Add integrity hash on swagger-ui inline scripts #2667

Closed

tafaust opened this issue Oct 20, 2023 · 5 comments
tafaust commented Oct 20, 2023

Is there an existing issue that is already proposing this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe it

I enabled CSP in my apps and I have issues with the redirect from /oauth2-redirect.html within my OIDC flow in swagger-ui for my non-prod workflows. My current workaround looks like this:

  import helmet, { HelmetOptions } from 'helmet';

  // `app` is the Nest application and `config` its ConfigService; both come from the
  // surrounding bootstrap code and are not shown here.
  let helmetOptions: Readonly<HelmetOptions> = {
    contentSecurityPolicy: {
      directives: {
        ...helmet.contentSecurityPolicy.getDefaultDirectives(),
        'default-src': ["'self'", 'token issuer url'],
        'script-src': ["'self'"],
        'connect-src': ["'self'", 'token issuer url'],
      },
    },
  };
  if (config.getOrThrow<string>('NODE_ENV') !== 'production') {
    // Non-production only: 'unsafe-inline' is what lets swagger-ui's inline scripts run,
    // and 'unsafe-none' lets the oauth2-redirect popup reach window.opener.
    helmetOptions = {
      contentSecurityPolicy: {
        directives: {
          ...helmet.contentSecurityPolicy.getDefaultDirectives(),
          'default-src': ["'self'", 'token issuer url'],
          'script-src': ["'self'", "'unsafe-inline'"],
          'connect-src': ["'self'", 'token issuer url'],
        },
      },
      crossOriginOpenerPolicy: {
        policy: 'unsafe-none',
      },
    };
  }

  app.use(helmet(helmetOptions));

Describe the solution you'd like

I'd like to have the integrity attribute on the script tags as described in https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity.

<script src="<% baseUrl %>swagger-ui-bundle.js"> </script>
<script src="<% baseUrl %>swagger-ui-standalone-preset.js"> </script>
<script src="<% baseUrl %>swagger-ui-init.js"> </script>

Teachability, documentation, adoption, migration strategy

Users can use it as follows in their code when using CSP:

  import helmet, { HelmetOptions } from 'helmet';

  // The hash source replaces 'unsafe-inline', so the same policy can be used in every environment.
  let helmetOptions: Readonly<HelmetOptions> = {
    contentSecurityPolicy: {
      directives: {
        ...helmet.contentSecurityPolicy.getDefaultDirectives(),
        'default-src': ["'self'", 'token issuer url'],
        'script-src': ["'self'", "'shaXXX-XXXXXXXXXXXXXX...'"],
        'connect-src': ["'self'", 'token issuer url'],
      },
    },
    crossOriginOpenerPolicy: {
      policy: 'unsafe-none',
    },
  };
  app.use(helmet(helmetOptions));

where shaXXX-XXXXXXXXXXXXXX... resembles the integrity hash from the oauth2-redirect.html.

What is the motivation / use case for changing the behavior?

As mentioned above, I want to use CSP headers and the swagger-ui is giving me a hard time with the inline scripts without the integrity hash that could be whitelisted in CSP.

kamilmysliwiec (Member) commented:

Would you like to create a PR for this issue?

tafaust commented Oct 26, 2023

@kamilmysliwiec Yeah, do you want me to hardcode (= kind of a burden when the https://github.com/nestjs/swagger/blob/master/package.json#L31 dependency is upgraded) or dynamically compute the integrity (adds a new dependency https://github.com/zkat/ssri#from-data)?

kamilmysliwiec (Member) commented:

I'd rather steer clear of adding more external dependencies to this package

tafaust commented Oct 29, 2023

@kamilmysliwiec May I have some preliminary feedback on #2680 before writing tests?

I am particularly interested in your thoughts on commit b29efb0, which breaks one of the E2E tests.

I also did not find the swagger-ui-init.js to compute the checksum (checked this repo and https://github.com/swagger-api/swagger-ui/tree/master/dist).

kamilmysliwiec (Member) commented:

Let's track this here #2680
