CSP nonce E2E

This commit is contained in:
Martin McKeaveney 2024-11-08 17:40:29 +00:00
parent 888820a0de
commit 9996fc7f12
7 changed files with 117 additions and 6 deletions

View File

@ -0,0 +1,104 @@
import crypto from "crypto"
const CSP_DIRECTIVES = {
"default-src": ["'self'"],
"script-src": [
"'self'",
// "'unsafe-inline'",
"'unsafe-eval'",
"https://*.budibase.net",
"https://cdn.budi.live",
"https://js.intercomcdn.com",
"https://widget.intercom.io",
"https://d2l5prqdbvm3op.cloudfront.net",
"https://us-assets.i.posthog.com"
],
"style-src": [
"'self'",
"'unsafe-inline'",
"https://cdn.jsdelivr.net",
"https://fonts.googleapis.com",
"https://rsms.me",
"https://maxcdn.bootstrapcdn.com"
],
"object-src": ["'none'"],
"base-uri": ["'self'"],
"connect-src": [
"'self'",
"https://*.budibase.app",
"https://*.budibaseqa.app",
"https://*.budibase.net",
"https://api-iam.intercom.io",
"https://api-ping.intercom.io",
"https://app.posthog.com",
"https://us.i.posthog.com",
"wss://nexus-websocket-a.intercom.io",
"wss://nexus-websocket-b.intercom.io",
"https://nexus-websocket-a.intercom.io",
"https://nexus-websocket-b.intercom.io",
"https://uploads.intercomcdn.com",
"https://uploads.intercomusercontent.com",
"https://*.amazonaws.com",
"https://*.s3.amazonaws.com",
"https://*.s3.us-east-2.amazonaws.com",
"https://*.s3.us-east-1.amazonaws.com",
"https://*.s3.us-west-1.amazonaws.com",
"https://*.s3.us-west-2.amazonaws.com",
"https://*.s3.af-south-1.amazonaws.com",
"https://*.s3.ap-east-1.amazonaws.com",
"https://*.s3.ap-south-1.amazonaws.com",
"https://*.s3.ap-northeast-2.amazonaws.com",
"https://*.s3.ap-southeast-1.amazonaws.com",
"https://*.s3.ap-southeast-2.amazonaws.com",
"https://*.s3.ap-northeast-1.amazonaws.com",
"https://*.s3.ca-central-1.amazonaws.com",
"https://*.s3.cn-north-1.amazonaws.com",
"https://*.s3.cn-northwest-1.amazonaws.com",
"https://*.s3.eu-central-1.amazonaws.com",
"https://*.s3.eu-west-1.amazonaws.com",
"https://*.s3.eu-west-2.amazonaws.com",
"https://*.s3.eu-south-1.amazonaws.com",
"https://*.s3.eu-west-3.amazonaws.com",
"https://*.s3.eu-north-1.amazonaws.com",
"https://*.s3.sa-east-1.amazonaws.com",
"https://*.s3.me-south-1.amazonaws.com",
"https://*.s3.us-gov-east-1.amazonaws.com",
"https://*.s3.us-gov-west-1.amazonaws.com",
"https://api.github.com"
],
"font-src": [
"'self'",
"data:",
"https://cdn.jsdelivr.net",
"https://fonts.gstatic.com",
"https://rsms.me",
"https://maxcdn.bootstrapcdn.com",
"https://js.intercomcdn.com",
"https://fonts.intercomcdn.com"
],
"frame-src": ["'self'", "https:"],
"img-src": ["http:", "https:", "data:", "blob:"],
"manifest-src": ["'self'"],
"media-src": ["'self'", "https://js.intercomcdn.com", "https://cdn.budi.live"],
"worker-src": ["blob:"]
}
export async function contentSecurityPolicy(ctx: any, next: any) {
try {
const nonce = crypto.randomBytes(16).toString("base64")
CSP_DIRECTIVES['script-src'].push(`'nonce-${nonce}'`)
ctx.state.nonce = nonce
const cspHeader = Object.entries(CSP_DIRECTIVES)
.map(([key, sources]) => `${key} ${sources.join(' ')}`)
.join('; ')
ctx.set("Content-Security-Policy", cspHeader);
await next()
} catch (err: any) {
console.error(`Some error: ${err}`)
}
}
export default contentSecurityPolicy

View File

@ -19,5 +19,6 @@ export { default as pino } from "../logging/pino/middleware"
export { default as correlation } from "../logging/correlation/middleware" export { default as correlation } from "../logging/correlation/middleware"
export { default as errorHandling } from "./errorHandling" export { default as errorHandling } from "./errorHandling"
export { default as querystringToBody } from "./querystringToBody" export { default as querystringToBody } from "./querystringToBody"
export { default as csp } from "./contentSecurityPolicy"
export * as joiValidator from "./joi-validator" export * as joiValidator from "./joi-validator"
export { default as ip } from "./ip" export { default as ip } from "./ip"

View File

@ -209,6 +209,7 @@ export const serveApp = async function (ctx: UserCtx) {
? objectStore.getGlobalFileUrl("settings", "logoUrl") ? objectStore.getGlobalFileUrl("settings", "logoUrl")
: "", : "",
appMigrating: needMigrations, appMigrating: needMigrations,
nonce: ctx.state.nonce,
}) })
const appHbs = loadHandlebarsFile(appHbsPath) const appHbs = loadHandlebarsFile(appHbsPath)
ctx.body = await processString(appHbs, { ctx.body = await processString(appHbs, {
@ -217,6 +218,7 @@ export const serveApp = async function (ctx: UserCtx) {
css: `:root{${themeVariables}} ${css.code}`, css: `:root{${themeVariables}} ${css.code}`,
appId, appId,
embedded: bbHeaderEmbed, embedded: bbHeaderEmbed,
nonce: ctx.state.nonce,
}) })
} else { } else {
// just return the app info for jest to assert on // just return the app info for jest to assert on
@ -258,6 +260,7 @@ export const serveBuilderPreview = async function (ctx: Ctx) {
const previewHbs = loadHandlebarsFile(join(previewLoc, "preview.hbs")) const previewHbs = loadHandlebarsFile(join(previewLoc, "preview.hbs"))
ctx.body = await processString(previewHbs, { ctx.body = await processString(previewHbs, {
clientLibPath: objectStore.clientLibraryUrl(appId!, appInfo.version), clientLibPath: objectStore.clientLibraryUrl(appId!, appInfo.version),
nonce: ctx.state.nonce
}) })
} else { } else {
// just return the app info for jest to assert on // just return the app info for jest to assert on

View File

@ -16,6 +16,8 @@
export let hideDevTools export let hideDevTools
export let sideNav export let sideNav
export let hideFooter export let hideFooter
export let nonce
</script> </script>
<svelte:head> <svelte:head>
@ -118,11 +120,11 @@
<p /> <p />
{/if} {/if}
</div> </div>
<script type="application/javascript"> <script type="application/javascript" {nonce}>
window.INIT_TIME = Date.now() window.INIT_TIME = Date.now()
</script> </script>
{#if appMigrating} {#if appMigrating}
<script type="application/javascript"> <script type="application/javascript" {nonce}>
window.MIGRATING_APP = true window.MIGRATING_APP = true
</script> </script>
{/if} {/if}
@ -135,7 +137,7 @@
<script type="application/javascript" src={plugin.jsUrl}></script> <script type="application/javascript" src={plugin.jsUrl}></script>
{/each} {/each}
{/if} {/if}
<script type="application/javascript"> <script type="application/javascript" {nonce}>
if (window.loadBudibase) { if (window.loadBudibase) {
window.loadBudibase() window.loadBudibase()
} else { } else {

View File

@ -1,5 +1,5 @@
<html> <html>
<script> <script nonce="{{ nonce }}">
document.fonts.ready.then(() => { document.fonts.ready.then(() => {
window.parent.postMessage({ type: "docLoaded" }); window.parent.postMessage({ type: "docLoaded" });
}) })
@ -9,7 +9,7 @@
<style>{{{css}}}</style> <style>{{{css}}}</style>
</head> </head>
<script> <script nonce="{{ nonce }}">
window["##BUDIBASE_APP_ID##"] = "{{appId}}" window["##BUDIBASE_APP_ID##"] = "{{appId}}"
window["##BUDIBASE_APP_EMBEDDED##"] = "{{embedded}}" window["##BUDIBASE_APP_EMBEDDED##"] = "{{embedded}}"
</script> </script>

View File

@ -31,7 +31,7 @@
} }
</style> </style>
<script src='{{ clientLibPath }}'></script> <script src='{{ clientLibPath }}'></script>
<script> <script nonce="{{ nonce }}">
function receiveMessage(event) { function receiveMessage(event) {
if (!event.data) { if (!event.data) {
return return

View File

@ -37,6 +37,7 @@ export default function createKoaApp() {
app.use(middleware.correlation) app.use(middleware.correlation)
app.use(middleware.pino) app.use(middleware.pino)
app.use(middleware.ip) app.use(middleware.ip)
app.use(middleware.csp)
app.use(userAgent) app.use(userAgent)
const server = http.createServer(app.callback()) const server = http.createServer(app.callback())