
Csp updates #15003

Merged
merged 11 commits into from
Nov 15, 2024

Conversation

shogunpurple
Member

@shogunpurple shogunpurple commented Nov 10, 2024

Description

This PR contains code that moves the management of our Content-Security-Policy to our node backend, rather than managing it through NGINX. This was a security requirement for an enterprise customer, and in order to remove the unsafe-inline rule from our CSP, which allows any kind of inline script, we need to dynamically generate a hash (or nonce) and have that returned dynamically in the CSP header, as well as injected into any script tags that Budibase needs to run. Doing this has the added benefit of allowing people to control and switch off CSP altogether with an environment variable - DISABLE_CONTENT_SECURITY_POLICY. Today, users do this by bind mounting the NGINX config and disabling it directly there, which means that they have effectively "ejected" their NGINX config, and if we update it they won't get the update in later versions of our proxy-service - causing reverse proxy issues in some cases.

It also turns the CSP on in dev. I think this is valuable, as it means we can catch CSP issues before pushing to QA or even prod. If there are any dev-specific CSP exceptions that need to be made, we can do it in the CSP middleware rather than turning it off altogether.

Testing

  • Test backwards compatibility with old NGINX configuration
  • Test that embeds and plugins still work as expected
  • Potentially add another env var (on by default) that allows people to keep the unsafe-inline rule, to ease migration, as this is technically a change for one customer therefore the exception rather than the rule

Addresses

Launchcontrol

Move Content-Security-Policy management into the node app code, rather than hardcoding it in NGINX. New DISABLE_CONTENT_SECURITY_POLICY env var to allow people to switch it off without editing NGINX config

@shogunpurple shogunpurple requested a review from a team as a code owner November 10, 2024 13:27
@shogunpurple shogunpurple requested review from mike12345567 and removed request for a team November 10, 2024 13:27

qa-wolf bot commented Nov 10, 2024

QA Wolf here! As you write new code it's important that your test coverage is keeping up.
Click here to request test coverage for this PR!

Collaborator

@mike12345567 mike12345567 left a comment


LGTM! One minor comment about environment files - that's it!

@shogunpurple shogunpurple force-pushed the csp-updates branch 2 times, most recently from f973a41 to ab4969b November 15, 2024 16:14
@shogunpurple shogunpurple merged commit 2f6556a into master Nov 15, 2024
11 checks passed
@shogunpurple shogunpurple deleted the csp-updates branch November 15, 2024 16:36
@github-actions github-actions bot locked and limited conversation to collaborators Nov 15, 2024