From 3d5f28f79097c3c4b58a45fdb7de40cff432acb9 Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Fri, 4 Dec 2020 12:39:19 -0500
Subject: [PATCH] Introduce a strict Content-Security-Policy
---
 Makefile | 2 +-
 awx/settings/defaults.py | 1 +
 awx/ui/context_processors.py | 8 ++++++++
 awx/ui_next/public/index.html | 2 ++
 awx/ui_next/src/index.jsx | 1 +
 awx/ui_next/src/nonce.js | 5 +++++
 installer/roles/kubernetes/templates/configmap.yml.j2 | 2 --
 installer/roles/local_docker/templates/nginx.conf.j2 | 2 --
 tools/docker-compose/nginx.vh.default.conf | 4 ----
 9 files changed, 18 insertions(+), 9 deletions(-)
 create mode 100644 awx/ui/context_processors.py
 create mode 100644 awx/ui_next/src/nonce.js
diff --git a/Makefile b/Makefile
index 6a7d4af5a5..15aba30dea 100644
--- a/Makefile
+++ b/Makefile
@@ -474,7 +474,7 @@ ui-release: ui-devel
 ui-devel: awx/ui_next/node_modules
 $(NPM_BIN) --prefix awx/ui_next run extract-strings
 $(NPM_BIN) --prefix awx/ui_next run compile-strings
- $(NPM_BIN) --prefix awx/ui_next run build
+ INLINE_RUNTIME_CHUNK=false $(NPM_BIN) --prefix awx/ui_next run build
 git checkout awx/ui_next/src/locales
 mkdir -p awx/public/static/css
 mkdir -p awx/public/static/js
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 6204486456..d47277eaed 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -248,6 +248,7 @@ TEMPLATES = [
 'django.template.context_processors.static',
 'django.template.context_processors.tz',
 'django.contrib.messages.context_processors.messages',
+ 'awx.ui.context_processors.csp',
 'social_django.context_processors.backends',
 'social_django.context_processors.login_redirect',
 ],
diff --git a/awx/ui/context_processors.py b/awx/ui/context_processors.py
new file mode 100644
index 0000000000..87c071c285
--- /dev/null
+++ b/awx/ui/context_processors.py
@@ -0,0 +1,8 @@
+import base64
+import os
+
+
+def csp(request):
+ return {
+ 'csp_nonce': base64.encodebytes(os.urandom(32)).decode().rstrip(),
+ }
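Review bot: The reason for `INLINE_RUNTIME_CHUNK=false` on the build line of the ui-devel recipe is not recorded anywhere in the Makefile, so a later cleanup could drop it without noticing the consequence. Presumably it keeps the webpack runtime out of an inline `<script>` in index.html, which a nonce-based Content-Security-Policy would otherwise block; a comment above the recipe line, `# CSP: keep the webpack runtime in its own file rather than an inline <script> (no nonce is applied to inlined chunks)`, would preserve that intent. The ui-devel recipe may continue past the end of the hunk.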
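Review bot: `csp()` draws a fresh random value on every call, and nothing in this patch shows the `Content-Security-Policy` header being built from that same value; the nginx hunks delete the old header-level policy, so wherever the header is now emitted it must carry exactly the nonce rendered into the page, or every nonced script and style is blocked. Generating the value once per request and caching it on the request object gives the header code and the context processor a single source of truth, and `base64.b64encode` produces the same base64 value without the line-wrapping that `encodebytes` does and the trailing `rstrip()` works around. A docstring stating the contract (one nonce per request, base64-encoded, shared with the header) would help the next reader. The removed nginx policy also carried `report-uri /csp-violation/` and the `connect-src ... ws: wss:` and `img-src ... data:` allowances; if those are still wanted they need a home in the new policy, which is presumably defined outside this patch.
```python
def csp(request):
    """Expose a per-request CSP nonce to templates as ``csp_nonce``.

    The value is generated once per request and cached on ``request`` so that
    the code emitting the Content-Security-Policy header can reuse it; the
    header and the page must carry the identical nonce.
    """
    nonce = getattr(request, 'csp_nonce', None)
    if nonce is None:
        # 32 random bytes comfortably exceeds the 128-bit minimum for a CSP nonce.
        nonce = base64.b64encode(os.urandom(32)).decode()
        request.csp_nonce = nonce
    return {'csp_nonce': nonce}
```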
diff --git a/awx/ui_next/public/index.html b/awx/ui_next/public/index.html index 2d7ff373b7..510accb63e 100644 --- a/awx/ui_next/public/index.html +++ b/awx/ui_next/public/index.html @@ -1,6 +1,7 @@ + @@ -8,6 +9,7 @@ name="description" content="AWX" /> + AWX diff --git a/awx/ui_next/src/index.jsx b/awx/ui_next/src/index.jsx index ad616077ef..a5203370ab 100644 --- a/awx/ui_next/src/index.jsx +++ b/awx/ui_next/src/index.jsx @@ -1,5 +1,6 @@ import React from 'react'; import ReactDOM from 'react-dom'; +import './nonce'; import '@patternfly/react-core/dist/styles/base.css'; import App from './App'; import { BrandName } from './variables'; diff --git a/awx/ui_next/src/nonce.js b/awx/ui_next/src/nonce.js new file mode 100644 index 0000000000..81fed45c6d --- /dev/null +++ b/awx/ui_next/src/nonce.js @@ -0,0 +1,5 @@ +/* global __webpack_nonce__ */ // eslint-disable-line no-unused-vars + +// CSP: Set a special variable to add `nonce` attributes to all styles/script tags +// See https://github.com/webpack/webpack/pull/3210 +__webpack_nonce__ = window.NONCE_ID; // eslint-disable-line no-global-assign, camelcase diff --git a/installer/roles/kubernetes/templates/configmap.yml.j2 b/installer/roles/kubernetes/templates/configmap.yml.j2 index b7553811c1..b239b96783 100644 --- a/installer/roles/kubernetes/templates/configmap.yml.j2 +++ b/installer/roles/kubernetes/templates/configmap.yml.j2 
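Review bot: The position of `import './nonce';` in index.jsx is load-bearing but uncommented: it has to be evaluated before `@patternfly/react-core/dist/styles/base.css` and any other module that injects `<style>` or `<script>` tags, because webpack reads `__webpack_nonce__` at the moment it injects a tag. A one-line comment next to it, `// must stay above any CSS/chunk import: sets __webpack_nonce__ for the CSP nonce`, would stop an import sorter or a well-meaning reordering from silently breaking the policy. The page value `window.NONCE_ID` that nonce.js consumes is presumably set in the index.html hunk, which is not legible in this view.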
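Review bot: `window.NONCE_ID` is read unconditionally in nonce.js; if the bundle is served without the template-rendered value (for instance by a standalone dev server rather than through Django), `__webpack_nonce__` becomes `undefined`, injected tags simply carry no nonce, and under a nonce-based policy they fail with nothing pointing at this file. A guard before the assignment, `if (!window.NONCE_ID) console.warn('CSP nonce missing: window.NONCE_ID is unset');`, would make that visible during development without changing the production path.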
@@ -69,8 +69,6 @@ data: # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; - add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; - add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) add_header X-Frame-Options "DENY"; diff --git a/installer/roles/local_docker/templates/nginx.conf.j2 b/installer/roles/local_docker/templates/nginx.conf.j2 index 0c93510bc9..327b59a2fe 100644 --- a/installer/roles/local_docker/templates/nginx.conf.j2 +++ b/installer/roles/local_docker/templates/nginx.conf.j2 @@ -67,8 +67,6 @@ http { # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; - add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; - add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) add_header X-Frame-Options "DENY"; diff --git a/tools/docker-compose/nginx.vh.default.conf b/tools/docker-compose/nginx.vh.default.conf index ff7f604b5e..73a4d1cd8d 100644 --- a/tools/docker-compose/nginx.vh.default.conf 
+++ b/tools/docker-compose/nginx.vh.default.conf @@ -22,8 +22,6 @@ server { # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; - add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; - add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; location /static/ { root /awx_devel; @@ -84,8 +82,6 @@ server { # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; - add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; - add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; location /static/ { root /awx_devel;