Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2024-11-21 12:05:42 +01:00
Code Issues Projects Releases Wiki Activity

add more CSPs to the default correction check (#2668)

Browse Source 
* add more CSPs to the default correction check

* add Dec2020ContentSecurityPolicy
This commit is contained in:
Kyle Spearrin 2023-02-03 16:04:03 -05:00 committed by GitHub
parent 0e84678150
commit 6514bdbb7e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 29 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
util/Setup/Context.cs
View File

@ -6,8 +6,26 @@ namespace Bit.Setup;
public class Context
{
private const string ConfigPath = "/bitwarden/config.yml";
// This keeps track of the value of the CSP that was defined as of Jan 2023.
// Do not change this value.
// These track of old CSP default values to correct.
// Do not change these values.
private const string Dec2020ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
"child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
"https://twofactorauth.org; object-src 'self' blob:;";
private const string Jan2021ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
"frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
"https://twofactorauth.org; object-src 'self' blob:;";
private const string Feb2021ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
"frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
"https://2fa.directory; object-src 'self' blob:;";
private const string Jan2023ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com; " +
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
@ -15,6 +33,14 @@ public class Context
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
"https://api.2fa.directory; object-src 'self' blob:;";
private string[] _oldCspDefaults =
{
Dec2020ContentSecurityPolicy,
Jan2021ContentSecurityPolicy,
Feb2021ContentSecurityPolicy,
Jan2023ContentSecurityPolicy
};
public string[] Args { get; set; }
public bool Quiet { get; set; }
public bool Stub { get; set; }
@ -127,7 +153,7 @@ public class Context
Config = deserializer.Deserialize<Configuration>(configText);
// Fix old explicit config assignments of CSP which should be treated as a default value
if (Config.NginxHeaderContentSecurityPolicy == Jan2023ContentSecurityPolicy)
if (_oldCspDefaults.Any(c => c == Config.NginxHeaderContentSecurityPolicy))
{
Config.NginxHeaderContentSecurityPolicy = null;
SaveConfiguration();