
Bug #25712

closed

CSP violations from status tab in utilities pages

Added by Clark ANDRIANASOLO 3 months ago. Updated 2 months ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
Trivial - no functional impact | cosmetic
UX impact:
User visibility:
First impressions of Rudder
Effort required:
Small
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

In 8.2 only the "Utilities" menu in Rudder has strict CSP headers enabled, see #25032.
This means script tags need a unique valid nonce attribute.
But it appears that when loading these pages, there are some CSP violations from some scripts that were added to render the "Status" tab in #25527, that have a different value than the one used for the script tags within the page.

The error log that is produced:

WARN  application - Content security policy violation: blocked inline in http://localhost:8080/rudder/secure/utilities/archiveManagement?continue because of script-src-elem directive

(notice that the violation is not enforced in dev mode, which makes it not detectable unless we pay attention to error logs and console errors, because we have the Content-Security-Policy-Report-Only header; we should also enforce it by only using Content-Security-Policy and X-Content-Security-Policy headers)
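A small checker, added here as an illustration and not part of Rudder or of this ticket, for the mismatch the description reports: it extracts the nonces allowed by the page's script-src-elem (or script-src) directive, lists the script elements whose nonce attribute does not match, and reports whether the policy is enforced or only Report-Only. The headers, nonce values and markup are constructed samples.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a page whose CSP nonce is PAGE_NONCE, with one script
# rendered by a component under its own nonce and one with no nonce at all.
PAGE_NONCE = "pageNonce123"
HEADERS = {
    "Content-Security-Policy-Report-Only":
        f"default-src 'self'; script-src-elem 'nonce-{PAGE_NONCE}' 'strict-dynamic'",
}
BODY = f"""<html><body>
<script nonce="{PAGE_NONCE}">initPage();</script>
<div id="status-tab">
  <script nonce="componentNonce456">renderStatusBar();</script>
  <script>document.querySelector('.open-btn').onclick = openTab;</script>
</div></body></html>"""


class _ScriptCollector(HTMLParser):
    """Record (line number, nonce attribute) for every <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append((self.getpos()[0], dict(attrs).get("nonce")))


def allowed_nonces(policy):
    """Nonces accepted for script elements, using the CSP3 fallback order."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in directives:
            return {t[len("'nonce-"):-1] for t in directives[name]
                    if t.startswith("'nonce-") and t.endswith("'")}
    return set()


def audit(headers, body):
    """Return (scripts the policy would block, whether the policy is enforced).
    Only Content-Security-Policy blocks; the Report-Only header just logs."""
    enforced = "Content-Security-Policy" in headers
    policy = headers.get("Content-Security-Policy") or headers.get("Content-Security-Policy-Report-Only", "")
    allowed = allowed_nonces(policy)
    collector = _ScriptCollector()
    collector.feed(body)
    blocked = [(line, nonce) for line, nonce in collector.scripts if nonce not in allowed]
    return blocked, enforced
```

On the sample, `audit(HEADERS, BODY)` flags the component script (line 4, foreign nonce) and the nonce-less script (line 5) and reports the policy as not enforced, which is exactly what the Report-Only header hides in dev mode.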


Files

clipboard-202410211802-fhweb.png (63 KB), Clark ANDRIANASOLO, 2024-10-21 18:02
clipboard-202410211802-5uu5d.png (63 KB), Clark ANDRIANASOLO, 2024-10-21 18:02
clipboard-202410211802-yz8zl.png (110 KB), Clark ANDRIANASOLO, 2024-10-21 18:02

Related issues: 3 (0 open, 3 closed)

Related to Rudder - Bug #25527: List techniques with compilation failure in bar for generation status (Released, François ARMAND)
Related to Rudder - Bug #25032: Use Content-Security-Policy strict headers in utilities pages (Released, François ARMAND)
Related to Rudder - Bug #25715: Avoid Content-Security-Policy-Report-Only headers in dev mode (Released, Alexis Mousset)
Actions #1

Updated by Clark ANDRIANASOLO 3 months ago

  • Related to Bug #25527: List techniques with compilation failure in bar for generation status added
  • Related to Bug #25032: Use Content-Security-Policy strict headers in utilities pages added

Updated by Clark ANDRIANASOLO 3 months ago · Edited

The scripts in error involve generic CSS selectors and could be put in a global context within the request that has access to the page nonce to solve the issue.
And since we use buttons to open in a new page we will have some pain rewriting using the same CSP, so we likely need to rewrite buttons into links.
The errors I saw with 3 nonce values that are not the ones allowed in the page:

Actions #3

Updated by Clark ANDRIANASOLO 3 months ago

  • Description updated (diff)
Actions #4

Updated by Clark ANDRIANASOLO 3 months ago

  • Related to Bug #25715: Avoid Content-Security-Policy-Report-Only headers in dev mode added
Actions #5

Updated by Clark ANDRIANASOLO 3 months ago

  • Priority changed from To review to N/A
Actions #6

Updated by Clark ANDRIANASOLO 3 months ago

  • Status changed from New to In progress
Actions #7

Updated by Clark ANDRIANASOLO 3 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Clark ANDRIANASOLO to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/5966
Actions #8

Updated by Vincent MEMBRÉ 3 months ago

  • Target version changed from 8.2.0 to 8.2.1
Actions #9

Updated by Clark ANDRIANASOLO 3 months ago

  • Status changed from Pending technical review to Pending release
Actions #10

Updated by Alexis Mousset 3 months ago

  • Fix check changed from To do to Checked
Actions #11

Updated by Vincent MEMBRÉ 2 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 8.2.1 which was released today.
