
refactor: ♻️ ContentSecurityPolicy as an object #1312

Merged
merged 3 commits into from
Oct 3, 2023

Conversation

matthieujacq (Contributor) commented Oct 3, 2023

Description

Improve developer experience with CSP by turning the CSP into an object instead of a large string.

Developed in TDD with the following test:

import { describe, expect, it } from "vitest";

// Stand-in values for the build-time variables the policy interpolates.
process.env.NEXT_PUBLIC_SUPABASE_URL = "XXX";
process.env.NEXT_PUBLIC_BACKEND_URL = "YYY";

// Previous form: one multi-line template string with the newlines stripped.
const OldContentSecurityPolicy =
  `default-src 'self' https://fonts.googleapis.com ${process.env.NEXT_PUBLIC_SUPABASE_URL} https://api.june.so https://www.quivr.app/;
 connect-src 'self' ${process.env.NEXT_PUBLIC_SUPABASE_URL} ${process.env.NEXT_PUBLIC_BACKEND_URL} https://api.june.so https://api.openai.com https://cdn.growthbook.io https://vitals.vercel-insights.com/v1/vitals;
 img-src 'self' https://www.gravatar.com data:;
 media-src 'self' https://user-images.githubusercontent.com https://www.quivr.app/ https://quivr-cms.s3.eu-west-3.amazonaws.com;
 script-src 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com/ https://www.quivr.app/ https://www.google-analytics.com/;
 frame-ancestors 'none';
 style-src 'unsafe-inline' https://www.quivr.app/;`.replace(/\n/g, "");

// New form: one array of sources per directive.
const ContentSecurityPolicy = {
  "default-src": [
    "'self'",
    "https://fonts.googleapis.com",
    process.env.NEXT_PUBLIC_SUPABASE_URL,
    "https://api.june.so",
    "https://www.quivr.app/",
  ],
  "connect-src": [
    "'self'",
    process.env.NEXT_PUBLIC_SUPABASE_URL,
    process.env.NEXT_PUBLIC_BACKEND_URL,
    "https://api.june.so",
    "https://api.openai.com",
    "https://cdn.growthbook.io",
    "https://vitals.vercel-insights.com/v1/vitals",
  ],
  "img-src": ["'self'", "https://www.gravatar.com", "data:"],
  "media-src": [
    "'self'",
    "https://user-images.githubusercontent.com",
    "https://www.quivr.app/",
    "https://quivr-cms.s3.eu-west-3.amazonaws.com",
  ],
  "script-src": [
    "'unsafe-inline'",
    "'unsafe-eval'",
    "https://va.vercel-scripts.com/",
    "https://www.quivr.app/",
    "https://www.google-analytics.com/",
  ],
  "frame-ancestors": ["'none'"],
  "style-src": ["'unsafe-inline'", "https://www.quivr.app/"],
};

// Serialise as "<directive> <sources>;" per entry, joined by a single space,
// which reproduces the old string byte for byte.
const cspString = Object.entries(ContentSecurityPolicy)
  .map(([key, values]) => `${key} ${values.join(" ")};`)
  .join(" ");

describe("Test Csp", () => {
  // The assertion must live inside an it() block; an expect() directly in
  // describe() runs at collection time and is not reported as a test.
  it("serialises the object form to the same header value as the old string", () => {
    expect(cspString).toEqual(OldContentSecurityPolicy);
  });
});

External checks

Syntax validity checked with: https://csp-evaluator.withgoogle.com/
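The serialiser in the PR turns the object back into a string, but it passes anything through: an `undefined` environment variable becomes the literal host source `undefined`, and a misspelled directive name is accepted and then ignored by the browser. The following is an added example, not code from the quivr project or from this PR, of a builder that rejects those cases. The directive list, the placeholder host `https://supabase.example` and the sample policy are constructed for the example.

```javascript
// Added example, not code from the quivr project: serialise a CSP directive
// object into a header value and reject the mistakes the template-string
// form lets through. Hostnames are constructed placeholders.

// Directive names defined by CSP Level 3 plus the still-shipped legacy ones.
const KNOWN_DIRECTIVES = new Set([
  "default-src", "script-src", "script-src-elem", "script-src-attr",
  "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
  "connect-src", "media-src", "object-src", "frame-src", "child-src",
  "worker-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
  "sandbox", "report-uri", "report-to", "upgrade-insecure-requests",
  "require-trusted-types-for", "trusted-types",
]);

// Directives that carry no source list.
const FLAG_DIRECTIVES = new Set(["upgrade-insecure-requests"]);

// Returns the header value, or throws on a policy that would silently
// misbehave in the browser.
function buildCsp(policy) {
  const parts = [];
  for (const [directive, sources] of Object.entries(policy)) {
    // A misspelled directive such as "scripts-src" is ignored by browsers,
    // so scripts end up governed by default-src instead of failing loudly.
    if (!KNOWN_DIRECTIVES.has(directive)) {
      throw new Error(`unknown CSP directive: ${directive}`);
    }
    const kept = [];
    for (const src of sources) {
      // process.env.X is undefined when the variable is missing at build
      // time. Interpolated, it becomes the host source "undefined", which
      // matches nothing: the real origin is then blocked at runtime.
      if (src === undefined || src === null) {
        throw new Error(`undefined source in ${directive}`);
      }
      const value = String(src).trim();
      // Whitespace or ';' inside a source would split it into extra
      // sources or an extra directive.
      if (value === "" || /[;\s]/.test(value)) {
        throw new Error(`malformed source ${JSON.stringify(src)} in ${directive}`);
      }
      kept.push(value);
    }
    if (FLAG_DIRECTIVES.has(directive)) {
      parts.push(directive);
    } else if (kept.length === 0) {
      // An empty source list is not "block everything"; that is 'none'.
      throw new Error(`${directive} has no sources; use 'none' to block`);
    } else {
      parts.push(`${directive} ${kept.join(" ")}`);
    }
  }
  return parts.join("; ");
}

// Constructed sample in the shape of the PR's object form. SUPABASE_URL
// stands in for process.env.NEXT_PUBLIC_SUPABASE_URL.
const SUPABASE_URL = "https://supabase.example";
const SAMPLE_POLICY = {
  "default-src": ["'self'", SUPABASE_URL],
  "connect-src": ["'self'", SUPABASE_URL, "https://api.openai.com"],
  "img-src": ["'self'", "data:"],
  "frame-ancestors": ["'none'"],
  "upgrade-insecure-requests": [],
};

function sampleHeader() {
  return buildCsp(SAMPLE_POLICY);
}
```

`buildCsp` joins directives with `"; "` and omits the trailing semicolon, whereas the PR's serialiser emits `key values;` joined by a space; browsers accept both forms. The difference that matters is that a missing `NEXT_PUBLIC_*` variable or a typo in a directive name now fails the build instead of shipping a policy that blocks the real backend or leaves scripts unrestricted.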

@matthieujacq matthieujacq self-assigned this Oct 3, 2023
@matthieujacq matthieujacq temporarily deployed to preview October 3, 2023 13:49 — with GitHub Actions Inactive
@dosubot dosubot bot added the area: frontend Related to frontend functionality or under the /frontend directory label Oct 3, 2023
vercel bot commented Oct 3, 2023

The latest updates on your projects:

Name          Status    Updated (UTC)
docs          ✅ Ready  Oct 3, 2023 2:17pm
quivr-strapi  ✅ Ready  Oct 3, 2023 2:17pm
quivrapp      ✅ Ready  Oct 3, 2023 2:17pm

github-actions bot (Contributor) commented Oct 3, 2023

Risk Level 2 - /home/runner/work/quivr/quivr/frontend/next.config.js

The code changes seem to be mostly about adding a Content Security Policy (CSP) and updating the security headers. This is generally a good practice for improving the security of the application. However, there are a few points to consider:

  1. Use of 'unsafe-inline' and 'unsafe-eval' in script-src: This can expose the application to cross-site scripting (XSS) attacks. If possible, try to avoid using them. If it's necessary, make sure to sanitize any user inputs and outputs.

  2. Exposure of environment variables: The code is using environment variables directly in the CSP. This could potentially expose sensitive information. It would be better to use a configuration file or a secrets manager.

  3. Hardcoding URLs: The URLs are hardcoded in the CSP. This could make the code difficult to maintain, especially if the URLs change frequently. Consider using environment variables or a configuration file for these URLs.

Here's an example of how you could refactor the CSP:

const CSP_URLS = process.env.CSP_URLS ? process.env.CSP_URLS.split(',') : [];

const ContentSecurityPolicy = {
  "default-src": [
    "'self'",
    ...CSP_URLS,
  ],
  // rest of the CSP...
};

This way, you can manage the URLs from the environment variables.

Powered by Code Review GPT
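Of the bot's three points, the first is the one with security weight: with `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, the policy does not stop injected script at all, and the CSP header itself is delivered to every browser, so where its values are configured does not change what is exposed. The following is an added example, not code from the quivr project or from the review bot, that parses a header value, reports the weaknesses a reviewer would look for, and derives the nonce-based `script-src` that replaces `'unsafe-inline'`. `SAMPLE_HEADER` is constructed in the shape of the PR's policy; dropping `'unsafe-eval'` assumes the app does not call `eval()`; the finding codes are this example's own naming.

```javascript
// Added example, not code from the quivr project or the review bot: parse a
// CSP header, audit the points raised in review, and derive a nonce-based
// script-src. SAMPLE_HEADER is constructed in the shape of the PR's policy.

const SAMPLE_HEADER =
  "default-src 'self'; " +
  "script-src 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com/; " +
  "style-src 'unsafe-inline'; frame-ancestors 'none'";

// Parse a serialised policy into { directive: [sources] }. Per the CSP spec,
// when a directive is repeated only the first occurrence is honoured.
function parseCsp(header) {
  const policy = {};
  for (const chunk of header.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Fetch directives (script-src, object-src, ...) fall back to default-src
// when absent; base-uri and frame-ancestors do not.
function effectiveSources(policy, directive) {
  return policy[directive] ?? policy["default-src"] ?? null;
}

// Returns a list of finding codes; an empty list means none of the checked
// weaknesses is present. Accepts a header string or a parsed object.
function auditCsp(input) {
  const policy = typeof input === "string" ? parseCsp(input) : input;
  const findings = [];
  const script = effectiveSources(policy, "script-src");
  if (!script) {
    findings.push("NO_SCRIPT_SRC");
  } else {
    // Browsers ignore 'unsafe-inline' once a nonce or hash is present, so
    // only flag it when nothing supersedes it.
    const superseded = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (script.includes("'unsafe-inline'") && !superseded) findings.push("SCRIPT_UNSAFE_INLINE");
    if (script.includes("'unsafe-eval'")) findings.push("SCRIPT_UNSAFE_EVAL");
    if (script.some((s) => s === "*" || s === "http:" || s === "https:")) findings.push("SCRIPT_WILDCARD");
  }
  // object-src inherits default-src; anything but 'none' allows plugin content.
  const object = effectiveSources(policy, "object-src");
  if (!object || !object.includes("'none'")) findings.push("OBJECT_SRC_NOT_NONE");
  // Without base-uri an injected <base> tag can redirect relative script URLs.
  if (!policy["base-uri"]) findings.push("NO_BASE_URI");
  return findings;
}

// Derive a policy whose inline scripts are authorised by a per-response nonce
// instead of 'unsafe-inline'. The nonce must come from a CSPRNG and be fresh
// for every response (crypto.randomBytes(16).toString("base64") in Node); it
// is a parameter here so the function stays pure. 'unsafe-eval' is dropped on
// the assumption that the app does not need eval(). Host sources are kept as
// a fallback for CSP2 browsers; 'strict-dynamic' makes CSP3 browsers ignore
// them and trust only nonced scripts and what those scripts load.
function withNoncedScripts(policy, nonce) {
  // 22 base64 characters is 128 bits of entropy, the usual minimum.
  if (!/^[A-Za-z0-9+/=_-]{22,}$/.test(nonce)) {
    throw new Error("nonce must be base64 and at least 128 bits");
  }
  const hosts = (policy["script-src"] ?? policy["default-src"] ?? [])
    .filter((s) => s !== "'unsafe-inline'" && s !== "'unsafe-eval'");
  return {
    ...policy,
    "script-src": [`'nonce-${nonce}'`, "'strict-dynamic'", ...hosts],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
  };
}
```

Run against `SAMPLE_HEADER`, `auditCsp` reports the two `'unsafe-*'` keywords plus the inherited `object-src` and missing `base-uri`; after `withNoncedScripts` the same audit returns no findings. Moving a Next.js app to nonces means emitting the nonce in the header per request (middleware rather than the static `headers()` in `next.config.js`) and passing it to every inline `<script>` it renders, which is the real cost the bot's point 1 hides behind "if possible".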

@mamadoudicko mamadoudicko merged commit ed358c7 into main Oct 3, 2023
8 of 10 checks passed
mamadoudicko pushed a commit that referenced this pull request Oct 3, 2023
* ♻️ ContentSecurityPolicy as an object

* CSP: Remove redundant operation