hedgedoc/lib/csp.ts

import { config } from './config'
import { IHelmetContentSecurityPolicyDirectives } from 'helmet'
import uuid from 'uuid'
import { NextFunction, Request, Response } from 'express'

type CSPDirectives = IHelmetContentSecurityPolicyDirectives

const defaultDirectives = {
  defaultSrc: ['\'self\''],
  scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''],
  // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594
  imgSrc: ['*'],
  styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
  fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],
  objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
  mediaSrc: ['*'],
  childSrc: ['*'],
  connectSrc: ['*']
}

const cdnDirectives = {
  scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
  styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'],
  fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']
}

const disqusDirectives = {
  scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'],
  styleSrc: ['https://*.disquscdn.com'],
  fontSrc: ['https://*.disquscdn.com']
}

const googleAnalyticsDirectives = {
  scriptSrc: ['https://www.google-analytics.com']
}

function mergeDirectives (existingDirectives: CSPDirectives, newDirectives: CSPDirectives): void {
  for (const propertyName in newDirectives) {
    const newDirective = newDirectives[propertyName]
    if (newDirective) {
      const existingDirective = existingDirectives[propertyName] || []
      existingDirectives[propertyName] = existingDirective.concat(newDirective)
    }
  }
}

function mergeDirectivesIf (condition: boolean, existingDirectives: CSPDirectives, newDirectives: CSPDirectives): void {
  if (condition) {
    mergeDirectives(existingDirectives, newDirectives)
  }
}

function areAllInlineScriptsAllowed (directives: CSPDirectives): boolean {
  if (directives.scriptSrc) {
    return directives.scriptSrc.includes('\'unsafe-inline\'')
  }
  return false
}

function getCspNonce (req: Request, res: Response): string {
  return "'nonce-" + res.locals.nonce + "'"
}

function addInlineScriptExceptions (directives: CSPDirectives): void {
  if (!directives.scriptSrc) {
    directives.scriptSrc = []
  }
  directives.scriptSrc.push(getCspNonce)
  // TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html
  // Any more clean solution appreciated.
  directives.scriptSrc.push('\'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM=\'')
}

function addUpgradeUnsafeRequestsOptionTo (directives: CSPDirectives): void {
  if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
    directives.upgradeInsecureRequests = true
  } else if (config.csp.upgradeInsecureRequests === true) {
    directives.upgradeInsecureRequests = true
  }
}

function addReportURI (directives): void {
  if (config.csp.reportURI) {
    directives.reportUri = config.csp.reportURI
  }
}

export function addNonceToLocals (req: Request, res: Response, next: NextFunction): void {
  res.locals.nonce = uuid.v4()
  next()
}

export function computeDirectives (): CSPDirectives {
  const directives: CSPDirectives = {}
  mergeDirectives(directives, config.csp.directives)
  mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)
  mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
  mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
  mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
  if (!areAllInlineScriptsAllowed(directives)) {
    addInlineScriptExceptions(directives)
  }
  addUpgradeUnsafeRequestsOptionTo(directives)
  addReportURI(directives)
  return directives
}
Use import syntax for logger and config Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 07:11:06 -04:00			`import { config } from './config'`
Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`import { IHelmetContentSecurityPolicyDirectives } from 'helmet'`
			`import uuid from 'uuid'`
			`import { NextFunction, Request, Response } from 'express'`
Use import syntax for logger and config Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 07:11:06 -04:00
Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`type CSPDirectives = IHelmetContentSecurityPolicyDirectives`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00
Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`const defaultDirectives = {`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`defaultSrc: ['\'self\''],`
Fix CSP for disqus and Google Analytics This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-30 10:33:32 -04:00			`scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''],`
Final replacements Looks like I missed a few. This should be complete now. And make us ready for the repo rename and merging. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-06-24 08:13:38 -04:00			`// ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`imgSrc: ['*'],`
Fix broken Gist embedding Looks like GitHub changed their asset system and our CSP prevented them from getting loaded. This patch should fix the Gist embedding with enabled CSP by replacing the old URL `https://assets-cdn.github.com` with the new `https://github.githubassets.com`. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-12-20 16:38:31 -05:00			`styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views`
Add `data:` URL to CSP and upgrade helmet Seems like the old version of helmet had a problem with `data:`. This patch upgrades to the latest version and adds the CSP rule to allow Google Fonts and the offline version of it, to properly include the fonts and no longer throw ugly error messages at us. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-10-03 21:02:55 -04:00			`fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/`
Allow embedding of video and audio tags Adding mediaSrc to CSP so video and audio files can be embedded without problems. From a security perspective it should be fine to load audio and video data without introducing a high security issue. Only from a privacy perspective it allows another way to track users if there are data embedded. But it doesn't introduce any new attack vector as pictures are also allowed from everywhere. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-25 14:50:30 -04:00			`mediaSrc: ['*'],`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`childSrc: ['*'],`
			`connectSrc: ['*']`
			`}`

Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`const cdnDirectives = {`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],`
			`styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'],`
			`fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']`
			`}`

Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`const disqusDirectives = {`
Fix disqus CSP Disqus loads it's embed config.js from its root domain (https://disqus.com). Our CSPs only allow subdomains (e.g.: https://codimd.disqus.com). This causes the disqus embedding to fail. This patch should fix this problem by adding https://disqus.com to the CSP setting. From a security perspective there is no real change. Since still the same parties are involved. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-12-05 07:14:34 -05:00			`scriptSrc: ['https://disqus.com', 'https://.disqus.com', 'https://.disquscdn.com'],`
Fix CSP for disqus and Google Analytics This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-30 10:33:32 -04:00			`styleSrc: ['https://*.disquscdn.com'],`
			`fontSrc: ['https://*.disquscdn.com']`
			`}`

Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`const googleAnalyticsDirectives = {`
Fix CSP for disqus and Google Analytics This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-30 10:33:32 -04:00			`scriptSrc: ['https://www.google-analytics.com']`
			`}`

Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`function mergeDirectives (existingDirectives: CSPDirectives, newDirectives: CSPDirectives): void {`
			`for (const propertyName in newDirectives) {`
			`const newDirective = newDirectives[propertyName]`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`if (newDirective) {`
Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`const existingDirective = existingDirectives[propertyName] \|\| []`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`existingDirectives[propertyName] = existingDirective.concat(newDirective)`
			`}`
			`}`
			`}`

Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`function mergeDirectivesIf (condition: boolean, existingDirectives: CSPDirectives, newDirectives: CSPDirectives): void {`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`if (condition) {`
			`mergeDirectives(existingDirectives, newDirectives)`
			`}`
			`}`

Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`function areAllInlineScriptsAllowed (directives: CSPDirectives): boolean {`
			`if (directives.scriptSrc) {`
			`return directives.scriptSrc.includes('\'unsafe-inline\'')`
			`}`
			`return false`
			`}`

			`function getCspNonce (req: Request, res: Response): string {`
			`return "'nonce-" + res.locals.nonce + "'"`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`}`

Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`function addInlineScriptExceptions (directives: CSPDirectives): void {`
			`if (!directives.scriptSrc) {`
			`directives.scriptSrc = []`
			`}`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`directives.scriptSrc.push(getCspNonce)`
			`// TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html`
			`// Any more clean solution appreciated.`
Update RevealJS to version 3.9.2 This update of revealJS helps us to get rid of the headjs depedency integration using webpack. It updates reveal.js to 3.9.2 and updates the csp hash accordingly for using the slide mode. Background for this update is the critical security vulnerability described by snyk in their disclosure: https://snyk.io/vuln/SNYK-JS-REVEALJS-543841 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2020-02-01 06:50:07 -05:00			`directives.scriptSrc.push('\'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM=\'')`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`}`

Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`function addUpgradeUnsafeRequestsOptionTo (directives: CSPDirectives): void {`
Change config to camel case with backwards compatibility This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it better understandable. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-07 09:17:35 -05:00			`if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`directives.upgradeInsecureRequests = true`
			`} else if (config.csp.upgradeInsecureRequests === true) {`
			`directives.upgradeInsecureRequests = true`
			`}`
			`}`

Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`function addReportURI (directives): void {`
Add config option for report URI in CSP This option is needed as it's currently not possible to add an report URI by the directives array. This option also allows to get CSP reports not only on docker based setup but also on our heroku instances. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-10 08:34:14 -05:00			`if (config.csp.reportURI) {`
			`directives.reportUri = config.csp.reportURI`
			`}`
			`}`

Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`export function addNonceToLocals (req: Request, res: Response, next: NextFunction): void {`
Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place 2017-10-21 19:22:48 -04:00			`res.locals.nonce = uuid.v4()`
			`next()`
			`}`

Added Types for csp.ts Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-12 13:07:26 -04:00			`export function computeDirectives (): CSPDirectives {`
			`const directives: CSPDirectives = {}`
			`mergeDirectives(directives, config.csp.directives)`
			`mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)`
			`mergeDirectivesIf(config.useCDN, directives, cdnDirectives)`
			`mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)`
			`mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)`
			`if (!areAllInlineScriptsAllowed(directives)) {`
			`addInlineScriptExceptions(directives)`
			`}`
			`addUpgradeUnsafeRequestsOptionTo(directives)`
			`addReportURI(directives)`
			`return directives`
			`}`