From ba183ce6543f102ae635502a0da0ac7c923cc97a Mon Sep 17 00:00:00 2001 From: Literallie Date: Wed, 18 Oct 2017 17:10:23 +0200 Subject: Add basic CSP support --- lib/config/default.js | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'lib') diff --git a/lib/config/default.js b/lib/config/default.js index f4c45e3d..e207dfc6 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -13,6 +13,16 @@ module.exports = { includeSubdomains: true, preload: true }, + csp: { + enable: true, + reportUri: '', + directives: { + defaultSrc: ["'self'"], + scriptSrc: ["'self'"], + styleSrc: ["'self'", "'unsafe-inline'"], + fontSrc: ["'self'"] + } + }, protocolusessl: false, usecdn: true, allowanonymous: true, -- cgit v1.2.3 From 5d2d3ec875310de07fe79ae605dfbc0f1df585c5 Mon Sep 17 00:00:00 2001 From: Literallie Date: Wed, 18 Oct 2017 17:45:57 +0200 Subject: CSP: Upgrade insecure requests if possible Config option; default is to only upgrade if usessl --- lib/config/default.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/config/default.js b/lib/config/default.js index e207dfc6..217d11d0 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -20,8 +20,9 @@ module.exports = { defaultSrc: ["'self'"], scriptSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"], - fontSrc: ["'self'"] - } + fontSrc: ["'self'"], + }, + upgradeInsecureRequests: 'auto' }, protocolusessl: false, usecdn: true, -- cgit v1.2.3 From 080436aebb4c4681f85cc8bf5d8563832ff8dbdd Mon Sep 17 00:00:00 2001 From: Literallie Date: Wed, 18 Oct 2017 17:48:53 +0200 Subject: CSP: Add nonce to slide view inline JS --- lib/response.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/response.js b/lib/response.js index a22d1e70..287d53e0 100755 --- a/lib/response.js +++ b/lib/response.js @@ -584,7 +584,8 @@ function showPublishSlide (req, res, next) { lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null, robots: meta.robots || false, // default allow robots GA: meta.GA, - disqus: meta.disqus + disqus: meta.disqus, + cspNonce: res.locals.nonce } return renderPublishSlide(data, res) }).catch(function (err) { -- cgit v1.2.3 From 0cbdc852cb29bfcadf1229899938c757b03f5ed6 Mon Sep 17 00:00:00 2001 From: Literallie Date: Wed, 18 Oct 2017 22:44:16 +0200 Subject: CSP: Allow more content types --- lib/config/default.js | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/config/default.js b/lib/config/default.js index 217d11d0..0b6ca26a 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -18,9 +18,13 @@ module.exports = { reportUri: '', directives: { defaultSrc: ["'self'"], - scriptSrc: ["'self'"], - styleSrc: ["'self'", "'unsafe-inline'"], - fontSrc: ["'self'"], + scriptSrc: ["'self'", "'unsafe-eval'", "vimeo.com", "https://gist.github.com", "www.slideshare.net", "https://query.yahooapis.com", "https://*.disqus.com"], + imgSrc: ["*"], + styleSrc: ["'self'", "'unsafe-inline'", "https://assets-cdn.github.com"], + fontSrc: ["'self'", "https://public.slidesharecdn.com"], + objectSrc: ["*"], + childSrc: ["*"], + connectSrc: ["'self'", "https://links.services.disqus.com", "wss://realtime.services.disqus.com"] }, upgradeInsecureRequests: 'auto' }, -- cgit v1.2.3 From 91101c856c3efac53e8a4db4cc537b77370aa7df Mon Sep 17 00:00:00 2001 From: Literallie Date: Fri, 20 Oct 2017 12:31:16 +0200 Subject: Change CSP config format to be more intuitive --- lib/config/default.js | 10 +--------- lib/config/environment.js | 3 +++ 2 files changed, 4 insertions(+), 9 deletions(-) (limited to 'lib') diff --git a/lib/config/default.js b/lib/config/default.js index 0b6ca26a..cfde9ae9 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -15,17 +15,9 @@ module.exports = { }, csp: { enable: true, - reportUri: '', directives: { - defaultSrc: ["'self'"], - scriptSrc: ["'self'", "'unsafe-eval'", "vimeo.com", "https://gist.github.com", "www.slideshare.net", "https://query.yahooapis.com", "https://*.disqus.com"], - imgSrc: ["*"], - styleSrc: ["'self'", "'unsafe-inline'", "https://assets-cdn.github.com"], - fontSrc: ["'self'", "https://public.slidesharecdn.com"], - objectSrc: ["*"], - childSrc: ["*"], - connectSrc: ["'self'", "https://links.services.disqus.com", "wss://realtime.services.disqus.com"] }, + addDefaults: true, upgradeInsecureRequests: 'auto' }, protocolusessl: false, diff --git a/lib/config/environment.js b/lib/config/environment.js index 40b7e09f..fa9698f6 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -14,6 +14,9 @@ module.exports = { includeSubdomains: toBooleanConfig(process.env.HMD_HSTS_INCLUDE_SUBDOMAINS), preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD) }, + csp: { + enable: toBooleanConfig(process.env.HMD_CSP_ENABLE) + }, protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL), alloworigin: process.env.HMD_ALLOW_ORIGIN ? process.env.HMD_ALLOW_ORIGIN.split(',') : undefined, usecdn: toBooleanConfig(process.env.HMD_USECDN), -- cgit v1.2.3 From 04f5e3a3414abbb76841df8375598fb690323f11 Mon Sep 17 00:00:00 2001 From: Literallie Date: Sun, 22 Oct 2017 01:22:48 +0200 Subject: Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place --- lib/csp.js | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 lib/csp.js (limited to 'lib') diff --git a/lib/csp.js b/lib/csp.js new file mode 100644 index 00000000..509bc530 --- /dev/null +++ b/lib/csp.js @@ -0,0 +1,80 @@ +var config = require('./config') +var uuid = require('uuid') + +var CspStrategy = {} + +var defaultDirectives = { + defaultSrc: ['\'self\''], + scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', 'https://*.disqus.com', '\'unsafe-eval\''], + // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/hackmd/issues/594 + imgSrc: ['*'], + styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views + fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'], + objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/ + childSrc: ['*'], + connectSrc: ['*'] +} + +var cdnDirectives = { + scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'], + styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'], + fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com'] +} + +CspStrategy.computeDirectives = function () { + var directives = {} + mergeDirectives(directives, config.csp.directives) + mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives) + mergeDirectivesIf(config.usecdn, directives, cdnDirectives) + if (!areAllInlineScriptsAllowed(directives)) { + addInlineScriptExceptions(directives) + } + addUpgradeUnsafeRequestsOptionTo(directives) + return directives +} + +function mergeDirectives (existingDirectives, newDirectives) { + for (var propertyName in newDirectives) { + var newDirective = newDirectives[propertyName] + if (newDirective) { + var existingDirective = existingDirectives[propertyName] || [] + existingDirectives[propertyName] = existingDirective.concat(newDirective) + } + } +} + +function mergeDirectivesIf (condition, existingDirectives, newDirectives) { + if (condition) { + mergeDirectives(existingDirectives, newDirectives) + } +} + +function areAllInlineScriptsAllowed (directives) { + return directives.scriptSrc.indexOf('\'unsafe-inline\'') !== -1 +} + +function addInlineScriptExceptions (directives) { + directives.scriptSrc.push(getCspNonce) + // TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html + // Any more clean solution appreciated. + directives.scriptSrc.push('\'sha256-EtvSSxRwce5cLeFBZbvZvDrTiRoyoXbWWwvEVciM5Ag=\'') +} + +function getCspNonce (req, res) { + return "'nonce-" + res.locals.nonce + "'" +} + +function addUpgradeUnsafeRequestsOptionTo (directives) { + if (config.csp.upgradeInsecureRequests === 'auto' && config.usessl) { + directives.upgradeInsecureRequests = true + } else if (config.csp.upgradeInsecureRequests === true) { + directives.upgradeInsecureRequests = true + } +} + +CspStrategy.addNonceToLocals = function (req, res, next) { + res.locals.nonce = uuid.v4() + next() +} + +module.exports = CspStrategy -- cgit v1.2.3