
CONSOLE-4266: Fix CSP inline script tag error in Console HTML template

Open vojtechszocs opened this issue 1 year ago • 6 comments

This PR addresses a CSP violation due to Console HTML index template containing an inline <script> tag.

By default, the CSP standard treats inline <script> tags as unsafe.

This particular <script> tag is part of the Console application, so we allow it within our policy via the nonce attribute.

A cryptographic nonce (number used once) to allow scripts in a script-src Content-Security-Policy. The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.

This PR also does a bit of refactoring around crypto/rand related functions, removing code duplication.

Basic verification steps

  1. git clone Console repo, switch to latest master branch, build Console backend and frontend, oc login to cluster and run the Bridge server (enabling dynamic demo plugin is not necessary). Visit http://localhost:9000/ in your browser, the above CSP error :point_up: should appear in browser dev tools "Console" tab.
  2. Apply changes from this PR, rebuild Console backend (rebuilding frontend is not necessary) and rerun the Bridge server. Open Console in your web browser, the CSP error as mentioned above should not appear.

CSP standard compliance verification steps

  1. Inspect HTML and check the presence of nonce attribute on the inline <script> tag.

  2. Inspect network activity and check the presence of 'nonce-{value}' within the CSP response header.

  3. Reload the page and repeat steps 1. and 2. above. The value of nonce should always be different.

cc @jhadvig @spadgett

vojtechszocs avatar Oct 15 '24 17:10 vojtechszocs
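The nonce flow the PR describes, as an added Go example that is not the Console's own code: a handler mints a crypto/rand nonce per response, writes the same value into the Content-Security-Policy header and the template's inline script tag, and a checker reproduces the three compliance steps from the description (nonce attribute present on the script tag, 'nonce-{value}' present in the header, value different on every reload). The template, the server flags literal and the helper names (newNonce, cspHeader, indexHandler, renderIndex, nonceMatches) are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html"
	"html/template"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Stand-in for the Console index template (constructed for this example, not
// the project's own file). The inline <script> carries the per-response nonce.
const indexTemplate = `<!DOCTYPE html>
<html><head>
<script nonce="{{.Nonce}}">window.SERVER_FLAGS = {"basePath": "/"};</script>
</head><body><div id="app"></div></body></html>
`

var indexTmpl = template.Must(template.New("index").Parse(indexTemplate))

// newNonce draws 128 bits from crypto/rand and base64-encodes them, the form
// CSP expects. A math/rand value or a counter would be guessable, and a
// guessable nonce makes the policy trivially bypassable.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// cspHeader allows same-origin scripts plus inline scripts tagged with this
// response's nonce; any other inline script stays blocked.
func cspHeader(nonce string) string {
	return fmt.Sprintf("script-src 'self' 'nonce-%s'", nonce)
}

// indexHandler mints a fresh nonce per response and emits the same value in
// the CSP header and in the template's script tag.
func indexHandler(w http.ResponseWriter, r *http.Request) {
	nonce, err := newNonce()
	if err != nil {
		http.Error(w, "nonce generation failed", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Security-Policy", cspHeader(nonce))
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := indexTmpl.Execute(w, map[string]string{"Nonce": nonce}); err != nil {
		http.Error(w, "template error", http.StatusInternalServerError)
	}
}

// renderIndex serves one request in-process and returns the CSP header and the
// HTML body, the two artefacts the PR's verification steps inspect in dev tools.
func renderIndex() (csp, body string, err error) {
	rec := httptest.NewRecorder()
	indexHandler(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	if rec.Code != http.StatusOK {
		return "", "", fmt.Errorf("unexpected status %d", rec.Code)
	}
	return rec.Header().Get("Content-Security-Policy"), rec.Body.String(), nil
}

var (
	headerNonceRe = regexp.MustCompile(`'nonce-([^']+)'`)
	scriptNonceRe = regexp.MustCompile(`<script nonce="([^"]*)"`)
)

// nonceMatches checks the compliance conditions: a 'nonce-{value}' source in
// the header, a nonce attribute on the inline <script>, and the two agreeing.
// The attribute is HTML-unescaped because html/template writes '+' as &#43;
// in attribute context; the browser decodes it before comparing.
func nonceMatches(csp, body string) (bool, error) {
	h := headerNonceRe.FindStringSubmatch(csp)
	if h == nil {
		return false, fmt.Errorf("no 'nonce-...' source in CSP header %q", csp)
	}
	s := scriptNonceRe.FindStringSubmatch(body)
	if s == nil {
		return false, fmt.Errorf("no nonce attribute on inline <script>")
	}
	return html.UnescapeString(s[1]) == h[1], nil
}

func main() {
	for i := 0; i < 2; i++ { // two "reloads": the header nonce must differ each time
		csp, body, err := renderIndex()
		if err != nil {
			panic(err)
		}
		ok, err := nonceMatches(csp, body)
		fmt.Printf("%s\nscript nonce matches header: %v (err=%v)\n", csp, ok, err)
	}
}
```

The nonce is generated inside the handler rather than once at startup on purpose: a process-wide constant would pass steps 1 and 2 but fail step 3, and a value that never changes is exactly the guessable nonce the quoted CSP guidance warns about.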

@vojtechszocs: This pull request references CONSOLE-4266 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

WIP needs testing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Oct 15 '24 17:10 openshift-ci-robot

/hold

vojtechszocs avatar Oct 15 '24 17:10 vojtechszocs

@vojtechszocs: This pull request references CONSOLE-4266 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this: (the PR description, quoted verbatim above)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Oct 17 '24 17:10 openshift-ci-robot

/hold cancel

Local testing shows that everything works as expected.

vojtechszocs avatar Oct 17 '24 17:10 vojtechszocs

@vojtechszocs: This pull request references CONSOLE-4266 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

This PR addresses a CSP violation due to Console HTML index template containing an inline <script> tag.

By default, the CSP standard treats inline <script> tags as unsafe.

This particular <script> tag is part of the Console application, so we allow it within our policy via the nonce attribute.

A cryptographic nonce (number used once) to allow scripts in a script-src Content-Security-Policy. The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.

This PR also does a bit of refactoring around crypto/rand related functions, removing code duplication.

1. Basic verification steps

  1. git clone Console repo, switch to latest master branch, build Console backend and frontend, oc login to cluster and run the Bridge server (enabling dynamic demo plugin is not necessary). Visit http://localhost:9000/ in your browser, the above CSP error :point_up: should appear in browser dev tools "Console" tab.
  2. Apply changes from this PR, rebuild Console backend (rebuilding frontend is not necessary) and rerun the Bridge server. Open Console in your web browser, the CSP error as mentioned above should not appear.

2. CSP standard compliance verification steps

  1. Inspect HTML and check the presence of nonce attribute on the inline <script> tag.

  2. Inspect network activity and check the presence of 'nonce-{value}' within the CSP response header.

  3. Reload the page and repeat steps 1. and 2. above. The nonce value should be different upon each reload.

cc @jhadvig @spadgett

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Oct 30 '24 19:10 openshift-ci-robot

PR updated - addressed the review comment in RandomString function.

vojtechszocs avatar Oct 30 '24 19:10 vojtechszocs

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhadvig, TheRealJon, vojtechszocs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

openshift-ci[bot] avatar Oct 30 '24 21:10 openshift-ci[bot]

QE Approver: /assign @yapei
Docs Approver: /assign @opayne1
PX Approver: /assign @reestr

jhadvig avatar Oct 30 '24 21:10 jhadvig

/retest

jhadvig avatar Oct 31 '24 12:10 jhadvig

/label docs-approved

opayne1 avatar Nov 01 '24 16:11 opayne1

/test e2e-gcp-console

vojtechszocs avatar Nov 01 '24 16:11 vojtechszocs

/label px-approved

reestr avatar Nov 07 '24 10:11 reestr

/hold

yapei avatar Nov 11 '24 02:11 yapei

/remove-hold

yapei avatar Nov 11 '24 02:11 yapei

I'm sorry, I added the wrong label by mistake.

yapei avatar Nov 11 '24 02:11 yapei

Tested the PR and no issues found.

/label qe-approved

yapei avatar Nov 13 '24 01:11 yapei

@vojtechszocs: This pull request references CONSOLE-4266 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this: (the updated PR description, quoted verbatim above)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Nov 13 '24 01:11 openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 4ca6d0a8089438218b56abf6dad816cf4f039e56 and 2 for PR HEAD 32a3676c3a651d0c0c047480a2a45c659900a227 in total

openshift-ci-robot avatar Nov 13 '24 04:11 openshift-ci-robot

@vojtechszocs: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Nov 13 '24 06:11 openshift-ci[bot]

[ART PR BUILD NOTIFIER]

Distgit: openshift-enterprise-console This PR has been included in build openshift-enterprise-console-container-v4.19.0-202411130808.p0.g78307da.assembly.stream.el9. All builds following this will include this PR.

openshift-bot avatar Nov 13 '24 09:11 openshift-bot