From dcd6bd347f8544ae13f424b5d358b3712cccbf7d Mon Sep 17 00:00:00 2001
From: Alf Eaton <75253002+aeaton-overleaf@users.noreply.github.com>
Date: Fri, 16 Apr 2021 10:38:12 +0100
Subject: [PATCH] Use the full (relative) view path for CSP exclusion (#3916)
GitOrigin-RevId: f6828a447abcc550f0c7dfd0fc6fc72f4b5b1f7e
---
 services/web/app/src/infrastructure/CSP.js | 13 +++++++++++--
 services/web/config/settings.defaults.coffee | 5 ++++-
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/services/web/app/src/infrastructure/CSP.js b/services/web/app/src/infrastructure/CSP.js
index 8697e991f2..3354deee67 100644
--- a/services/web/app/src/infrastructure/CSP.js
+++ b/services/web/app/src/infrastructure/CSP.js
@@ -1,4 +1,5 @@
 const crypto = require('crypto')
+const path = require('path')
 module.exports = function ({
 reportUri,
@@ -10,8 +11,7 @@ module.exports = function ({
 const originalRender = res.render
 res.render = (...args) => {
- // use the view path after removing any prefix up to a "views" folder
- const view = args[0].split('/views/').pop()
+ const view = relativeViewPath(args[0])
 // enable the CSP header for a percentage of requests
 const belowCutoff = Math.random() * 100 <= percentage
@@ -51,3 +51,12 @@ module.exports = function ({
 next()
 }
 }
+
+const webRoot = path.resolve(__dirname, '..', '..', '..')
+
+// build the view path relative to the web root
+function relativeViewPath(view) {
+ return path.isAbsolute(view)
+ ? path.relative(webRoot, view)
+ : path.join('app', 'views', view)
+}
diff --git a/services/web/config/settings.defaults.coffee b/services/web/config/settings.defaults.coffee
index 1c3bfb540a..ac40c0ad43 100644
--- a/services/web/config/settings.defaults.coffee
+++ b/services/web/config/settings.defaults.coffee
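Review bot: `relativeViewPath` in the third hunk returns a platform-separated path (`path.relative(webRoot, view)` and `path.join('app', 'views', view)` both use `path.sep`), so on Windows the result is `app\views\project\editor` and can never equal the forward-slash entries in `csp.exclude`; presumably those views would then receive the CSP header, the opposite of what the exclusion intends. Normalize before returning: `const rel = path.isAbsolute(view) ? path.relative(webRoot, view) : path.join('app', 'views', view)` followed by `return rel.split(path.sep).join('/')`. `path.relative` also keeps any file extension an absolute view path carries, so if the comparison against `exclude` (outside this hunk) is an exact string match, a caller passing `…/project/editor.pug` would not be excluded — a comment above the function such as `// Result must match csp.exclude entries exactly: forward slashes, relative to services/web, no extension.` would make that contract explicit. The `res.render` override touched in the second hunk starts and ends outside that hunk.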
@@ -735,5 +735,8 @@ module.exports = settings =
 enabled: process.env.CSP_ENABLED == 'true'
 reportOnly: process.env.CSP_REPORT_ONLY == 'true'
 reportUri: process.env.CSP_REPORT_URI
- exclude: ['project/editor', 'project/list']
+ exclude: [
+ 'app/views/project/editor',
+ 'app/views/project/list',
+ ]
 }
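Review bot: The new `exclude` entries now hard-code the `app/views` prefix that `relativeViewPath` in CSP.js prepends, so the two must be kept in step by hand and nothing in this file says so. A comment on the list would make the coupling visible, e.g. `# paths relative to services/web, as produced by relativeViewPath in app/src/infrastructure/CSP.js`. If, as the name suggests, these values are compared as strings with that function's output, the comment should also state that they must use forward slashes and carry no file extension.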