Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validator: No longer warns about CSP #1506

Closed
erosman opened this issue Sep 3, 2017 · 23 comments
Closed

Validator: No longer warns about CSP #1506

erosman opened this issue Sep 3, 2017 · 23 comments
Assignees
@EnTeQuAk
Milestone
2017.09.14

Comments

@erosman
Copy link
Contributor

erosman commented Sep 3, 2017

Since the latest push, the validator no longer warns about CSP.

Example:
https://addons.mozilla.org/editors/review/850282/
@EnTeQuAk
Copy link
Contributor

EnTeQuAk commented Sep 4, 2017
edited
Loading

As far as I know we explicitly enabled them again since that matches current add-on policies.

See https://github.com/mozilla/addons-linter/blob/master/tests/parsers/test.manifestjson.js#L423-L426

Also… to verify issues faster and give more proper responses it'd be wonderful if you could add a little bit more detail - e.g what rules weren't warned about but you expected them to etc.

Closing as this is expected and not a bug.

@EnTeQuAk EnTeQuAk closed this as completed Sep 4, 2017
@erosman
Copy link
Contributor Author

erosman commented Sep 5, 2017
edited
Loading

The issue should have been apparent by testing the link I gave in my report.

Example addon:
https://addons.mozilla.org/editors/review/850282/

Validator: No mention of CSP
https://addons.mozilla.org/en-US/developers/addon/talking-webb/file/714747/validation

manifest.json
https://addons.mozilla.org/en-US/firefox/files/browse/714747/file/manifest.json#top

Issue
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",

Problem:
Validator No longer warns about existence of CSP and unsafe-eval

I have my own scripts that picks up CSP and unsafe-eval but others may miss it. As the example clearly shows, the validator did not pick up the potential security risk of CSP & unsafe-eval

Closing as this is expected and not a bug.

I didn't understand. Is it expected to miss unsafe-eval in CSP in validator?

@EnTeQuAk
Copy link
Contributor

EnTeQuAk commented Sep 5, 2017

Is it expected to miss unsafe-eval in CSP in validator?

As far as I know it's more that there are valid cases where it might make sense. Summoning @wagnerand

@wagnerand
Copy link
Member

wagnerand commented Sep 5, 2017
edited
Loading

I just re-read the pull request discussions. The reason, I asked for this (in #1434 (review)) was that unsafe-eval is not strictly forbidden.

That said, @erosman is probably right in that we might want to add a warning for unsafe-eval (note that we can ignore unsafe-inline, since it's unsupported as I learned in the meantime). But that warning should be about eval and is unrelated to remote script execution, which is what that patch was about (https://github.com/mozilla/addons-linter/pull/1434/files#diff-abf32190003257adb7218839b0bce1ffR52).

@wagnerand wagnerand reopened this Sep 5, 2017
@kewisch
Copy link

kewisch commented Sep 5, 2017

Can you share more details on why unsafe-inline is unimportant? AIUI, if there is code that manages to inject DOM elements from a remote source, this could also be a script tag, which unsafe-inline will prevent. Sure, this may not be as common, but as the workaround is just making that script a separate file I don't see why we should relax this rule.

@wagnerand
Copy link
Member

https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/content_security_policy says that unsafe-inline is entirely unsupported.

@EnTeQuAk
Copy link
Contributor

EnTeQuAk commented Sep 6, 2017

@wagnerand we don't have any way of saying that unsafe-inline is unsupported, so maybe flagging it might be worth doing too now that we aim to flag unsafe-eval too? Especially once it get's supported?

@wagnerand
Copy link
Member

@EnTeQuAk I am inclined to say we just ignore unsafe-inline.

Also, let me find out whether we plan on supporting it at some point.

@wagnerand
Copy link
Member

According to @kmaglione, we don't plan on supporting it.

EnTeQuAk added a commit that referenced this issue Sep 6, 2017
@EnTeQuAk
Add CSP warning for unsafe-eval.
3b3ce7a 
Fixes #1506
@ghost ghost assigned EnTeQuAk Sep 6, 2017
@ghost ghost added state:in_progress and removed triaged labels Sep 6, 2017
@EnTeQuAk EnTeQuAk mentioned this issue Sep 6, 2017
Merged
EnTeQuAk added a commit that referenced this issue Sep 6, 2017
@EnTeQuAk
First version of detecting minified code.
7113da2 
Refs #1506
@erosman
Copy link
Contributor Author

erosman commented Sep 7, 2017

Another example

https://addons.mozilla.org/editors/review/851577/
https://addons.mozilla.org/en-US/firefox/files/browse/717300/file/manifest.json#top
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

EnTeQuAk added a commit that referenced this issue Sep 8, 2017
@EnTeQuAk
Add CSP warning for unsafe-eval. (#1524)
e223b1a 
* Add CSP warning for unsafe-eval.

Fixes #1506

* Add more detailed error message for unsafe-eval

* Add missing rules.md entry
@ghost ghost removed the state:pull_request_ready label Sep 8, 2017
@ValentinaPC
Copy link

ValentinaPC commented Sep 8, 2017
edited
Loading

Verified this on AMO-dev FF55(Win 7).
@EnTeQuAk : If I understood correctly well we should show a warning for unsafe-eval as in the example provided above, but we don't. I misunderstood?
Attaching used webextension.
eval in CSP.zip

@erosman
Copy link
Contributor Author

erosman commented Sep 8, 2017
edited
Loading

If I understood well we should show a warning for unsefe-eval as in the example provided above, but we don't. I misunderstood?

There used to be a warning about CSP, regardless of its content.
For example here:
https://addons.mozilla.org/en-US/developers/addon/preview-app-v2/file/704122/validation

Of course, that warning was not always needed since CSP in itself is not a problem.

From what I understand, the validator was updated to only show a warning when CSP exists AND it contains unsefe-eval, URL, etc.

The updated validator now misses the CSP altogether as shown in the examples.

@ValentinaPC
Copy link

ValentinaPC commented Sep 8, 2017
edited
Loading

From what I understand, the validator was updated to only show a warning when CSP exists AND it contains unsefe-eval, URL, etc.

The updated validator now misses the CSP altogether as shown in the examples.

Just to be sure....

CSP - no unsave eval => warning
csp_-_no_eval

CSP - with unsave eval => no warning
csp-eval

Are ok?

@wagnerand wagnerand reopened this Sep 8, 2017
@wagnerand
Copy link
Member

wagnerand commented Sep 8, 2017
edited
Loading

Doesn't seem right to me.

The linter should raise a warning (respectively) for

  1. Using a CSP that allows remote scripts, for example: script-src https:;
  2. Using a CSP that allows eval, for example: script-src 'self' 'unsafe-eval';

So, the CSP script-src https: 'unsafe-eval'; should raise two warnings.

@wagnerand
Copy link
Member

Also, this works for me locally using the file from #1506 (comment).

 ./bin/addons-linter ~/Downloads/eval.in.CSP.zip
Validation Summary:

errors          0
notices         0
warnings        1

WARNINGS:

Code                       Message                                            Description                                                                                       File            Line   Column
MANIFEST_CSP_UNSAFE_EVAL   Using 'eval' has strong security and performance   In most cases the same result can be achieved differently, therefore it is generally prohibited   manifest.json
                           implications.

@ValentinaPC Did you test on -dev? This isn't on -dev yet.

@EnTeQuAk
Copy link
Contributor

EnTeQuAk commented Sep 8, 2017

I'll update the issue once this is on dev, I'll probably release a new version Monday morning.

@ValentinaPC
Copy link

@EnTeQuAk : not yet on -dev? Thanks!

@EnTeQuAk
Copy link
Contributor

Ah, I forgot this issue. It is now, got a release yesterday. It's on -dev and -stage.

@EnTeQuAk EnTeQuAk added this to the 2017.09.14 milestone Sep 13, 2017
@ValentinaPC
Copy link

ValentinaPC commented Sep 13, 2017
edited
Loading

I see no warning at validation and a warning in the report page. Is this ok?
1
report

Used the same extension as before.

@wagnerand
Copy link
Member

Yeah, I can confirm that. @EnTeQuAk do you have time to look into this?

@ValentinaPC
Copy link

Also, when I use both options in the form:
"content_security_policy": "script-src 'self' 'unsafe-eval' https://example.com; object-src 'self'"
I receive 1 warning at validation and 2 warnings in the report page.
If I reverse the order and use the form:
"content_security_policy": "script-src 'self' https://example.com; 'unsafe-eval' object-src 'self'"
I receive 1 warning validation and 1 warning in the report page

@EnTeQuAk
Copy link
Contributor

EnTeQuAk commented Sep 13, 2017 via email

@EnTeQuAk
Copy link
Contributor

@ValentinaPC @wagnerand yeah, I can confirm that and it looks similar (or even a duplicate) to #1547

I'll use #1547 to track this and work on it there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@EnTeQuAk EnTeQuAk

Labels
None yet
Projects
None yet
Milestone
2017.09.14
Development

No branches or pull requests
5 participants
@EnTeQuAk @kewisch @wagnerand @erosman @ValentinaPC