From a7152903aa0ddd812e10b7dfa9ec091ae9c19d5e Mon Sep 17 00:00:00 2001
From: mingan <11653241+mingan666@users.noreply.github.com>
Date: Sat, 17 Jun 2023 22:21:35 +0200
Subject: [PATCH 1/6] Add csp rules for api
---
 config/secure-headers.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/config/secure-headers.php b/config/secure-headers.php
index c1e50b8b010..d6989de9332 100644
--- a/config/secure-headers.php
+++ b/config/secure-headers.php
@@ -469,7 +469,10 @@
 'report-sample' => true, 'allow' => array_merge(
- ['https://www.dropbox.com/static/api/1/dropins.js'],
+ [
+ 'https://www.dropbox.com/static/api/1/dropins.js',
+ 'https://unpkg.com/@stoplight/elements/web-components.min.js',
+ ],
 explode(",", env('SECURITY_HEADER_SCRIPT_SRC_ALLOW', '')) ),
@@ -558,6 +561,10 @@
 'style-src' => [ 'self' => true, 'unsafe-inline' => true, // We need this one due to direct styles (not just style classes) applied by JavaScript
+ 'allow' => [
+ 'https://unpkg.com/@stoplight/elements/styles.min.css',
+ // 'url',
+ ],
 ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr
From 27b2c84694db7c83fb4e7b66f1d216bfadc7ef82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20Viguier?=
Date: Sat, 17 Jun 2023 23:13:42 +0200
Subject: [PATCH 2/6] Update config/secure-headers.php
Co-authored-by: Martin Stone <1611702+d7415@users.noreply.github.com>
---
 config/secure-headers.php | 1 -
 1 file changed, 1 deletion(-)
diff --git a/config/secure-headers.php b/config/secure-headers.php
index d6989de9332..2d45d60d482 100644
--- a/config/secure-headers.php
+++ b/config/secure-headers.php
@@ -563,7 +563,6 @@
 'unsafe-inline' => true, // We need this one due to direct styles (not just style classes) applied by JavaScript 'allow' => [ 'https://unpkg.com/@stoplight/elements/styles.min.css',
- // 'url',
 ], ],
From 84603f0f2a4fa3c847fe1fddf2e3020385b96d24 Mon Sep 17 00:00:00 2001
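Review bot: The new script-src allow entry `'https://unpkg.com/@stoplight/elements/web-components.min.js'` is an unversioned unpkg path, so it resolves to whatever the latest published release of that package is and the policy will keep trusting every future release without any change on this side. Pin the version in the path (`https://unpkg.com/@stoplight/elements@<VERSION>/web-components.min.js`, with the same pinned URL in the page's script tag) and pair the tag with an `integrity` attribute so a changed artifact is rejected instead of executed. The style-src entry added in the second hunk of this patch has the same issue and should be pinned the same way. Both `'script-src'` and `'style-src'` arrays start before their hunks.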
From: ildyria
Date: Tue, 20 Jun 2023 18:19:35 +0200
Subject: [PATCH 3/6] disable csp when query for docs/api
---
 app/Providers/AppServiceProvider.php | 12 ++++++++++++
 config/secure-headers.php | 14 ++++----------
 2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index fe8b1b6ce74..fe33d5c33da 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -110,6 +110,8 @@ public function boot()
 // filter for the same name anew will fail. }
+ $this->disableCSP();
+
 /** * Set up the Authorization layer for accessing Logs in LogViewer. */
@@ -154,4 +156,14 @@ public function register()
 SizeVariantDefaultFactory::class ); }
+
+ /**
+ * Consider making this a config parameter later.
+ */
+ private function disableCSP()
+ {
+ if (request()->getRequestUri() === '/docs/api') {
+ config(['secure-headers.csp.enable' => false]);
+ }
+ }
 }
diff --git a/config/secure-headers.php b/config/secure-headers.php
index 2d45d60d482..a1b157d00e6 100644
--- a/config/secure-headers.php
+++ b/config/secure-headers.php
@@ -317,7 +317,7 @@
 * There is no easy way to use CSP with debug bar at the moment, so we disable CSP if debug bar is enabled. */ 'csp' => [
- 'enable' => ((bool) env('DEBUGBAR_ENABLED', false)) === false,
+ 'enable' => true, // ((bool) env('DEBUGBAR_ENABLED', false)) === false,
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only 'report-only' => false,
@@ -347,7 +347,7 @@
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src 'connect-src' => array_merge( ['https://lycheeorg.github.io/update.json'],
- explode(",", env('SECURITY_HEADER_CSP_CONNECT_SRC', ''))
+ explode(',', env('SECURITY_HEADER_CSP_CONNECT_SRC', ''))
 ), // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
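Review bot: `'enable' => true, // ((bool) env('DEBUGBAR_ENABLED', false)) === false,` keeps the old expression as a dead trailing comment while the docblock just above `'csp'` still says CSP is disabled when the debug bar is enabled, so the file now says two different things; drop the commented code and reword that docblock (or keep the env coupling). In the AppServiceProvider hunk, `disableCSP()` evaluates `request()->getRequestUri()` inside `boot()`, i.e. once at container boot for every entry point including console commands where there is no real request; `getRequestUri()` also includes the query string, so `/docs/api?x=1` keeps CSP on, which is fail-closed but worth a one-line comment such as `// exact match on purpose: any query string or sub-path keeps the full policy`. `boot()`, `register()` and the `'csp'` array all continue outside these hunks.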
@@ -469,11 +469,8 @@
 'report-sample' => true, 'allow' => array_merge(
- [
- 'https://www.dropbox.com/static/api/1/dropins.js',
- 'https://unpkg.com/@stoplight/elements/web-components.min.js',
- ],
- explode(",", env('SECURITY_HEADER_SCRIPT_SRC_ALLOW', ''))
+ ['https://www.dropbox.com/static/api/1/dropins.js'],
+ explode(',', env('SECURITY_HEADER_SCRIPT_SRC_ALLOW', ''))
 ), 'schemes' => [
@@ -561,9 +558,6 @@
 'style-src' => [ 'self' => true, 'unsafe-inline' => true, // We need this one due to direct styles (not just style classes) applied by JavaScript
- 'allow' => [
- 'https://unpkg.com/@stoplight/elements/styles.min.css',
- ],
 ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr
From 4846aae3f14a66b608adc8c88e1ca576fc433a5b Mon Sep 17 00:00:00 2001
From: ildyria
Date: Tue, 20 Jun 2023 18:21:32 +0200
Subject: [PATCH 4/6] more documentation
---
 app/Providers/AppServiceProvider.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index fe33d5c33da..f282140663a 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -159,6 +159,7 @@ public function register()
 /** * Consider making this a config parameter later.
+ * Consider integrating this into a middleware.
 */ private function disableCSP() {
From eadde180fb835684644a67bdf035853365f54c85 Mon Sep 17 00:00:00 2001
From: ildyria
Date: Tue, 20 Jun 2023 19:02:13 +0200
Subject: [PATCH 5/6] fix phpstan
---
 app/Providers/AppServiceProvider.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index f282140663a..d624faee68b 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -161,7 +161,7 @@ public function register()
 * Consider making this a config parameter later. * Consider integrating this into a middleware. */
- private function disableCSP()
+ private function disableCSP(): void
 { if (request()->getRequestUri() === '/docs/api') { config(['secure-headers.csp.enable' => false]);
From 70ac81275f702088e3214c48c24ae60cf8b84a6c Mon Sep 17 00:00:00 2001
From: ildyria
Date: Wed, 21 Jun 2023 09:29:12 +0200
Subject: [PATCH 6/6] better implementation of csp modification
---
 app/Http/Kernel.php | 2 ++
 app/Http/Middleware/DisableCSP.php | 49 ++++++++++++++++++++++++++++
 app/Providers/AppServiceProvider.php | 21 ------------
 config/secure-headers.php | 2 +-
 4 files changed, 52 insertions(+), 22 deletions(-)
 create mode 100644 app/Http/Middleware/DisableCSP.php
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index a1cb91d52e0..cd7300f5d39 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -42,6 +42,7 @@ class Kernel extends HttpKernel
 \Illuminate\View\Middleware\ShareErrorsFromSession::class, \App\Http\Middleware\VerifyCsrfToken::class, \Illuminate\Routing\Middleware\SubstituteBindings::class,
+ \App\Http\Middleware\DisableCSP::class,
 ], 'web-admin' => [
@@ -53,6 +54,7 @@ class Kernel extends HttpKernel
 \Illuminate\View\Middleware\ShareErrorsFromSession::class, \App\Http\Middleware\VerifyCsrfToken::class, \Illuminate\Routing\Middleware\SubstituteBindings::class,
+ \App\Http\Middleware\DisableCSP::class,
 ], 'web-install' => [
diff --git a/app/Http/Middleware/DisableCSP.php b/app/Http/Middleware/DisableCSP.php
new file mode 100644
index 00000000000..43763e2ac47
--- /dev/null
+++ b/app/Http/Middleware/DisableCSP.php
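Review bot: `\App\Http\Middleware\DisableCSP::class` is appended at the end of the `web` and `web-admin` groups, but whether the middleware that actually emits the Content-Security-Policy header reads `secure-headers.csp` after this group has run is not visible in the hunk; if that middleware captures its config before calling `$next`, the override is silently ignored and the docs page stays blocked. A feature test asserting the header is absent on `/docs/api` and present on another `web` route would pin that ordering regardless of how the outer middleware is registered. The `web-install` group visible below does not get the middleware; if that is intentional, a short comment at the first insertion saying so (and that it must run before the response headers are built) would save the next reader a search. The `$middlewareGroups` array starts and ends outside both hunks.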
@@ -0,0 +1,49 @@
+getRequestUri() === '/docs/api'
+ ) {
+ config(['secure-headers.csp.enable' => false]);
+ }
+
+ if ($request->getRequestUri() === '/' . config('log-viewer.route_path', 'Logs')) {
+ // We must disable unsafe-eval because vue3 used by log-viewer requires it.
+ // We must disable unsafe-inline (and hashes) because log-viewer uses inline script with parameter to boot.
+ // Those parameters are not know by Lychee if someone modifies the config.
+ // We only do that in that specific case. It is disabled by default otherwise.
+ config(['secure-headers.csp.script-src.unsafe-eval' => true]);
+ config(['secure-headers.csp.script-src.unsafe-inline' => true]);
+ config(['secure-headers.csp.script-src.hashes.sha256' => []]);
+ }
+
+ return $next($request);
+ }
+}
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index d624faee68b..ac20a61ac66 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
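Review bot: The first branch switches the whole policy off for `/docs/api` with `config(['secure-headers.csp.enable' => false])` where a route-scoped allow-list would do: patch 1 of this series showed the config already takes `script-src.allow` and `style-src.allow`, so the middleware could set `config(['secure-headers.csp.script-src.allow' => [/* pinned unpkg URL */]])` (and the style-src equivalent) and leave every other directive in force on that page. Both branches mutate process-wide config, which is per-request under PHP-FPM but would persist across requests if the app is ever served by a long-lived worker (Octane or similar), so a comment stating that assumption or a test pinning the header on the following request is warranted. The log-viewer branch matches only the exact path `'/' . config('log-viewer.route_path', 'Logs')`, whereas the code it replaces ran inside `LogViewer::auth` for every log-viewer request, and `getRequestUri()` includes the query string, so any sub-route or query-string request of log-viewer now gets the strict policy and may break — confirm that is intended. The head of the file (namespace, imports, class declaration and the `handle()` signature) is not visible in this hunk.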
@@ -110,20 +110,10 @@ public function boot()
 // filter for the same name anew will fail. }
- $this->disableCSP();
-
 /** * Set up the Authorization layer for accessing Logs in LogViewer. */ LogViewer::auth(function ($request) {
- // We must disable unsafe-eval because vue3 used by log-viewer requires it.
- // We must disable unsafe-inline (and hashes) because log-viewer uses inline script with parameter to boot.
- // Those parameters are not know by Lychee if someone modifies the config.
- // We only do that in that specific case. It is disabled by default otherwise.
- config(['secure-headers.csp.script-src.unsafe-eval' => true]);
- config(['secure-headers.csp.script-src.unsafe-inline' => true]);
- config(['secure-headers.csp.script-src.hashes.sha256' => []]);
-
 // Allow to bypass when debug is ON and when env is dev // At this point, it is no longer our fault if the Lychee admin have their logs publically accessible. if (config('app.debug', false) === true && config('app.env', 'production') === 'dev') {
@@ -156,15 +146,4 @@ public function register()
 SizeVariantDefaultFactory::class ); }
-
- /**
- * Consider making this a config parameter later.
- * Consider integrating this into a middleware.
- */
- private function disableCSP(): void
- {
- if (request()->getRequestUri() === '/docs/api') {
- config(['secure-headers.csp.enable' => false]);
- }
- }
 }
diff --git a/config/secure-headers.php b/config/secure-headers.php
index a1b157d00e6..32351f91e5c 100644
--- a/config/secure-headers.php
+++ b/config/secure-headers.php
@@ -317,7 +317,7 @@
 * There is no easy way to use CSP with debug bar at the moment, so we disable CSP if debug bar is enabled. */ 'csp' => [
- 'enable' => true, // ((bool) env('DEBUGBAR_ENABLED', false)) === false,
+ 'enable' => true,
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only 'report-only' => false,
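Review bot: In the config hunk, the docblock just above `'csp'` still says CSP is disabled when the debug bar is enabled, but `'enable'` is now an unconditional `true` and this hunk removes the last trace of the `DEBUGBAR_ENABLED` expression, so the comment describes behaviour the file no longer has. Replace that sentence with something like `* CSP is always on; per-route relaxations live in App\Http\Middleware\DisableCSP.` or restore the env-driven expression, so the next reader is not told to expect a toggle that does not exist. The docblock begins before the hunk and the `'csp'` array continues past it.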