hedgedoc/lib/csp.js

const config = require('./config')
const { v4: uuidv4 } = require('uuid')

const CspStrategy = {}

const defaultDirectives = {
  defaultSrc: ['\'self\''],
  scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net'],
  imgSrc: ['*'],
  styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
  fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],
  objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
  mediaSrc: ['*'],
  childSrc: ['*'],
  connectSrc: ['*']
}

const cdnDirectives = {
  scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
  styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'],
  fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']
}

const disqusDirectives = {
  scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'],
  styleSrc: ['https://*.disquscdn.com'],
  fontSrc: ['https://*.disquscdn.com']
}

const googleAnalyticsDirectives = {
  scriptSrc: ['https://www.google-analytics.com']
}

const dropboxDirectives = {
  scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']
}

CspStrategy.computeDirectives = function () {
  const directives = {}
  mergeDirectives(directives, config.csp.directives)
  mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)
  mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
  mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
  mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
  mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
  if (!areAllInlineScriptsAllowed(directives)) {
    addInlineScriptExceptions(directives)
  }
  addUpgradeUnsafeRequestsOptionTo(directives)
  addReportURI(directives)
  return directives
}

function mergeDirectives (existingDirectives, newDirectives) {
  for (const propertyName in newDirectives) {
    const newDirective = newDirectives[propertyName]
    if (newDirective) {
      const existingDirective = existingDirectives[propertyName] || []
      existingDirectives[propertyName] = existingDirective.concat(newDirective)
    }
  }
}

function mergeDirectivesIf (condition, existingDirectives, newDirectives) {
  if (condition) {
    mergeDirectives(existingDirectives, newDirectives)
  }
}

function areAllInlineScriptsAllowed (directives) {
  return directives.scriptSrc.indexOf('\'unsafe-inline\'') !== -1
}

function addInlineScriptExceptions (directives) {
  directives.scriptSrc.push(getCspNonce)
  // TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html
  // Any more clean solution appreciated.
  directives.scriptSrc.push('\'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM=\'')
}

function getCspNonce (req, res) {
  return "'nonce-" + res.locals.nonce + "'"
}

function addUpgradeUnsafeRequestsOptionTo (directives) {
  if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
    directives.upgradeInsecureRequests = []
  } else if (config.csp.upgradeInsecureRequests === true) {
    directives.upgradeInsecureRequests = []
  }
}

function addReportURI (directives) {
  if (config.csp.reportURI) {
    directives.reportUri = config.csp.reportURI
  }
}

CspStrategy.addNonceToLocals = function (req, res, next) {
  res.locals.nonce = uuidv4()
  next()
}

module.exports = CspStrategy
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const config = require('./config')`
Use new uuid export Signed-off-by: David Mehren <git@herrmehren.de> 2021-02-16 16:21:13 -05:00			`const { v4: uuidv4 } = require('uuid')`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const CspStrategy = {}`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const defaultDirectives = {`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`defaultSrc: ['\'self\''],`
Remove unsafe-eval from default CSP As script-loader was removed in the previous commits, we can finally tighten up security. Signed-off-by: David Mehren <git@herrmehren.de> 2021-06-06 12:25:55 -04:00			`scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net'],`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`imgSrc: ['*'],`
Fix broken Gist embedding Looks like GitHub changed their asset system and our CSP prevented them from getting loaded. This patch should fix the Gist embedding with enabled CSP by replacing the old URL `https://assets-cdn.github.com` with the new `https://github.githubassets.com`. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-12-20 16:38:31 -05:00			`styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views`
Add `data:` URL to CSP and upgrade helmet Seems like the old version of helmet had a problem with `data:`. This patch upgrades to the latest version and adds the CSP rule to allow Google Fonts and the offline version of it, to properly include the fonts and no longer throw ugly error messages at us. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-10-03 21:02:55 -04:00			`fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/`
Allow embedding of video and audio tags Adding mediaSrc to CSP so video and audio files can be embedded without problems. From a security perspective it should be fine to load audio and video data without introducing a high security issue. Only from a privacy perspective it allows another way to track users if there are data embedded. But it doesn't introduce any new attack vector as pictures are also allowed from everywhere. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-25 14:50:30 -04:00			`mediaSrc: ['*'],`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`childSrc: ['*'],`
			`connectSrc: ['*']`
			`}`

Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const cdnDirectives = {`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],`
			`styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'],`
			`fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']`
			`}`

Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const disqusDirectives = {`
Fix disqus CSP Disqus loads it's embed config.js from its root domain (https://disqus.com). Our CSPs only allow subdomains (e.g.: https://codimd.disqus.com). This causes the disqus embedding to fail. This patch should fix this problem by adding https://disqus.com to the CSP setting. From a security perspective there is no real change. Since still the same parties are involved. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-12-05 07:14:34 -05:00			`scriptSrc: ['https://disqus.com', 'https://.disqus.com', 'https://.disquscdn.com'],`
Fix CSP for disqus and Google Analytics This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-30 10:33:32 -04:00			`styleSrc: ['https://*.disquscdn.com'],`
			`fontSrc: ['https://*.disquscdn.com']`
			`}`

Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const googleAnalyticsDirectives = {`
Fix CSP for disqus and Google Analytics This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-30 10:33:32 -04:00			`scriptSrc: ['https://www.google-analytics.com']`
			`}`

Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const dropboxDirectives = {`
Add missing unsafe-inline CSP directive Dropbox loads an external script that adds inline javascript. Therefore, this addition is needed when enabling dropbox support. Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2020-08-22 19:29:53 -04:00			`scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']`
Add dropbox CSP directive if configured and make button clickable The lack of a 'preventDefault' on the click event handler resulted in the dropbox link being unclickable. Furthermore because of a missing CSP rule, the dropbox script couldn't be loaded. The dropbox origin is now added to the CSP script sources if dropbox integration is configured. Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2020-08-22 19:11:31 -04:00			`}`

Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`CspStrategy.computeDirectives = function () {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const directives = {}`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`mergeDirectives(directives, config.csp.directives)`
			`mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)`
Change config to camel case with backwards compatibility This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it better understandable. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-07 09:17:35 -05:00			`mergeDirectivesIf(config.useCDN, directives, cdnDirectives)`
Fix CSP for disqus and Google Analytics This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-30 10:33:32 -04:00			`mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)`
			`mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)`
Add dropbox CSP directive if configured and make button clickable The lack of a 'preventDefault' on the click event handler resulted in the dropbox link being unclickable. Furthermore because of a missing CSP rule, the dropbox script couldn't be loaded. The dropbox origin is now added to the CSP script sources if dropbox integration is configured. Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2020-08-22 19:11:31 -04:00			`mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`if (!areAllInlineScriptsAllowed(directives)) {`
			`addInlineScriptExceptions(directives)`
			`}`
			`addUpgradeUnsafeRequestsOptionTo(directives)`
Add config option for report URI in CSP This option is needed as it's currently not possible to add an report URI by the directives array. This option also allows to get CSP reports not only on docker based setup but also on our heroku instances. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-10 08:34:14 -05:00			`addReportURI(directives)`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`return directives`
			`}`

			`function mergeDirectives (existingDirectives, newDirectives) {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`for (const propertyName in newDirectives) {`
			`const newDirective = newDirectives[propertyName]`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`if (newDirective) {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const existingDirective = existingDirectives[propertyName] \|\| []`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`existingDirectives[propertyName] = existingDirective.concat(newDirective)`
			`}`
			`}`
			`}`

			`function mergeDirectivesIf (condition, existingDirectives, newDirectives) {`
			`if (condition) {`
			`mergeDirectives(existingDirectives, newDirectives)`
			`}`
			`}`

			`function areAllInlineScriptsAllowed (directives) {`
			`return directives.scriptSrc.indexOf('\'unsafe-inline\'') !== -1`
			`}`

			`function addInlineScriptExceptions (directives) {`
			`directives.scriptSrc.push(getCspNonce)`
			`// TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html`
			`// Any more clean solution appreciated.`
Update RevealJS to version 3.9.2 This update of revealJS helps us to get rid of the headjs depedency integration using webpack. It updates reveal.js to 3.9.2 and updates the csp hash accordingly for using the slide mode. Background for this update is the critical security vulnerability described by snyk in their disclosure: https://snyk.io/vuln/SNYK-JS-REVEALJS-543841 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2020-02-01 06:50:07 -05:00			`directives.scriptSrc.push('\'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM=\'')`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`}`

			`function getCspNonce (req, res) {`
			`return "'nonce-" + res.locals.nonce + "'"`
			`}`

			`function addUpgradeUnsafeRequestsOptionTo (directives) {`
Change config to camel case with backwards compatibility This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it better understandable. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-07 09:17:35 -05:00			`if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {`
Fix upgradeInsecureRequests CSP directive The `upgradeInsecureRequests` option of Helmets CSP middleware was a boolean in Helmet 3, but with Helmet 4, everything changed to lists. This commit adjusts the addUpgradeUnsafeRequestsOptionTo function accordingly. Closes #1221 See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy Signed-off-by: David Mehren <git@herrmehren.de> 2021-05-04 05:10:53 -04:00			`directives.upgradeInsecureRequests = []`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`} else if (config.csp.upgradeInsecureRequests === true) {`
Fix upgradeInsecureRequests CSP directive The `upgradeInsecureRequests` option of Helmets CSP middleware was a boolean in Helmet 3, but with Helmet 4, everything changed to lists. This commit adjusts the addUpgradeUnsafeRequestsOptionTo function accordingly. Closes #1221 See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy Signed-off-by: David Mehren <git@herrmehren.de> 2021-05-04 05:10:53 -04:00			`directives.upgradeInsecureRequests = []`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`}`
			`}`

Add config option for report URI in CSP This option is needed as it's currently not possible to add an report URI by the directives array. This option also allows to get CSP reports not only on docker based setup but also on our heroku instances. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-10 08:34:14 -05:00			`function addReportURI (directives) {`
			`if (config.csp.reportURI) {`
			`directives.reportUri = config.csp.reportURI`
			`}`
			`}`

Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`CspStrategy.addNonceToLocals = function (req, res, next) {`
Use new uuid export Signed-off-by: David Mehren <git@herrmehren.de> 2021-02-16 16:21:13 -05:00			`res.locals.nonce = uuidv4()`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`next()`
			`}`

			`module.exports = CspStrategy`