 +225,7 @@ const environment = {
   OPENAI_API_KEY: process.env.OPENAI_API_KEY,
   MIN_VERSION_WITHOUT_POWER_ROLE:
     process.env.MIN_VERSION_WITHOUT_POWER_ROLE || "3.0.0",
+  DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
 }
 
 export function setEnv(newEnvVars: Partial<typeof environment>): () => void {

From 78cf68158087e0de92a5072d06ddaa3426a19b8a Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Fri, 15 Nov 2024 14:41:05 +0000
Subject: [PATCH 06/12] ignore types for direct mockImpl calls

---
 .../src/middleware/tests/contentSecurityPolicy.spec.ts          | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/packages/backend-core/src/middleware/tests/contentSecurityPolicy.spec.ts b/packages/backend-core/src/middleware/tests/contentSecurityPolicy.spec.ts
index 745c94fcef..0c5838e7fe 100644
--- a/packages/backend-core/src/middleware/tests/contentSecurityPolicy.spec.ts
+++ b/packages/backend-core/src/middleware/tests/contentSecurityPolicy.spec.ts
@@ -17,6 +17,7 @@ describe("contentSecurityPolicy middleware", () => {
       set: jest.fn(),
     }
     next = jest.fn()
+    // @ts-ignore
     crypto.randomBytes.mockReturnValue(Buffer.from(mockNonce, "base64"))
   })
 
@@ -58,6 +59,7 @@ describe("contentSecurityPolicy middleware", () => {
   it("should handle errors and log an error message", async () => {
     const consoleSpy = jest.spyOn(console, "error").mockImplementation()
     const error = new Error("Test error")
+    // @ts-ignore
     crypto.randomBytes.mockImplementation(() => {
       throw error
     })

From dcecd5c4a98a2133189fbcb9185397b4dc268f52 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Fri, 15 Nov 2024 15:02:34 +0000
Subject: [PATCH 07/12] add unsafe-inline migration strategy

---
 packages/backend-core/src/environment.ts                     | 2 ++
 .../backend-core/src/middleware/contentSecurityPolicy.ts     | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/packages/backend-core/src/environment.ts b/packages/backend-core/src/environment.ts
index 0a9dd822a0..e71b30e969 100644
--- a/packages/backend-core/src/environment.ts
+++ b/packages/backend-core/src/environment.ts
@@ -226,6 +226,8 @@ const environment = {
   MIN_VERSION_WITHOUT_POWER_ROLE:
     process.env.MIN_VERSION_WITHOUT_POWER_ROLE || "3.0.0",
   DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
+  // stopgap migration strategy until we can ensure backwards compat without unsafe-inline in CSP
+  DISABLE_CSP_UNSAFE_INLINE_SCRIPTS: process.env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS,
 }
 
 export function setEnv(newEnvVars: Partial<typeof environment>): () => void {
diff --git a/packages/backend-core/src/middleware/contentSecurityPolicy.ts b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
index d1668d3dd5..e0dfbe6f64 100644
--- a/packages/backend-core/src/middleware/contentSecurityPolicy.ts
+++ b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
@@ -1,4 +1,5 @@
 import crypto from "crypto"
+import env from "../environment"
 
 const CSP_DIRECTIVES = {
   "default-src": ["'self'"],
@@ -96,6 +97,10 @@ export async function contentSecurityPolicy(ctx: any, next: any) {
       `'nonce-${nonce}'`,
     ]
 
+    if (!env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS) {
+      directives["script-src"].push("'unsafe-inline'")
+    }
+
     ctx.state.nonce = nonce
 
     const cspHeader = Object.entries(directives)

From cdbf4b53b7672e391bec567f4b029cbc173e58f1 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Fri, 15 Nov 2024 15:19:10 +0000
Subject: [PATCH 08/12] lint

---
 packages/backend-core/src/environment.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/backend-core/src/environment.ts b/packages/backend-core/src/environment.ts
index e71b30e969..b2f95210d3 100644
--- a/packages/backend-core/src/environment.ts
+++ b/packages/backend-core/src/environment.ts
@@ -227,7 +227,8 @@ const environment = {
     process.env.MIN_VERSION_WITHOUT_POWER_ROLE || "3.0.0",
   DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
   // stopgap migration strategy until we can ensure backwards compat without unsafe-inline in CSP
-  DISABLE_CSP_UNSAFE_INLINE_SCRIPTS: process.env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS,
+  DISABLE_CSP_UNSAFE_INLINE_SCRIPTS:
+    process.env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS,
 }
 
 export function setEnv(newEnvVars: Partial<typeof environment>): () => void {

From dcbe4f0493a80d7de0fc9ed40acf09c0b8bdd511 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Fri, 15 Nov 2024 16:01:23 +0000
Subject: [PATCH 09/12] clean up env var

---
 hosting/nginx.dev.conf             | 14 ++++++++++++++
 packages/server/src/environment.ts |  1 -
 packages/server/src/koa.ts         | 10 ++++++++--
 packages/worker/src/environment.ts |  1 -
 packages/worker/src/index.ts       |  2 +-
 yarn.lock                          |  2 +-
 6 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/hosting/nginx.dev.conf b/hosting/nginx.dev.conf
index f0a58a9a98..e3d6d47287 100644
--- a/hosting/nginx.dev.conf
+++ b/hosting/nginx.dev.conf
@@ -45,6 +45,20 @@ http {
     client_max_body_size 50000m;
     ignore_invalid_headers off;
     proxy_buffering off;
+    set $csp_default "default-src 'self'";
+    set $csp_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com";
+    set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com";
+    set $csp_object "object-src 'none'";
+    set $csp_base_uri "base-uri 'self'";
+    set $csp_connect "connect-src 'self' https://*.budibase.app https://*.budibaseqa.app https://*.budibase.net https://api-iam.intercom.io https://api-iam.intercom.io  https://api-ping.intercom.io https://app.posthog.com https://us.i.posthog.com wss://nexus-websocket-a.intercom.io  wss://nexus-websocket-b.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io  https://uploads.intercomcdn.com  https://uploads.intercomusercontent.com https://*.amazonaws.com https://*.s3.amazonaws.com https://*.s3.us-east-2.amazonaws.com https://*.s3.us-east-1.amazonaws.com https://*.s3.us-west-1.amazonaws.com https://*.s3.us-west-2.amazonaws.com https://*.s3.af-south-1.amazonaws.com https://*.s3.ap-east-1.amazonaws.com https://*.s3.ap-southeast-3.amazonaws.com https://*.s3.ap-south-1.amazonaws.com https://*.s3.ap-northeast-3.amazonaws.com https://*.s3.ap-northeast-2.amazonaws.com https://*.s3.ap-southeast-1.amazonaws.com https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.ap-northeast-1.amazonaws.com https://*.s3.ca-central-1.amazonaws.com https://*.s3.cn-north-1.amazonaws.com https://*.s3.cn-northwest-1.amazonaws.com https://*.s3.eu-central-1.amazonaws.com https://*.s3.eu-west-1.amazonaws.com https://*.s3.eu-west-2.amazonaws.com https://*.s3.eu-south-1.amazonaws.com https://*.s3.eu-west-3.amazonaws.com https://*.s3.eu-north-1.amazonaws.com https://*.s3.sa-east-1.amazonaws.com https://*.s3.me-south-1.amazonaws.com https://*.s3.us-gov-east-1.amazonaws.com https://*.s3.us-gov-west-1.amazonaws.com https://api.github.com";
+    set $csp_font "font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me https://maxcdn.bootstrapcdn.com  https://js.intercomcdn.com  https://fonts.intercomcdn.com";
+    set $csp_frame "frame-src 'self' https:";
+    set $csp_img "img-src http: https: data: blob:";
+    set $csp_manifest "manifest-src 'self'";
+    set $csp_media "media-src 'self' https://js.intercomcdn.com https://cdn.budi.live";
+    set $csp_worker "worker-src blob:";
+
+    add_header Content-Security-Policy "${csp_default}; ${csp_style}; ${csp_object}; ${csp_base_uri}; ${csp_connect}; ${csp_font}; ${csp_frame}; ${csp_img}; ${csp_manifest}; ${csp_media}; ${csp_worker};" always;
 
     error_page 502 503 504 /error.html;
     location = /error.html {
diff --git a/packages/server/src/environment.ts b/packages/server/src/environment.ts
index 5e277feebe..45d675ec3f 100644
--- a/packages/server/src/environment.ts
+++ b/packages/server/src/environment.ts
@@ -114,7 +114,6 @@ const environment = {
     DEFAULTS.JS_RUNNER_MEMORY_LIMIT,
   LOG_JS_ERRORS: process.env.LOG_JS_ERRORS,
   DISABLE_USER_SYNC: process.env.DISABLE_USER_SYNC,
-  DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
   // old
   CLIENT_ID: process.env.CLIENT_ID,
   _set(key: string, value: any) {
diff --git a/packages/server/src/koa.ts b/packages/server/src/koa.ts
index e595ddc9e6..0dc7fd7081 100644
--- a/packages/server/src/koa.ts
+++ b/packages/server/src/koa.ts
@@ -6,7 +6,13 @@ import * as api from "./api"
 import * as automations from "./automations"
 import { Thread } from "./threads"
 import * as redis from "./utilities/redis"
-import { events, logging, middleware, timers } from "@budibase/backend-core"
+import {
+  events,
+  logging,
+  middleware,
+  timers,
+  env as coreEnv,
+} from "@budibase/backend-core"
 import destroyable from "server-destroy"
 import { userAgent } from "koa-useragent"
 
@@ -37,7 +43,7 @@ export default function createKoaApp() {
   app.use(middleware.correlation)
   app.use(middleware.pino)
   app.use(middleware.ip)
-  if (!env.DISABLE_CONTENT_SECURITY_POLICY) {
+  if (!coreEnv.DISABLE_CONTENT_SECURITY_POLICY) {
     app.use(middleware.csp)
   }
   app.use(userAgent)
diff --git a/packages/worker/src/environment.ts b/packages/worker/src/environment.ts
index 3947c7431e..3a9efd70ce 100644
--- a/packages/worker/src/environment.ts
+++ b/packages/worker/src/environment.ts
@@ -46,7 +46,6 @@ const environment = {
   SMTP_FALLBACK_ENABLED: process.env.SMTP_FALLBACK_ENABLED,
   DISABLE_DEVELOPER_LICENSE: process.env.DISABLE_DEVELOPER_LICENSE,
   BUDIBASE_ENVIRONMENT: process.env.BUDIBASE_ENVIRONMENT,
-  DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
   // smtp
   SMTP_USER: process.env.SMTP_USER,
   SMTP_PASSWORD: process.env.SMTP_PASSWORD,
diff --git a/packages/worker/src/index.ts b/packages/worker/src/index.ts
index 89232034a4..010aa4c1a0 100644
--- a/packages/worker/src/index.ts
+++ b/packages/worker/src/index.ts
@@ -56,7 +56,7 @@ app.use(koaSession(app))
 app.use(middleware.correlation)
 app.use(middleware.pino)
 app.use(middleware.ip)
-if (!env.DISABLE_CONTENT_SECURITY_POLICY) {
+if (!coreEnv.DISABLE_CONTENT_SECURITY_POLICY) {
   app.use(middleware.csp)
 }
 app.use(userAgent)
diff --git a/yarn.lock b/yarn.lock
index 8fabcddd00..73a4e8fa4d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -23244,4 +23244,4 @@ zip-stream@^6.0.1:
   dependencies:
     archiver-utils "^5.0.0"
     compress-commons "^6.0.2"
-    readable-stream "^4.0.0"
+    readable-stream "^4.0.0"
\ No newline at end of file

From 300e7ca0e4dc2b434049057cacdce591441ac630 Mon Sep 17 00:00:00 2001
From: Budibase Staging Release Bot <>
Date: Fri, 15 Nov 2024 16:42:25 +0000
Subject: [PATCH 10/12] Bump version to 3.2.2

---
 lerna.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lerna.json b/lerna.json
index 8d45ff71ac..7b0410659a 100644
--- a/lerna.json
+++ b/lerna.json
@@ -1,6 +1,6 @@
 {
   "$schema": "node_modules/lerna/schemas/lerna-schema.json",
-  "version": "3.2.1",
+  "version": "3.2.2",
   "npmClient": "yarn",
   "packages": [
     "packages/*",

From 04a2da6a64b60c3acde5e876f4157681b5f6bd8e Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Sat, 16 Nov 2024 14:50:56 +0000
Subject: [PATCH 11/12] enable proxy buffering for calls to OIDC endpoints

---
 hosting/proxy/nginx.prod.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hosting/proxy/nginx.prod.conf b/hosting/proxy/nginx.prod.conf
index 57a0120720..c5d378afd8 100644
--- a/hosting/proxy/nginx.prod.conf
+++ b/hosting/proxy/nginx.prod.conf
@@ -106,6 +106,12 @@ http {
 
     location ~ ^/api/(system|admin|global)/ {
       proxy_set_header    Host                $host;
+
+      # Enable buffering for potentially large OIDC configs
+      proxy_buffering on;
+      proxy_buffer_size 16k;
+      proxy_buffers 4 32k;
+
       proxy_pass      $worker;
     }
 

From 50e66f3bcf4b2a2274f033ab297377e0400342b8 Mon Sep 17 00:00:00 2001
From: Budibase Staging Release Bot <>
Date: Sat, 16 Nov 2024 15:08:50 +0000
Subject: [PATCH 12/12] Bump version to 3.2.3

---
 lerna.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lerna.json b/lerna.json
index 7b0410659a..582f95b303 100644
--- a/lerna.json
+++ b/lerna.json
@@ -1,6 +1,6 @@
 {
   "$schema": "node_modules/lerna/schemas/lerna-schema.json",
-  "version": "3.2.2",
+  "version": "3.2.3",
   "npmClient": "yarn",
   "packages": [
     "packages/*",