Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: enable CSP in all environments (local/preview/prod) #1334

Merged
merged 3 commits into from
Oct 5, 2023
Merged

feat: enable CSP in all environments (local/preview/prod) #1334

merged 3 commits into from
Oct 5, 2023

Conversation

matthieujacq
Copy link
Contributor

@matthieujacq matthieujacq commented Oct 5, 2023
edited
Loading

Description

Enable CSP in all environments (local/preview/prod).

Relies on NEXT_PUBLIC_ENV env variable, which should be 'local'|'preview'|'prod'

Comparison of old and new CSP values (tested locally)

Before

CSP (for prod only)

default-src 'self' https://fonts.googleapis.com https://xxx.supabase.co https://api.june.so https://www.quivr.app/; connect-src 'self' https://xxx.supabase.co http://localhost:5050 https://api.june.so https://api.openai.com https://cdn.growthbook.io https://vitals.vercel-insights.com/v1/vitals; img-src 'self' https://www.gravatar.com data:; media-src 'self' https://user-images.githubusercontent.com https://www.quivr.app/ https://quivr-cms.s3.eu-west-3.amazonaws.com; script-src 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com/ https://www.quivr.app/ https://www.google-analytics.com/; frame-ancestors 'none'; style-src 'unsafe-inline' https://www.quivr.app/;

After

Prod CSP (iso with before)

default-src 'self' https://fonts.googleapis.com https://xxx.supabase.co https://api.june.so https://www.quivr.app/; connect-src 'self' https://xxx.supabase.co http://localhost:5050 https://api.june.so https://api.openai.com https://cdn.growthbook.io https://vitals.vercel-insights.com/v1/vitals; img-src 'self' https://www.gravatar.com data:; media-src 'self' https://user-images.githubusercontent.com https://www.quivr.app/ https://quivr-cms.s3.eu-west-3.amazonaws.com; script-src 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com/ https://www.quivr.app/ https://www.google-analytics.com/; frame-ancestors 'none'; style-src 'unsafe-inline' https://www.quivr.app/;

Preview CSP

default-src 'self' https://fonts.googleapis.com https://xxx.supabase.co https://api.june.so https://preview.quivr.app/; connect-src 'self' https://xxx.supabase.co http://localhost:5050 https://api.june.so https://api.openai.com https://cdn.growthbook.io https://vitals.vercel-insights.com/v1/vitals; img-src 'self' https://www.gravatar.com data:; media-src 'self' https://user-images.githubusercontent.com https://www.quivr.app/ https://quivr-cms.s3.eu-west-3.amazonaws.com; script-src 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com/ https://preview.quivr.app/ https://www.google-analytics.com/; frame-ancestors 'none'; style-src 'unsafe-inline' https://preview.quivr.app/;

Local CSP

default-src 'self' https://fonts.googleapis.com https://xxx.supabase.co https://api.june.so http://localhost:3000 http://localhost:3001; connect-src 'self' https://xxx.supabase.co http://localhost:5050 https://api.june.so https://api.openai.com https://cdn.growthbook.io https://vitals.vercel-insights.com/v1/vitals; img-src 'self' https://www.gravatar.com data:; media-src 'self' https://user-images.githubusercontent.com https://www.quivr.app/ https://quivr-cms.s3.eu-west-3.amazonaws.com; script-src 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com/ http://localhost:3000 http://localhost:3001 https://www.google-analytics.com/; frame-ancestors 'none'; style-src 'unsafe-inline' http://localhost:3000 http://localhost:3001;

🧪 External checks

Syntax checked with https://csp-evaluator.withgoogle.com/ (for the 3 environments).

@dosubot dosubot bot added the area: frontend Related to frontend functionality or under the /frontend directory label Oct 5, 2023
@matthieujacq matthieujacq temporarily deployed to preview October 5, 2023 09:14 — with GitHub Actions Inactive
@vercel
Copy link

vercel bot commented Oct 5, 2023
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
docs ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 5, 2023 0:42am
quivr-strapi ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 5, 2023 0:42am
quivrapp ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 5, 2023 0:42am

@matthieujacq matthieujacq temporarily deployed to preview October 5, 2023 09:15 — with GitHub Actions Inactive
@github-actions
Copy link
Contributor

github-actions bot commented Oct 5, 2023
edited
Loading

Risk Level 3 - /home/runner/work/quivr/quivr/frontend/next.config.js

  1. The use of 'unsafe-inline' and 'unsafe-eval' in the script-src and style-src directives of the Content Security Policy (CSP) can expose the application to Cross-Site Scripting (XSS) attacks. Consider removing these if possible and use nonce or hash values for inline scripts and styles. For example:
\"script-src\": [
  \"'nonce-2726c7f26c'\",
  \"https://va.vercel-scripts.com/\",
  //...
],
\"style-src\": [
  \"'nonce-2726c7f26c'\",
  //...
],

  1. The CSP is being built dynamically based on the environment. This could potentially lead to misconfigurations if not handled properly. Ensure that the environment-specific CSP values are correctly defined and do not introduce any security risks.

  2. The SENTRY_DSN environment variable is being checked but there is no error handling if it is not defined. Consider adding error handling or a default value to prevent potential issues.

🔒📄🚫

Powered by Code Review GPT

@matthieujacq matthieujacq temporarily deployed to preview October 5, 2023 12:18 — with GitHub Actions Inactive
@matthieujacq matthieujacq temporarily deployed to preview October 5, 2023 12:38 — with GitHub Actions Inactive
@matthieujacq matthieujacq marked this pull request as ready for review October 5, 2023 12:39
@matthieujacq matthieujacq merged commit d0e363e into main Oct 5, 2023
8 checks passed
@StanGirard StanGirard mentioned this pull request Oct 5, 2023
Merged
masao-classcat pushed a commit to masao-classcat/quivr that referenced this pull request Oct 7, 2023
@classcat-air
Revert "feat: enable CSP in all environments (local/preview/prod) (Qu…
b17030e 
…ivrHQ#1334)"

This reverts commit d0e363e.
gozineb pushed a commit that referenced this pull request Oct 9, 2023
@StanGirard
chore(main): release 0.0.89 (#1339)
bbf5e12 
🤖 I have created a release *beep* *boop*
---


## 0.0.89 (2023-10-09)

## What's Changed
* feat: enable CSP in all environments (local/preview/prod) by
@matthieujacq in #1334
* feat: enhance user page UI by @nguernse in
#1319
* feat: update onboarding steps by @mamadoudicko in
#1337
* feat: add onboarding_a column to onboarding table by @mamadoudicko in
#1340
* fix(question): fixed with user_settings by @StanGirard in
#1349
* FIX tables.sql - missing ; breaks SQL queries. by @stanrb in
#1348
* feat: ⚙️🐞 configure debugger for the backend by @matthieujacq in
#1345
* test: add chat e2e tests by @mamadoudicko in
#1344
* feat: configure CSP for self-hosting and multiple ports in dev mode by
@matthieujacq in #1364

## New Contributors
* @stanrb made their first contribution in
#1348

**Full Changelog**:
v0.0.88...v0.0.89

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).
coolCatalyst added a commit to coolCatalyst/quivr that referenced this pull request Jun 1, 2024
@coolCatalyst
chore(main): release 0.0.89 (#1339)
7fd935d 
🤖 I have created a release *beep* *boop*
---


## 0.0.89 (2023-10-09)

## What's Changed
* feat: enable CSP in all environments (local/preview/prod) by
@matthieujacq in QuivrHQ/quivr#1334
* feat: enhance user page UI by @nguernse in
QuivrHQ/quivr#1319
* feat: update onboarding steps by @mamadoudicko in
QuivrHQ/quivr#1337
* feat: add onboarding_a column to onboarding table by @mamadoudicko in
QuivrHQ/quivr#1340
* fix(question): fixed with user_settings by @StanGirard in
QuivrHQ/quivr#1349
* FIX tables.sql - missing ; breaks SQL queries. by @stanrb in
QuivrHQ/quivr#1348
* feat: ⚙️🐞 configure debugger for the backend by @matthieujacq in
QuivrHQ/quivr#1345
* test: add chat e2e tests by @mamadoudicko in
QuivrHQ/quivr#1344
* feat: configure CSP for self-hosting and multiple ports in dev mode by
@matthieujacq in QuivrHQ/quivr#1364

## New Contributors
* @stanrb made their first contribution in
QuivrHQ/quivr#1348

**Full Changelog**:
QuivrHQ/quivr@v0.0.88...v0.0.89

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gozineb gozineb gozineb approved these changes

Assignees

@matthieujacq matthieujacq

@gozineb gozineb

Labels
area: frontend Related to frontend functionality or under the /frontend directory
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@matthieujacq @gozineb