From 4084887abf4e998c0a1f14e747a0a9b9ae57c79f Mon Sep 17 00:00:00 2001
From: Ian Sigmon
Date: Tue, 11 Feb 2025 16:56:04 -0800
Subject: [PATCH 1/2] Upgrade Netty (#986)

---
gradle.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gradle.properties b/gradle.properties
index 7877098308..fe42b277f5 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -248,7 +248,7 @@ mssqlJdbcVersion=12.8.1.jre11 mysqlDriverVersion=9.1.0 # forced compatibility between docker and UserReg-WS -nettyVersion=4.1.115.Final +nettyVersion=4.1.118.Final objenesisVersion=1.0

From 3e9f96846c3787495e122c34d72e429feb31d8ce Mon Sep 17 00:00:00 2001
From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com>
Date: Fri, 14 Feb 2025 17:14:35 -0800
Subject: [PATCH 2/2] replace CSP with new default, with start/end markers for auto replacement (#984) (#990)

* replace CSP with new default, with start/end markers for auto replacement
* add copy_csp_blocks action
* add guard against updating chef repo when ap file didn't change

---------

Co-authored-by: labkey-tchad
---
.github/workflows/copy_csp_blocks.yml | 187 ++++++++++++++++++++++++++
server/configs/application.properties | 27 ++--
2 files changed, 200 insertions(+), 14 deletions(-)
create mode 100644 .github/workflows/copy_csp_blocks.yml

diff --git a/.github/workflows/copy_csp_blocks.yml b/.github/workflows/copy_csp_blocks.yml
new file mode 100644
index 0000000000..3730705b03
--- /dev/null
+++ b/.github/workflows/copy_csp_blocks.yml
@@ -0,0 +1,187 @@ +name: Copy CSP Blocks +# Upon merge of a PR in which 'server/configs/application.properties' was updated... +# this workflow copies the Content Security Policy blocks to other repos, as marked by: +# start: "## START OF CSP COPY BLOCK" or "## START OF CSP ENFORCE BLOCK" (to only copy and uncomment the csp.enforce section) +# end: "## END OF CSP COPY BLOCK" or "## END OF CSP ENFORCE BLOCK" +# note: if the contents between the start/end have not changed, it's a no-op, and no PRs are pushed to the target repos + +on: + pull_request: + types: + - closed + branches: + - fb_* + paths: + - server/configs/application.properties + +jobs: + copy_csp: + if: github.event.pull_request.merged + runs-on: ubuntu-latest + outputs: + csp_report_on: ${{ steps.cspvars.outputs.csp_report_on }} + csp_enforce_off: ${{ steps.cspvars.outputs.csp_enforce_off }} + csp_enforce_on: ${{ steps.cspvars.outputs.csp_enforce_on }} + steps: + - name: Check Out Code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + + - name: Copy CSP blocks into vars + id: cspvars + run: | + # report block, fixing report-uri for non-teamcity usage: + CSP_REPORT_ON=$( awk '/## END OF CSP REPORT BLOCK/{p=0};p;/## START OF CSP REPORT BLOCK/{p=1}' server/configs/application.properties |\ + sed 's/report-uri /report-uri https:\/\/www.labkey.org/' ) + + # enforce block, fixing report-uri for non-teamcity usage, removing useLocalBuild comment, adding upgrade-insecure-requests: + CSP_ENFORCE_OFF=$( awk '/## END OF CSP ENFORCE BLOCK/{p=0};p;/## START OF CSP ENFORCE BLOCK/{p=1}' server/configs/application.properties |\ + sed 's/^#useLocalBuild#/# /' |\ + sed '/base-uri/a# upgrade-insecure-requests ;\\' |\ + sed 's/report-uri /report-uri https:\/\/www.labkey.org/' ) + + # enforce block, uncommented: + CSP_ENFORCE_ON=$( awk '/## END OF CSP ENFORCE BLOCK/{p=0};p;/## START OF CSP ENFORCE BLOCK/{p=1}' server/configs/application.properties |\ + sed 's/^#useLocalBuild#//' |\ + 
sed '/base-uri/a\ upgrade-insecure-requests ;\\' |\ + sed 's/report-uri /report-uri https:\/\/www.labkey.org/' ) + + # use unique delimiter for multiline outputs: https://stackoverflow.com/a/74256214 + delimiter="$(openssl rand -hex 8)" + + echo "csp_report_on<<${delimiter}" >> "${GITHUB_OUTPUT}" + echo "$CSP_REPORT_ON" >> "${GITHUB_OUTPUT}" + echo "${delimiter}" >> "${GITHUB_OUTPUT}" + + echo "csp_enforce_off<<${delimiter}" >> "${GITHUB_OUTPUT}" + echo "$CSP_ENFORCE_OFF" >> "${GITHUB_OUTPUT}" + echo "${delimiter}" >> "${GITHUB_OUTPUT}" + + echo "csp_enforce_on<<${delimiter}" >> "${GITHUB_OUTPUT}" + echo "$CSP_ENFORCE_ON" >> "${GITHUB_OUTPUT}" + echo "${delimiter}" >> "${GITHUB_OUTPUT}" + + paste_csp_into_chef_repo: + needs: copy_csp + runs-on: ubuntu-latest + env: + csp_report_on: ${{ needs.copy_csp.outputs.csp_report_on }} + csp_enforce_off: ${{ needs.copy_csp.outputs.csp_enforce_off }} + ap_file: "cookbooks/lk_appserver/templates/default/application.properties.erb" + steps: + - name: Check out repo + uses: actions/checkout@v4 + with: + repository: LabKey/syseng-chef-server + token: ${{ secrets.TERRAFORM_TOKEN }} + - name: Paste Into Chef Repo + run: | + printf "\n\n>>>> $ap_file before I change it: <<<<\n\n" + cat $ap_file + + printf "\n\n>>>> caught csp_report_on env var: <<<<\n$csp_report_on n\n" + printf "\n\n>>>> caught csp_enforce_off env var: <<<<\n$csp_enforce_off n\n" + + printf "\n\n>>>> replacing csp blocks in $ap_file <<<<\n\n" + + python <>>> updated $ap_file: <<<<\n\n" + cat $ap_file + + git status + if [[ $(git diff-index --name-only HEAD |grep application.properties) ]]; then + printf "\n\n>>>> changes detected, so updating chef recipe version <<<<\n\n" + NEW_VER=$(grep version cookbooks/lk_appserver/metadata.rb |cut -d '"' -f 2 |awk -F. -v OFS=. 
'{$NF += 1 ; print}') + sed -i 's/\(version.*\)".*"/\1"'$NEW_VER'"/' cookbooks/lk_appserver/metadata.rb + sed -i 's/\(lk_appserver .*\)([0-9]*.[0-9]*.[0-9]*)/\1('$NEW_VER')/' Berksfile.lock + fi + + - name: Create Pull Request + id: cpr + uses: peter-evans/create-pull-request@v7 + with: + token: ${{ secrets.TERRAFORM_TOKEN }} + branch: fb_update_csp_per_${{ github.sha }} + title: "update CSP to match commit ${{ github.sha }}" + body: "update CSP to match commit ${{ github.sha }}" + commit-message: "update CSP to match commit ${{ github.sha }}" + add-paths: | + ${{ env.ap_file }} + cookbooks/lk_appserver/metadata.rb + Berksfile.lock + + - name: Check outputs + if: ${{ steps.cpr.outputs.pull-request-number }} + run: | + echo "Chef Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" >> $GITHUB_STEP_SUMMARY + + paste_enforce_csp_into_dockerfile_repo: + needs: copy_csp + runs-on: ubuntu-latest + env: + csp_enforce_on: ${{ needs.copy_csp.outputs.csp_enforce_on }} + ap_file: "application.properties" + steps: + - name: Check out repo + uses: actions/checkout@v4 + with: + repository: Labkey/Dockerfile + token: ${{ secrets.TERRAFORM_TOKEN }} + - name: Paste Into Dockerfile Repo + run: | + printf "\n\n>>>> $ap_file before I change it: <<<<\n\n" + cat $ap_file + + printf "\n\n>>>> caught csp_enforce_on env var:<<<<\n$csp_enforce_on\n\n" + + printf "\n\n>>>> replacing csp block in $ap_file <<<<\n\n" + + python <>>> updated $ap_file: <<<<\n\n" + cat $ap_file + + - name: Create Pull Request + id: cpr + uses: peter-evans/create-pull-request@v7 + with: + token: ${{ secrets.TERRAFORM_TOKEN }} + branch: fb_update_csp_per_${{ github.sha }} + title: "update CSP to match commit ${{ github.sha }}" + body: "update CSP to match commit ${{ github.sha }}" + commit-message: "update CSP to match commit ${{ github.sha }}" + add-paths: ${{ env.ap_file }} + + - name: Check outputs + if: ${{ steps.cpr.outputs.pull-request-number }} + run: | + echo "Dockerfile Pull Request URL - ${{ 
steps.cpr.outputs.pull-request-url }}" >> $GITHUB_STEP_SUMMARY
diff --git a/server/configs/application.properties b/server/configs/application.properties
index 6d2dc1e758..440252a61e 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
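Review bot: The branch name, title and commit message in both Create Pull Request steps use `${{ github.sha }}`, which on a `pull_request` event is the commit of the synthetic merge ref rather than the commit that landed on the base branch, and the first checkout's `ref: ${{ github.event.pull_request.head.ref }}` may no longer resolve once the merged branch is deleted (and for a fork PR that branch name never existed in this repository); `${{ github.event.pull_request.merge_commit_sha }}` is the value that stays valid in both places. No `permissions:` block is declared, so the workflow's GITHUB_TOKEN gets the repository default although every cross-repo write goes through `TERRAFORM_TOKEN`; add `permissions:` / `  contents: read` at the top, and since that PAT is handed to `peter-evans/create-pull-request@v7`, pinning the action to a full commit SHA is the usual safeguard. In the two Paste steps the CSP text is expanded inside printf's format string (`printf "\n\n>>>> caught csp_report_on env var: <<<<\n$csp_report_on n\n"`, which also has a stray ` n`), so a `%` anywhere in a directive value would be parsed as a conversion specifier; print it as data instead, `printf '%s\n' "$csp_report_on"`, and likewise for `csp_enforce_off` and `csp_enforce_on`. The bodies of the `python <<…` heredocs that perform the replacement are not visible in this rendering, so how the block text reaches the script could not be reviewed.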
@@ -125,34 +125,33 @@ management.server.port=@@shutdownPort@@ #jsonaccesslog.condition-if=attributeName #jsonaccesslog.condition-unless=attributeName -## Define one or both of 'csp.report' and 'csp.enforce' to enable Content Security Policy (CSP) headers -## Do not use these examples for any production environment without understanding the meaning of each directive! - -## Default enforce CSP for dev deployments +## START OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT) #useLocalBuild#csp.enforce=\ -#useLocalBuild# default-src 'self' https: http: ;\ -#useLocalBuild# connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\ +#useLocalBuild# default-src 'self' https: ;\ +#useLocalBuild# connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ;\ #useLocalBuild# object-src 'none' ;\ #useLocalBuild# style-src 'self' https: 'unsafe-inline' ;\ #useLocalBuild# img-src 'self' https: data: ;\ -#useLocalBuild# font-src 'self' http: https: data: ;\ -#useLocalBuild# script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\ +#useLocalBuild# font-src 'self' data: ;\ +#useLocalBuild# script-src 'self' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\ #useLocalBuild# base-uri 'self' ;\ #useLocalBuild# frame-ancestors 'self' ;\ #useLocalBuild# report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ; +## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT) -## Default report CSP for TeamCity and dev deployments +## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT) csp.report=\ - default-src 'self' https: http: ;\ - connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\ + default-src 'self' ;\ + connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ;\ object-src 'none' ;\ - style-src 'self' https: 'unsafe-inline' ;\ - img-src 'self' https: data: ;\ - font-src 'self' http: https: data: ;\ + style-src 'self' 'unsafe-inline' ;\ + img-src 'self' data: ;\ + font-src 'self' data: ;\ script-src 'unsafe-eval' 'strict-dynamic' 
'nonce-${REQUEST.SCRIPT.NONCE}' ;\ base-uri 'self' ;\ frame-ancestors 'self' ;\ report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ; +## END OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT) ## Use a custom logging configuration #logging.config=path/to/alternative/log4j2.xml
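Review bot: The enforce and report blocks now diverge — enforce keeps `default-src 'self' https:`, `style-src 'self' https: 'unsafe-inline'`, `img-src 'self' https: data:` and gains `'self'` in script-src, while the report block drops `https:` from all of those and leaves `script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}'` — and the two header comments that explained what each block was for were removed, so a reader can no longer tell whether the stricter report-only policy is deliberate or drift. Since copy_csp_blocks.yml now pushes these blocks verbatim into the chef and Dockerfile repositories, suggest restoring a one-line explanation above each `## START OF CSP … BLOCK` marker (outside the copied span), e.g. `## Report-only policy; intentionally stricter than csp.enforce so violations show what enforce could be tightened to` — adjust to the actual intent. Both blocks still carry `'unsafe-eval'`; if it is required by the application, a short note saying so next to the marker would save the next reviewer from re-raising it.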