Skip to content

Fix for ignored CSP_NONCE in ContentSecurity Header#43573

Merged
susnux merged 4 commits intomasterfrom
HolgerHees-fix-csp-nonce-handling
Aug 13, 2024
Merged

Fix for ignored CSP_NONCE in ContentSecurity Header#43573
susnux merged 4 commits intomasterfrom
HolgerHees-fix-csp-nonce-handling

Conversation

@HolgerHees
Copy link
Contributor

@HolgerHees HolgerHees commented Feb 14, 2024

We should use 'cspNonceManager' for requesting the NONCE value, because it is doing the same as before, except that it honors a CPS_NONCE environment variable if available.

If a CSP_NONCE env var is defined, it is used nearly everywhere, except for setting the correct ContentSecurityPolicy Header.

This commit fixes this.

@susnux susnux changed the title Fix for ignored CPS_NONCE in ContentSecurity Header Fix for ignored CSP_NONCE in ContentSecurity Header Feb 14, 2024
@susnux susnux assigned HolgerHees and unassigned susnux and fsamapoor Feb 14, 2024
@susnux susnux added this to the Nextcloud 29 milestone Feb 14, 2024
@susnux susnux added bug 3. to review Waiting for reviews labels Feb 14, 2024
@susnux susnux requested review from a team, ArtificialOwl, blizzz, nfebe and nickvergessen and removed request for a team February 14, 2024 17:19
susnux
susnux approved these changes Feb 14, 2024
View reviewed changes
Copy link
Contributor

@susnux susnux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!
But then we can remove csrfTokenManager from the class as it is no longer used.

@susnux
Copy link
Contributor

susnux commented Feb 20, 2024

There might be a problem because all our webpack loaded scripts use the csrf token as nonce -> will break if you use a custom nonce. But we should fix that.

This was referenced Mar 12, 2024
Merged
Merged
Merged
This was referenced Mar 20, 2024
Merged
Merged
@skjnldsv skjnldsv mentioned this pull request Mar 28, 2024
Merged
81 tasks
@skjnldsv skjnldsv modified the milestones: Nextcloud 29, Nextcloud 30 Mar 28, 2024
@skjnldsv skjnldsv added 2. developing Work in progress stale Ticket or PR with no recent activity and removed 3. to review Waiting for reviews labels Jul 27, 2024
@blizzz blizzz mentioned this pull request Jul 30, 2024
Merged
@HolgerHees
Copy link
Contributor Author

HolgerHees commented Jul 30, 2024

There might be a problem because all our webpack loaded scripts use the csrf token as nonce -> will break if you use a custom nonce. But we should fix that.

@susnux it looks like my change will be merged in version 30.0.0. Is the problem, you mentioned solved?

@blizzz blizzz removed their request for review July 31, 2024 21:13
@blizzz blizzz mentioned this pull request Aug 1, 2024
Merged
@susnux susnux force-pushed the HolgerHees-fix-csp-nonce-handling branch from 5cf8647 to 89575c5 Compare August 1, 2024 21:09
@susnux
Copy link
Contributor

susnux commented Aug 1, 2024
edited
Loading

There might be a problem because all our webpack loaded scripts use the csrf token as nonce -> will break if you use a custom nonce. But we should fix that.

For this issue I pushed a commit to provide the CSP nonce as <meta name="csp-nonce"> important to notice is that we can not use content because this can lead to side-channel exfiltration attacks (e.g. using CSS selectors like meta[content~=...]) but we need to use the nonce attribute as this can not be queried by selectors and only accessed using JS like element.nonce.

Ref: https://html.spec.whatwg.org/multipage/urls-and-fetching.html#nonce-attributes

If we approve this PR then we should go with this: nextcloud-libraries/nextcloud-auth#673

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 1, 2024
View reviewed changes
@susnux susnux mentioned this pull request Aug 2, 2024
Merged
@susnux susnux force-pushed the HolgerHees-fix-csp-nonce-handling branch from 89575c5 to 0b1d4c9 Compare August 2, 2024 21:20
@susnux susnux requested a review from nickvergessen August 2, 2024 21:22
@susnux susnux added 3. to review Waiting for reviews and removed 2. developing Work in progress stale Ticket or PR with no recent activity labels Aug 2, 2024
This was referenced Aug 5, 2024
Merged
Merged
@susnux susnux force-pushed the HolgerHees-fix-csp-nonce-handling branch from 0b1d4c9 to 68d4077 Compare August 13, 2024 07:51
HolgerHees and others added 2 commits August 13, 2024 09:52
@HolgerHees @susnux
fix: Use CSP_NONCE env variable in ContentSecurity Header
73397cd 
We should use 'cspNonceManager' for requesting the NONCE value, because it is doing the same as before, except that it honors a CPS_NONCE environment variable if available.

Signed-off-by: Holger Hees <holger.hees@gmail.com>
@susnux
fix: Make sure CSP nonce is not double base64 encoded
86f01a3 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux susnux force-pushed the HolgerHees-fix-csp-nonce-handling branch from 68d4077 to fbfa4db Compare August 13, 2024 07:52
@susnux
test: Adjust tests for CSP nonce
009761b 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux susnux force-pushed the HolgerHees-fix-csp-nonce-handling branch from fbfa4db to f1c1cf1 Compare August 13, 2024 08:06
@susnux
feat: Provide CSP nonce as <meta> element
2916e5d 
This way we use the CSP nonce for dynamically loaded scripts.
Important to notice: The CSP nonce must NOT be injected in `content` as
this can lead to value exfiltration using e.g. side-channel attacts (CSS selectors).

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux susnux force-pushed the HolgerHees-fix-csp-nonce-handling branch from f1c1cf1 to 2916e5d Compare August 13, 2024 08:32
@skjnldsv skjnldsv mentioned this pull request Aug 13, 2024
Merged
@susnux susnux merged commit 3e409fd into master Aug 13, 2024
@susnux susnux deleted the HolgerHees-fix-csp-nonce-handling branch August 13, 2024 15:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@susnux susnux susnux approved these changes

@nickvergessen nickvergessen nickvergessen approved these changes

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl ArtificialOwl is a code owner automatically assigned from nextcloud/server-backend

@nfebe nfebe Awaiting requested review from nfebe nfebe is a code owner automatically assigned from nextcloud/server-backend

Assignees

@HolgerHees HolgerHees

Labels

3. to review Waiting for reviews bug security

Projects

None yet

Milestone

Nextcloud 30

Development

Successfully merging this pull request may close these issues.

5 participants

@HolgerHees @susnux @nickvergessen @fsamapoor @skjnldsv