1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-22 12:15:36 +01:00

add more CSPs to the default correction check (#2668)

* add more CSPs to the default correction check

* add Dec2020ContentSecurityPolicy
This commit is contained in:
Kyle Spearrin 2023-02-03 16:04:03 -05:00 committed by GitHub
parent 0e84678150
commit 6514bdbb7e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -6,8 +6,26 @@ namespace Bit.Setup;
public class Context public class Context
{ {
private const string ConfigPath = "/bitwarden/config.yml"; private const string ConfigPath = "/bitwarden/config.yml";
// This keeps track of the value of the CSP that was defined as of Jan 2023.
// Do not change this value. // These track of old CSP default values to correct.
// Do not change these values.
private const string Dec2020ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
"child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
"https://twofactorauth.org; object-src 'self' blob:;";
private const string Jan2021ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
"frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
"https://twofactorauth.org; object-src 'self' blob:;";
private const string Feb2021ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
"frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
"https://2fa.directory; object-src 'self' blob:;";
private const string Jan2023ContentSecurityPolicy = "default-src 'self'; style-src 'self' " + private const string Jan2023ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com; " + "'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com; " +
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " + "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
@ -15,6 +33,14 @@ public class Context
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " + "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
"https://api.2fa.directory; object-src 'self' blob:;"; "https://api.2fa.directory; object-src 'self' blob:;";
private string[] _oldCspDefaults =
{
Dec2020ContentSecurityPolicy,
Jan2021ContentSecurityPolicy,
Feb2021ContentSecurityPolicy,
Jan2023ContentSecurityPolicy
};
public string[] Args { get; set; } public string[] Args { get; set; }
public bool Quiet { get; set; } public bool Quiet { get; set; }
public bool Stub { get; set; } public bool Stub { get; set; }
@ -127,7 +153,7 @@ public class Context
Config = deserializer.Deserialize<Configuration>(configText); Config = deserializer.Deserialize<Configuration>(configText);
// Fix old explicit config assignments of CSP which should be treated as a default value // Fix old explicit config assignments of CSP which should be treated as a default value
if (Config.NginxHeaderContentSecurityPolicy == Jan2023ContentSecurityPolicy) if (_oldCspDefaults.Any(c => c == Config.NginxHeaderContentSecurityPolicy))
{ {
Config.NginxHeaderContentSecurityPolicy = null; Config.NginxHeaderContentSecurityPolicy = null;
SaveConfiguration(); SaveConfiguration();