
Use static config validation with built in widgets to pass CSP without unsafe-eval

Open taras opened this issue 4 years ago • 2 comments

Closes #2138

Summary

Follow up to our proposal in https://github.com/netlify/netlify-cms/issues/2138#issuecomment-998741205 to introduce static config validation that allows Netlify CMS to run in environments where Content Security Policy (CSP) prevents runtime code eval with unsafe-eval rule.

This PR introduces a number of changes to make this work:

  1. Upgraded ajv package to 8.8.2 & ajv-keywords to 5.0.0 in netlify-cms-core workspace
  2. Added ajv-cli as a dependency to netlify-cms-core
  3. Validation schema necessary to validate all of the built in widgets was extracted to packages/netlify-cms-core/config.schema.json
  4. Added write-validate-schema to package.json of netlify-cms-core which uses ajv CLI command to generate package/netlify-cms-core/src/constants/staticValidateConfig.js
  5. package/netlify-cms-core/validation-rules/{instanceof.js,uniqueItemProprties.js} created with support for ajv@8 which is not supported in ajv-keywords
  6. validateConfig function modified to check if there are any custom widgets with custom schema. When no custom schemas are present, NetlifyCMS config validation defaults to use staticValidateConfig.js instead of dynamic validation
  7. Removed ajv-errors because errorMessage keyword is not used in the schema

Test plan

Refactored configSchema.spec.js to run tests for dynamic and static validation.

TODO

  • [ ] TypeScript needs to be upgraded because AJV 8 uses TypeScript 4 which includes definitions that can not pass tsc --noEmit.

Checklist

Please add an x inside each checkbox:

  • [ ] I have read the contribution guidelines.
  • [ ] Code is formatted via running yarn format.
  • [ ] Tests are passing via running yarn test.
  • [ ] The status checks are successful (continuous integration). Those can be seen below.

A picture of a cute animal (not mandatory but encouraged)

Picture of my husky at the Pacific Ocean


taras avatar Jan 07 '22 21:01 taras
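Added example (not code from the PR or the Decap CMS code base), in plain JavaScript, modelling the selection the PR describes: a precompiled validator that performs no runtime code generation, a probe for whether the page's CSP permits `new Function`, and a fallback to dynamic schema compilation only when a registered widget supplies its own schema. The config fields, the small widget whitelist and all function names here are assumed for illustration.

```javascript
// Added example, not Decap CMS code. Models the PR's rule: use a precompiled
// validator unless a registered widget brings a custom schema.

// Probe: compiling a schema at runtime (ajv's default) needs code generation,
// which a CSP script-src without 'unsafe-eval' blocks.
function runtimeCodegenAllowed() {
  try { new Function('return 1')(); return true; } catch (e) { return false; }
}

// Stand-in for a precompiled (ajv standalone-style) validator: a plain
// function shipped as source, so nothing is eval'd in the browser.
// Assumed toy schema: backend.name string, non-empty collections,
// and every field's widget drawn from a whitelist of built-in names.
const BUILT_IN_WIDGETS = ['string', 'number', 'boolean']; // assumed subset
function staticValidateConfig(config) {
  const errors = [];
  if (!config.backend || typeof config.backend.name !== 'string') {
    errors.push({ instancePath: '/backend', message: 'must have a string name' });
  }
  if (!Array.isArray(config.collections) || config.collections.length === 0) {
    errors.push({ instancePath: '/collections', message: 'must be a non-empty array' });
  } else {
    config.collections.forEach((c, i) => {
      (c.fields || []).forEach((f, j) => {
        if (!BUILT_IN_WIDGETS.includes(f.widget)) {
          errors.push({ instancePath: `/collections/${i}/fields/${j}/widget`,
                        message: 'unknown widget' });
        }
      });
    });
  }
  staticValidateConfig.errors = errors.length ? errors : null; // ajv-style
  return errors.length === 0;
}

// Only widgets registered with their own `schema` force dynamic compilation.
function needsDynamicValidation(registeredWidgets) {
  return registeredWidgets.some((w) => w && w.schema);
}

// compileDynamic is the caller's runtime-compilation path (e.g. ajv.compile).
function selectValidator(registeredWidgets, compileDynamic) {
  if (!needsDynamicValidation(registeredWidgets)) {
    return { mode: 'static', validate: staticValidateConfig };
  }
  if (!runtimeCodegenAllowed()) {
    throw new Error("custom widget schema needs runtime compilation, blocked by CSP");
  }
  return { mode: 'dynamic', validate: compileDynamic(registeredWidgets) };
}
```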

@erezrokah this PR is going to be blocked by the fact that ajv@8 uses TypeScript 4+ and has syntax in type definition files that is not supported by TypeScript 3 used by this project. As a result, tests pass but type check fails. I'm not sure what to do with this because it's out of scope of this particular issue.

taras avatar Jan 07 '22 21:01 taras

@taras are you still interested in moving this forward?

martinjagodic avatar Oct 16 '23 09:10 martinjagodic