Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[HTTP] Fix CSP config merge behaviour #177728

Merged
merged 5 commits into from
Feb 26, 2024
Merged

[HTTP] Fix CSP config merge behaviour #177728

merged 5 commits into from
Feb 26, 2024

Conversation

jloleysens
Copy link
Contributor

@jloleysens jloleysens commented Feb 23, 2024
edited
Loading

Summary

Bug in CSP config merging behaviour

While testing the new server.cdn.url configuration I noticed that this causes a regression due to how the CSP configs are merged. Right now if server.cdn.url is configured you cannot set csp.* because the CDN's configuration will clobber any values configured there.

@jloleysens jloleysens added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! release_note:skip Skip the PR/issue when compiling release notes Feature:Security/CSP Platform Security - Content Security Policy v8.14.0 labels Feb 23, 2024
@jloleysens jloleysens self-assigned this Feb 23, 2024
@jloleysens jloleysens requested a review from a team as a code owner February 23, 2024 15:00
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-core (Team:Core)

jloleysens
jloleysens commented Feb 23, 2024
View reviewed changes
packages/core/http/core-http-server-internal/src/csp/csp_directives.ts
Comment on lines +73 to +76
const config = otherConfigs.reduce<CspConfigType>(
(acc, conf) => deepmerge(acc, conf),
firstConfig
);
Copy link
Contributor Author

@jloleysens jloleysens Feb 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

array values were clobbering each other instead of merging (which is the normal behaviour of lodash merge).

jloleysens
jloleysens commented Feb 23, 2024
View reviewed changes
packages/core/http/core-http-server-internal/src/csp/csp_directives.test.ts
};
const directives = CspDirectives.fromConfig(config, additionalConfig1, additionalConfig2);
expect(directives.getCspHeader()).toEqual(
`script-src 'report-sample' 'self' cdn.host.test; worker-src 'report-sample' 'self' blob: cdn.host.test; style-src 'report-sample' 'self' 'unsafe-inline' cdn.host.test; connect-src 'self' *.foo.bar cdn.host.test; font-src 'self' cdn.host.test; frame-src 'self' cdn.host.test; img-src 'self' *.foo.bar cdn.host.test`
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested this here

@jloleysens jloleysens changed the title [HTTP] Update default directives and fix CDN config merge behaviour [HTTP] Fix CSP config merge behaviour Feb 23, 2024
@jloleysens
Copy link
Contributor Author

Related #177732

afharo
afharo approved these changes Feb 24, 2024
View reviewed changes
Copy link
Member

@afharo afharo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jloleysens
Copy link
Contributor Author

@elasticmachine merge upstream

@jloleysens jloleysens enabled auto-merge (squash) February 26, 2024 09:02
@kibana-ci
Copy link
Collaborator

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @jloleysens

@jloleysens jloleysens merged commit e7d6d0d into elastic:main Feb 26, 2024
16 checks passed
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Feb 26, 2024
@jloleysens jloleysens deleted the cdn-and-csp branch February 26, 2024 10:23
semd pushed a commit to semd/kibana that referenced this pull request Mar 4, 2024
@jloleysens @semd
[HTTP] Fix CSP config merge behaviour (elastic#177728)
ee80fa4
fkanout pushed a commit to fkanout/kibana that referenced this pull request Mar 4, 2024
@jloleysens @fkanout
[HTTP] Fix CSP config merge behaviour (elastic#177728)
4ef650a
@TinaHeiligers TinaHeiligers mentioned this pull request Mar 20, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@afharo afharo afharo approved these changes

Assignees

@jloleysens jloleysens

Labels
backport:skip This commit does not require backporting Feature:http Feature:Security/CSP Platform Security - Content Security Policy release_note:skip Skip the PR/issue when compiling release notes Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.14.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jloleysens @elasticmachine @kibana-ci @afharo @kibanamachine