From 0e84678150abe82503ba5253328e90ed3c21f682 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Fri, 3 Feb 2023 14:50:33 -0500
Subject: [PATCH] [PS-2416 and PS-2417] dont set CSP config value by default (#2667)
* dont set CSP config value by default
* space
---
 util/Setup/Configuration.cs | 8 +-------
 util/Setup/Context.cs | 15 +++++++++++++++
 util/Setup/NginxConfigBuilder.cs | 15 ++++++++++++++-
 3 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/util/Setup/Configuration.cs b/util/Setup/Configuration.cs
index bfe7b10d3..37afa09c3 100644
--- a/util/Setup/Configuration.cs
+++ b/util/Setup/Configuration.cs
@@ -76,13 +76,7 @@ public class Configuration
 [Description("Nginx Header Content-Security-Policy parameter\n" +
 "WARNING: Reconfiguring this parameter may break features. By changing this parameter\n" +
 "you become responsible for maintaining this value.")]
- public string NginxHeaderContentSecurityPolicy { get; set; } = "default-src 'self'; " +
- "script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; " +
- "img-src 'self' data: https://haveibeenpwned.com; " +
- "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
- "frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
- "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
- "https://api.2fa.directory; object-src 'self' blob:;";
+ public string NginxHeaderContentSecurityPolicy { get; set; }
 [Description("Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile\n" +
 "app live sync.")]
diff --git a/util/Setup/Context.cs b/util/Setup/Context.cs
index f82e5005c..c858cde04 100644
--- a/util/Setup/Context.cs
+++ b/util/Setup/Context.cs
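Review bot: The `[Description]` text kept above the now-uninitialized `NginxHeaderContentSecurityPolicy` property never says what an empty value means, yet after this hunk "empty" is exactly what selects the built-in policy, and that fallback lives in NginxConfigBuilder where an operator editing config.yml will not see it. I would append a sentence to the attribute such as `"Leave this value empty to use the built-in default policy; any explicit value is kept as-is and will not receive future default updates.\n"`. It would also help to state that the value is passed through string.Format, so `{0}` is replaced with the configured domain and literal braces must be doubled; I infer that contract from the Format call in NginxConfigBuilder rather than from this hunk.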
@@ -6,6 +6,14 @@ namespace Bit.Setup;
 public class Context
 {
 private const string ConfigPath = "/bitwarden/config.yml";
+ // This keeps track of the value of the CSP that was defined as of Jan 2023.
+ // Do not change this value.
+ private const string Jan2023ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
+ "'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com; " +
+ "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
+ "frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
+ "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
+ "https://api.2fa.directory; object-src 'self' blob:;";
 public string[] Args { get; set; }
 public bool Quiet { get; set; }
@@ -117,6 +125,13 @@ public class Context
 .WithNamingConvention(UnderscoredNamingConvention.Instance)
 .Build();
 Config = deserializer.Deserialize(configText);
+
+ // Fix old explicit config assignments of CSP which should be treated as a default value
+ if (Config.NginxHeaderContentSecurityPolicy == Jan2023ContentSecurityPolicy)
+ {
+ Config.NginxHeaderContentSecurityPolicy = null;
+ SaveConfiguration();
+ }
 }
 public void SaveConfiguration()
diff --git a/util/Setup/NginxConfigBuilder.cs b/util/Setup/NginxConfigBuilder.cs
index 420793cef..865b8bdd6 100644
--- a/util/Setup/NginxConfigBuilder.cs
+++ b/util/Setup/NginxConfigBuilder.cs
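Review bot: `Jan2023ContentSecurityPolicy` in the first hunk is not the same text as the default the Configuration.cs hunk removes — the removed default contains `script-src 'self' 'wasm-unsafe-eval';` and this constant does not — so a config.yml that was written by a build carrying that newer default fails the equality check in the second hunk and stays pinned to an explicit policy that will never follow future defaults. If any shipped release persisted that value, the migration should recognise it too, e.g. a second constant holding the removed text and `if (Config.NginxHeaderContentSecurityPolicy == Jan2023ContentSecurityPolicy || Config.NginxHeaderContentSecurityPolicy == <constant for the removed default>)`. The ordinal `==` also means a stored value that differs only by surrounding whitespace is not migrated; comparing `Config.NginxHeaderContentSecurityPolicy?.Trim()` would be more forgiving, assuming the YAML round trip can introduce such differences. The load method around the second hunk starts and ends outside it, and since the block rewrites config.yml without saying so, a console message noting that the stored policy was reset to the default would help operators who track changes to that file.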
@@ -4,6 +4,14 @@ public class NginxConfigBuilder
 {
 private const string ConfFile = "/bitwarden/nginx/default.conf";
+ private const string DefaultContentSecurityPolicy = "default-src 'self'; " +
+ "script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; " +
+ "img-src 'self' data: https://haveibeenpwned.com; " +
+ "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
+ "frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
+ "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
+ "https://api.2fa.directory; object-src 'self' blob:;";
+
 private readonly Context _context;
 public NginxConfigBuilder(Context context)
@@ -72,7 +80,12 @@ public class NginxConfigBuilder
 Domain = context.Config.Domain;
 Url = context.Config.Url;
 RealIps = context.Config.RealIps;
- ContentSecurityPolicy = string.Format(context.Config.NginxHeaderContentSecurityPolicy, Domain);
+ var csp = DefaultContentSecurityPolicy;
+ if (!string.IsNullOrWhiteSpace(context.Config.NginxHeaderContentSecurityPolicy))
+ {
+ csp = context.Config.NginxHeaderContentSecurityPolicy;
+ }
+ ContentSecurityPolicy = string.Format(csp, Domain);
 if (Ssl)
 {
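Review bot: `DefaultContentSecurityPolicy` in the first hunk carries no comment explaining that it is coupled to the historical-value migration in Context.cs: every future edit to this policy has to be paired with adding the previous text to the constants Context compares against, otherwise installs whose config.yml still holds the old text silently stop following the default. I would add above the constant `// Changing this policy? Add the previous value to the historical CSP constants in Context.cs so existing config.yml entries are still migrated to the default.`. In the second hunk, `string.Format(csp, Domain)` is now applied to an operator-supplied policy as well as to the default, so a custom policy with a literal `{` or `}` throws FormatException while the nginx config is being generated; that behaviour predates this change, but a short comment on the `{0}` placeholder contract next to the Format call would make the failure mode easier to diagnose. The constructor containing the second hunk starts and ends outside it.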