implement content-security-policy

ansibleguy · Jul 15, 2024 · 5cbe2f8 · 5cbe2f8
1 parent 087f266
commit 5cbe2f8
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 ## Version 0
 
+### 0.0.23
+
+* Fix for possible XSS
+* Implemented [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to protect against XSS and injections
+* Migrated vendor CSS/JS to be included in the package
+
 ### 0.0.22
 
 * Improved [custom execution prompts](https://webui.ansibleguy.net/en/latest/usage/jobs.html#execute)

diff --git a/src/ansibleguy-webui/aw/templates/head.html b/src/ansibleguy-webui/aw/templates/head.html
@@ -7,19 +7,30 @@
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <meta name="robots" content="noindex, nofollow">
 <meta name="color-scheme" content="light dark" />
+{% if script_unsafe_inline is none %}
+<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'">
+{% else %}
+<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'unsafe-inline'">
+{% endif %}
+{% comment %}
+  CSP NOTES:
+  fontawesome will fail if style-src is restricted
+  script-src unsafe-eval is for the setInterval calls..
+  script_unsafe_inline is for template-generated inline-scripts (only on job-edit view)
+{% endcomment %}
 <link rel="icon" {% if get_logo|find:"svg" %}type="image/svg"{% endif %} href="{% get_logo %}">
 
-<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bootstrap/5.3.2/css/bootstrap.min.css" integrity="sha512-b2QcS5SsA8tZodcDtGRELiGv5SaKSk1vDHDaQRda0htPYWZ6046lr3kJ5bAAQdpV2mmA/4v0wQF9MyU6/pDIAg==" crossorigin="anonymous" referrerpolicy="no-referrer" />
-<link href="{% static 'fontawesomefree/css/fontawesome.css' %}" rel="stylesheet" type="text/css">
-<link href="{% static 'fontawesomefree/css/solid.css' %}" rel="stylesheet" type="text/css">
+<link href="{% static 'vendor/css/bootstrap.min.css' %}" rel="stylesheet" type="text/css" crossorigin="anonymous" referrerpolicy="no-referrer">
+<link href="{% static 'fontawesomefree/css/fontawesome.css' %}" rel="stylesheet" type="text/css" crossorigin="anonymous" referrerpolicy="no-referrer">
+<link href="{% static 'fontawesomefree/css/solid.css' %}" rel="stylesheet" type="text/css" crossorigin="anonymous" referrerpolicy="no-referrer">
 <!--<link href="{% static 'fontawesomefree/css/brands.css' %}" rel="stylesheet" type="text/css" crossorigin="anonymous" referrerpolicy="no-referrer">-->
 
-<script src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap/5.3.2/js/bootstrap.min.js" integrity="sha512-WW8/jxkELe2CAiE4LvQfwm1rajOS8PHasCCx+knHG0gBHt8EXxS6T6tJRTGuDQVnluuAvMxWF4j8SNFDKceLFg==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+<script src="{% static 'vendor/js/bootstrap.min.js' %}" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+<script src="{% static 'vendor/js/jquery.min.js' %}" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+<script src="{% static 'vendor/js/popper.min.js' %}" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
 <script src="{% static 'fontawesomefree/js/fontawesome.js' %}" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
 <script src="{% static 'fontawesomefree/js/solid.js' %}" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
 <script src="{% static 'fontawesomefree/js/brands.js' %}" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
-<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js" integrity="sha512-v2CJ7UaYy4JwqLDIrZUI/4hqeoQieOmAZNXBeQyjo21dadnwR+8ZaIJVT8EE2iyI61OV8e6M8PP2/4hpQINQ/g==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
-<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/2.11.8/umd/popper.min.js" integrity="sha512-TPh2Oxlg1zp+kz3nFA0C5vVC6leG/6mm1z9+mA81MI5eaUVqasPLO8Cuk4gMF4gUfP5etR73rgU/8PNMsSesoQ==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
 
 <link rel="stylesheet" type="text/css" href="{% static 'css/aw.css' %}">
 <link rel="stylesheet" type="text/css" href="{% static 'css/aw_mobile.css' %}">

diff --git a/src/ansibleguy-webui/aw/views/forms/job.py b/src/ansibleguy-webui/aw/views/forms/job.py
@@ -92,7 +92,7 @@ def job_edit(request, job_id: int = None, clone: bool = False) -> HttpResponse:
     )
     return render(
         request, status=200, template_name='jobs/edit.html',
-        context={'form': job_form_html, 'form_api': form_api, 'form_method': form_method}
+        context={'form': job_form_html, 'form_api': form_api, 'form_method': form_method, 'script_unsafe_inline': True}
     )