OpenSearch-Dashboards
[BUG] Content Security Policy for OpenSearch Dashboards
CSP Policy for OpenSearch Dashboards
We have been using OpenSearch Dashboards as a primary tool to visualize logs for triaging and to get other insights from the logs. Of late, we have run some testing on OpenSearch Dashboards (ver 2.11.1) and found that the value of the Content-Security-Policy (CSP) response header has 'unsafe-eval' and 'unsafe-inline' for the script-src and style-src directives. This makes it easy to inject malicious code that will not be blocked by the browser (due to 'unsafe-eval' and 'unsafe-inline' in the CSP). This is a major security issue and hence we would like to know if there is a setting that we should apply or a workaround so that the security risk can be mitigated.
We have tried removing the unsafe directives from the CSP header (via our proxy), but the application fails to initialize properly in the browser. We have also explored the possibility of using 'nonce' with 'strict-dynamic' directives, but it looks like OpenSearch Dashboards does not give any options/configurations to enable this. Removing the CSP header entirely would not be a valid solution either, as the code still remains vulnerable.
Any suggestions or guidance on this will be really helpful.
More strict CSP as applicable.
OpenSearch 2.11.1, OpenSearch Dashboards 2.11.1
Hello @gupta-mayank,
I believe this is a duplicate of: https://github.com/opensearch-project/OpenSearch-Dashboards/issues/5639.
@tianleh do you mind verifying if your contribution will be mitigating this issue as well?
My related change is for mitigating Clickjacking vulnerability, specifically the directive frame-ancestors in CSP rules.
The current issue by @gupta-mayank is about the directives script-src and style-src in CSP rules.
While the infrastructure to be introduced by my issue will help customers specify hot reloading CSP rules, choosing values to use for script-src and style-src is a different problem.
@kavilla
cc @seraphjiang
@tianleh the solution for CSP should be supported without additional effort according to your current design, which is to set the whole CSP policy that includes the iframe-related policy as well as the others.
If yes, this issue should be covered. If not, could you share what the gap is to extend the solution to support this case?
Yes. From this perspective, the issue is covered. @seraphjiang
cc @kavilla
It's possible to specify CSP settings (for example, csp.strict: true) in the configuration file. See https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/src/core/server/csp/config.ts#L38 for the full configuration options.
Today, there are a range of dependencies that block a stricter CSP. See the appendix here: https://github.com/opensearch-project/OpenSearch-Dashboards/issues/4306
"We have also explored the possibility of using 'nonce' with 'strict-dynamic' directives but looks like opensearch dashboards does not give any options/configurations to enable this."
csp.rules in the OSD YML can be used with this syntax:
csp.rules: ["script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self';"]
@tianleh, is there a way to turn on the nonce attributes for all the script and style elements that get loaded when the dashboards are initialized in the browser? I see condition(s) in the minified code that conditionally set the nonce attribute for the script elements like this: if (webpack_require.nc) { script.setAttribute("nonce", webpack_require.nc) } Is there a way to turn this on via the configuration? Also, will it be possible to avoid using 'unsafe-eval' and 'unsafe-inline' via some configuration?
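The header check the reporter describes (flagging 'unsafe-eval' and 'unsafe-inline' in script-src/style-src) and the nonce/'strict-dynamic' behaviour asked about just above, as an added JavaScript example for Node.js. This is not OpenSearch Dashboards code; it simplifies CSP3 matching (no hashing of script content, no parser-inserted distinction for 'strict-dynamic'), and both policy strings are constructed, the first modelled on the csp.rules value quoted in the thread.

```javascript
'use strict';

// Parse "script-src 'self' 'unsafe-eval'; style-src 'unsafe-inline'" into a
// Map of directive name -> array of source expressions. As in browsers, the
// first occurrence of a directive wins and names are case-insensitive.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective source list for a fetch directive, falling back to default-src.
// Returns null when nothing in the policy governs that directive at all.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.get('default-src') || null;
}

// Nonce values and whether any nonce/hash source is present: CSP3 browsers
// ignore 'unsafe-inline' as soon as a nonce or hash source appears.
function nonceInfo(sources) {
  const nonces = sources.filter(s => s.startsWith("'nonce-")).map(s => s.slice(7, -1));
  const hasHash = sources.some(s => /^'sha(256|384|512)-/.test(s));
  return { nonces, hasNonceOrHash: nonces.length > 0 || hasHash };
}

// Audit a header value the way the reporter did: report every effective
// 'unsafe-inline' / 'unsafe-eval' in script-src and style-src.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const d of ['script-src', 'style-src']) {
    const sources = effectiveSources(policy, d) || [];
    const { hasNonceOrHash } = nonceInfo(sources);
    if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push(`${d} allows 'unsafe-inline'`);
    if (sources.includes("'unsafe-eval'")) findings.push(`${d} allows 'unsafe-eval'`);
  }
  return findings;
}

// Decide whether one script "load" passes the policy (simplified CSP3 rules).
// load = { kind: 'inline' | 'eval' | 'external', nonce?: string, origin?: string }
function scriptAllowed(header, load, pageOrigin) {
  const sources = effectiveSources(parseCsp(header), 'script-src');
  if (sources === null) return true; // policy says nothing about scripts
  const { nonces, hasNonceOrHash } = nonceInfo(sources);
  const nonceMatch = load.nonce !== undefined && nonces.includes(load.nonce);
  switch (load.kind) {
    case 'eval':
      return sources.includes("'unsafe-eval'");
    case 'inline':
      return nonceMatch || (sources.includes("'unsafe-inline'") && !hasNonceOrHash);
    case 'external':
      if (nonceMatch) return true;
      // 'strict-dynamic' makes host sources and 'self' ineffective.
      if (sources.includes("'strict-dynamic'")) return false;
      if (sources.includes("'self'") && load.origin === pageOrigin) return true;
      return sources.includes(load.origin);
    default:
      throw new Error(`unknown load kind: ${load.kind}`);
  }
}

// Constructed sample policies (not captured from a real deployment).
const OSD_LIKE_POLICY =
  "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self';";
const NONCE_POLICY =
  "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'";

module.exports = { parseCsp, auditCsp, scriptAllowed, OSD_LIKE_POLICY, NONCE_POLICY };
```

Running auditCsp on the first policy reproduces the reporter's two findings; scriptAllowed on the second shows why a nonce-based policy needs every script element to carry the nonce (which is what the webpack_require.nc check above is for): without it, 'unsafe-inline' is ignored and the inline script is blocked.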
checking
@tianleh, could you please let me know if you had the opportunity to check on this?
Have been busy with 2.13.0 release recently with code freeze date 3/19/2024. Will check again this week after release.
- The nonce syntax has been deprecated. See the code reference https://github.com/opensearch-project/OpenSearch-Dashboards/blame/27d73ab263a1663f90981d816ac77fb7660553d3/src/core/server/config/deprecation/core_deprecations.ts#L91
- The key problem is that OSD will fail to load if you remove them. See the comment https://github.com/opensearch-project/OpenSearch-Dashboards/issues/5917#issuecomment-1966829386 on why stricter CSP is not supported.