hedgedoc/lib/csp.js

const config = require('./config')
const { v4: uuidv4 } = require('uuid')
const { buildDomainOriginWithProtocol } = require('./config/buildDomainOriginWithProtocol')

const CspStrategy = {}

const defaultDirectives = {
  defaultSrc: ['\'none\''],
  baseUri: ['\'self\''],
  connectSrc: ['\'self\'', buildDomainOriginWithProtocol(config, 'ws')],
  fontSrc: ['\'self\''],
  manifestSrc: ['\'self\''],
  frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
  imgSrc: ['*'], // we allow using arbitrary images
  scriptSrc: [
    config.serverURL + '/build/',
    config.serverURL + '/js/',
    config.serverURL + '/config',
    'https://gist.github.com/',
    'https://vimeo.com/api/oembed.json',
    'https://www.slideshare.net/api/oembed/2',
    '\'unsafe-inline\'' // this is ignored by browsers supporting nonces/hashes
  ],
  styleSrc: [config.serverURL + '/build/', config.serverURL + '/css/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
  objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
  formAction: ['\'self\''],
  mediaSrc: ['*']
}

const disqusDirectives = {
  scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'],
  styleSrc: ['https://*.disquscdn.com'],
  fontSrc: ['https://*.disquscdn.com']
}

const googleAnalyticsDirectives = {
  scriptSrc: ['https://www.google-analytics.com']
}

const dropboxDirectives = {
  scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']
}

const disallowFramingDirectives = {
  frameAncestors: ['\'self\'']
}

const allowPDFEmbedDirectives = {
  objectSrc: ['*'], // Chrome and Firefox treat PDFs as objects
  frameSrc: ['*'] // Chrome also checks PDFs against frame-src
}

const configuredGitLabInstanceDirectives = {
  connectSrc: [config.gitlab.baseURL]
}

CspStrategy.computeDirectives = function () {
  const directives = {}
  mergeDirectives(directives, config.csp.directives)
  mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)
  mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
  mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
  mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
  mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
  mergeDirectivesIf(config.csp.allowPDFEmbed, directives, allowPDFEmbedDirectives)
  mergeDirectivesIf(config.isGitlabSnippetsEnable, directives, configuredGitLabInstanceDirectives)
  addInlineScriptExceptions(directives)
  addUpgradeUnsafeRequestsOptionTo(directives)
  addReportURI(directives)
  return directives
}

function mergeDirectives (existingDirectives, newDirectives) {
  for (const propertyName in newDirectives) {
    const newDirective = newDirectives[propertyName]
    if (newDirective) {
      const existingDirective = existingDirectives[propertyName] || []
      existingDirectives[propertyName] = existingDirective.concat(newDirective)
    }
  }
}

function mergeDirectivesIf (condition, existingDirectives, newDirectives) {
  if (condition) {
    mergeDirectives(existingDirectives, newDirectives)
  }
}

function addInlineScriptExceptions (directives) {
  directives.scriptSrc.push(getCspNonce)
  // TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html
  // Any more clean solution appreciated.
  directives.scriptSrc.push('\'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM=\'')
}

function getCspNonce (req, res) {
  return '\'nonce-' + res.locals.nonce + '\''
}

function addUpgradeUnsafeRequestsOptionTo (directives) {
  if (config.csp.upgradeInsecureRequests === 'auto' && (config.useSSL || config.protocolUseSSL)) {
    directives.upgradeInsecureRequests = []
  } else if (config.csp.upgradeInsecureRequests === true) {
    directives.upgradeInsecureRequests = []
  }
}

function addReportURI (directives) {
  if (config.csp.reportURI) {
    directives.reportUri = config.csp.reportURI
  }
}

CspStrategy.addNonceToLocals = function (req, res, next) {
  res.locals.nonce = uuidv4()
  next()
}

module.exports = CspStrategy
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const config = require('./config')`
Use new uuid export Signed-off-by: David Mehren <git@herrmehren.de> 2021-02-16 16:21:13 -05:00			`const { v4: uuidv4 } = require('uuid')`
Refactor existing code to add the configured domain to connect-src Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> 2021-09-14 15:09:32 -04:00			`const { buildDomainOriginWithProtocol } = require('./config/buildDomainOriginWithProtocol')`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const CspStrategy = {}`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const defaultDirectives = {`
Tighten up default Content-Security-Policy This commit changes the - default-src to none, so everything is disallowed by default - base-uri, connect-uri and font-src to self, so these are restricted to the current origin - frame-src to allow SlideShare, Vimeo and YouTube - script-src to the specific paths that are used by HedgeDoc to serve scripts. This explicitly does not include the /uploads route - style-src to the specific paths that are used by HedgeDoc to serve styles - Signed-off-by: David Mehren <git@herrmehren.de> 2021-07-06 15:17:56 -04:00			`defaultSrc: ['\'none\''],`
			`baseUri: ['\'self\''],`
Refactor existing code to add the configured domain to connect-src Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> 2021-09-14 15:09:32 -04:00			`connectSrc: ['\'self\'', buildDomainOriginWithProtocol(config, 'ws')],`
Tighten up default Content-Security-Policy This commit changes the - default-src to none, so everything is disallowed by default - base-uri, connect-uri and font-src to self, so these are restricted to the current origin - frame-src to allow SlideShare, Vimeo and YouTube - script-src to the specific paths that are used by HedgeDoc to serve scripts. This explicitly does not include the /uploads route - style-src to the specific paths that are used by HedgeDoc to serve styles - Signed-off-by: David Mehren <git@herrmehren.de> 2021-07-06 15:17:56 -04:00			`fontSrc: ['\'self\''],`
CSP: Allow self as manifest-src Chrome complains otherwise, as it can't download the Web Manifest. Signed-off-by: David Mehren <git@herrmehren.de> 2021-08-06 06:11:53 -04:00			`manifestSrc: ['\'self\''],`
CSP: Allow self as frame-src The reveal.js speaker view uses frames to display the slides Signed-off-by: David Mehren <git@herrmehren.de> 2021-08-06 06:11:08 -04:00			`frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],`
Tighten up default Content-Security-Policy This commit changes the - default-src to none, so everything is disallowed by default - base-uri, connect-uri and font-src to self, so these are restricted to the current origin - frame-src to allow SlideShare, Vimeo and YouTube - script-src to the specific paths that are used by HedgeDoc to serve scripts. This explicitly does not include the /uploads route - style-src to the specific paths that are used by HedgeDoc to serve styles - Signed-off-by: David Mehren <git@herrmehren.de> 2021-07-06 15:17:56 -04:00			`imgSrc: ['*'], // we allow using arbitrary images`
			`scriptSrc: [`
			`config.serverURL + '/build/',`
			`config.serverURL + '/js/',`
			`config.serverURL + '/config',`
			`'https://gist.github.com/',`
			`'https://vimeo.com/api/oembed.json',`
			`'https://www.slideshare.net/api/oembed/2',`
			`'\'unsafe-inline\'' // this is ignored by browsers supporting nonces/hashes`
			`],`
CSP: Allow styles from /css/ Reveal.js styles are hosted there Signed-off-by: David Mehren <git@herrmehren.de> 2021-08-06 06:09:20 -04:00			`styleSrc: [config.serverURL + '/build/', config.serverURL + '/css/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/`
CSP: Allow all sources for media Otherwise, `video` tags and reveal background video does not work Signed-off-by: David Mehren <git@herrmehren.de> 2021-08-14 18:35:57 -04:00			`formAction: ['\'self\''],`
			`mediaSrc: ['*']`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`}`

Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const disqusDirectives = {`
Fix disqus CSP Disqus loads it's embed config.js from its root domain (https://disqus.com). Our CSPs only allow subdomains (e.g.: https://codimd.disqus.com). This causes the disqus embedding to fail. This patch should fix this problem by adding https://disqus.com to the CSP setting. From a security perspective there is no real change. Since still the same parties are involved. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-12-05 07:14:34 -05:00			`scriptSrc: ['https://disqus.com', 'https://.disqus.com', 'https://.disquscdn.com'],`
Fix CSP for disqus and Google Analytics This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-30 10:33:32 -04:00			`styleSrc: ['https://*.disquscdn.com'],`
			`fontSrc: ['https://*.disquscdn.com']`
			`}`

Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const googleAnalyticsDirectives = {`
Fix CSP for disqus and Google Analytics This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-30 10:33:32 -04:00			`scriptSrc: ['https://www.google-analytics.com']`
			`}`

Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const dropboxDirectives = {`
Add missing unsafe-inline CSP directive Dropbox loads an external script that adds inline javascript. Therefore, this addition is needed when enabling dropbox support. Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2020-08-22 19:29:53 -04:00			`scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']`
Add dropbox CSP directive if configured and make button clickable The lack of a 'preventDefault' on the click event handler resulted in the dropbox link being unclickable. Furthermore because of a missing CSP rule, the dropbox script couldn't be loaded. The dropbox origin is now added to the CSP script sources if dropbox integration is configured. Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2020-08-22 19:11:31 -04:00			`}`

Add config option to disallow framing via CSP Signed-off-by: David Mehren <git@herrmehren.de> 2021-07-18 03:59:14 -04:00			`const disallowFramingDirectives = {`
			`frameAncestors: ['\'self\'']`
			`}`

Add config option to disallow embedding PDFs Signed-off-by: David Mehren <git@herrmehren.de> 2021-08-06 06:58:22 -04:00			`const allowPDFEmbedDirectives = {`
			`objectSrc: ['*'], // Chrome and Firefox treat PDFs as objects`
			`frameSrc: ['*'] // Chrome also checks PDFs against frame-src`
			`}`

Fix GitLab snippet export The snippet export broke due to two reasons. First of all, the request to GitLab fail in the default configuration due to the CSP not being set properly. This commit adds the configured GitLab base url to the connect-src directives. The second problem is a change in the GitLab API spec. Instead of `code` and `file_name` the GitLab API now requires an `files` array with `content` and `file_path` entries per snippet. Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2022-04-03 16:47:42 -04:00			`const configuredGitLabInstanceDirectives = {`
			`connectSrc: [config.gitlab.baseURL]`
			`}`

Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`CspStrategy.computeDirectives = function () {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const directives = {}`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`mergeDirectives(directives, config.csp.directives)`
			`mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)`
Fix CSP for disqus and Google Analytics This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-30 10:33:32 -04:00			`mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)`
			`mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)`
Add dropbox CSP directive if configured and make button clickable The lack of a 'preventDefault' on the click event handler resulted in the dropbox link being unclickable. Furthermore because of a missing CSP rule, the dropbox script couldn't be loaded. The dropbox origin is now added to the CSP script sources if dropbox integration is configured. Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2020-08-22 19:11:31 -04:00			`mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)`
Add config option to disallow framing via CSP Signed-off-by: David Mehren <git@herrmehren.de> 2021-07-18 03:59:14 -04:00			`mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)`
Add config option to disallow embedding PDFs Signed-off-by: David Mehren <git@herrmehren.de> 2021-08-06 06:58:22 -04:00			`mergeDirectivesIf(config.csp.allowPDFEmbed, directives, allowPDFEmbedDirectives)`
Fix GitLab snippet export The snippet export broke due to two reasons. First of all, the request to GitLab fail in the default configuration due to the CSP not being set properly. This commit adds the configured GitLab base url to the connect-src directives. The second problem is a change in the GitLab API spec. Instead of `code` and `file_name` the GitLab API now requires an `files` array with `content` and `file_path` entries per snippet. Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2022-04-03 16:47:42 -04:00			`mergeDirectivesIf(config.isGitlabSnippetsEnable, directives, configuredGitLabInstanceDirectives)`
Tighten up default Content-Security-Policy This commit changes the - default-src to none, so everything is disallowed by default - base-uri, connect-uri and font-src to self, so these are restricted to the current origin - frame-src to allow SlideShare, Vimeo and YouTube - script-src to the specific paths that are used by HedgeDoc to serve scripts. This explicitly does not include the /uploads route - style-src to the specific paths that are used by HedgeDoc to serve styles - Signed-off-by: David Mehren <git@herrmehren.de> 2021-07-06 15:17:56 -04:00			`addInlineScriptExceptions(directives)`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`addUpgradeUnsafeRequestsOptionTo(directives)`
Add config option for report URI in CSP This option is needed as it's currently not possible to add an report URI by the directives array. This option also allows to get CSP reports not only on docker based setup but also on our heroku instances. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-10 08:34:14 -05:00			`addReportURI(directives)`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`return directives`
			`}`

			`function mergeDirectives (existingDirectives, newDirectives) {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`for (const propertyName in newDirectives) {`
			`const newDirective = newDirectives[propertyName]`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`if (newDirective) {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const existingDirective = existingDirectives[propertyName] \|\| []`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`existingDirectives[propertyName] = existingDirective.concat(newDirective)`
			`}`
			`}`
			`}`

			`function mergeDirectivesIf (condition, existingDirectives, newDirectives) {`
			`if (condition) {`
			`mergeDirectives(existingDirectives, newDirectives)`
			`}`
			`}`

			`function addInlineScriptExceptions (directives) {`
			`directives.scriptSrc.push(getCspNonce)`
			`// TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html`
			`// Any more clean solution appreciated.`
Update RevealJS to version 3.9.2 This update of revealJS helps us to get rid of the headjs depedency integration using webpack. It updates reveal.js to 3.9.2 and updates the csp hash accordingly for using the slide mode. Background for this update is the critical security vulnerability described by snyk in their disclosure: https://snyk.io/vuln/SNYK-JS-REVEALJS-543841 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2020-02-01 06:50:07 -05:00			`directives.scriptSrc.push('\'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM=\'')`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`}`

			`function getCspNonce (req, res) {`
Cleanup csp.js Signed-off-by: David Mehren <git@herrmehren.de> 2021-08-05 17:06:28 -04:00			`return '\'nonce-' + res.locals.nonce + '\''`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`}`

			`function addUpgradeUnsafeRequestsOptionTo (directives) {`
Add config option to disallow framing via CSP Signed-off-by: David Mehren <git@herrmehren.de> 2021-07-18 03:59:14 -04:00			`if (config.csp.upgradeInsecureRequests === 'auto' && (config.useSSL \|\| config.protocolUseSSL)) {`
Fix upgradeInsecureRequests CSP directive The `upgradeInsecureRequests` option of Helmets CSP middleware was a boolean in Helmet 3, but with Helmet 4, everything changed to lists. This commit adjusts the addUpgradeUnsafeRequestsOptionTo function accordingly. Closes #1221 See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy Signed-off-by: David Mehren <git@herrmehren.de> 2021-05-04 05:10:53 -04:00			`directives.upgradeInsecureRequests = []`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`} else if (config.csp.upgradeInsecureRequests === true) {`
Fix upgradeInsecureRequests CSP directive The `upgradeInsecureRequests` option of Helmets CSP middleware was a boolean in Helmet 3, but with Helmet 4, everything changed to lists. This commit adjusts the addUpgradeUnsafeRequestsOptionTo function accordingly. Closes #1221 See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy Signed-off-by: David Mehren <git@herrmehren.de> 2021-05-04 05:10:53 -04:00			`directives.upgradeInsecureRequests = []`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`}`
			`}`

Add config option for report URI in CSP This option is needed as it's currently not possible to add an report URI by the directives array. This option also allows to get CSP reports not only on docker based setup but also on our heroku instances. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-10 08:34:14 -05:00			`function addReportURI (directives) {`
			`if (config.csp.reportURI) {`
			`directives.reportUri = config.csp.reportURI`
			`}`
			`}`

Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`CspStrategy.addNonceToLocals = function (req, res, next) {`
Use new uuid export Signed-off-by: David Mehren <git@herrmehren.de> 2021-02-16 16:21:13 -05:00			`res.locals.nonce = uuidv4()`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`next()`
			`}`

			`module.exports = CspStrategy`