
Nextcloud beta to RC web-updater CSP issue #12601

Closed
xf- opened this issue Nov 22, 2018 · 10 comments

Comments

xf- commented Nov 22, 2018

Steps to reproduce

  1. Go to admin area and click "Open Updater"
  2. Loads the Updater and replaces the current content of the page, but with the initial CSP still in place.
    default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-BLUBB';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src https://office.catchit.xyz
  3. Error in console about eval
    Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).

Expected behaviour

No CSP issue

Actual behaviour

Without execution of loaded JS the "Start update" button does nothing.

Server configuration

Web server: Nginx

PHP version: 7.3

Nextcloud version: (see Nextcloud admin page) 15.0.0 beta 2

Edit: Maybe a duplicate of #12497 - searched for CSP and eval and found nothing.

MichaIng (Member) commented

Same here with Apache + PHP7.2.

xf- (Author) commented Nov 22, 2018

@MichaIng Yes, after writing the issue the GitHub search included a link to that issue (because your comment was related). I searched and also looked into the milestone (it is a blocker for me) and found nothing. The problem is that no new page is loaded (take a look at the URL): it is the old URL, and a <script> tag with inline script is eval code in CSP. (The server is unrelated as long as the CSP header is added.)

Ugly temp solutions:

  • Remove the header via webserver
  • Allow via Browser Addon or Browser argument CSP
  • Modify the source and add eval to the CSP (will be removed in the update process).

Clean Solution:

  • Update via CLI
  • Open https://nextcloud.path/updater/, use the command to generate a secret and add it to your config (or update the existing one). Now you can use the key to unlock the updater and it will work (new URL without the CSP header).

MichaIng (Member) commented Nov 22, 2018

@xf-
Jep, makes sense.

Will stay on Beta 2 for now, to test the fix on the code basis 😉.

nextcloud-bot (Member) commented

GitMate.io thinks possibly related issues are #8330 (Nextcloud Documentation Issue), #10427 (Nextcloud 14.0.0 Beta 1 web update error), #11202 (Nextcloud 14 Upgrade issue. ), #10677 (Nextcloud 14.0.0 beta 3 updater "ocm-provider" extra file), and #12497 (Update with updater from Nextcloud 15 Beta 1 to Beta 2 not possible).

xf- (Author) commented Nov 22, 2018

@MichaIng I added a second clean way.
@nextcloud I never got beta 1; the updater always said it was up to date. It never worked with the new Vue router stuff.

rullzer (Member) commented Nov 22, 2018

Ai. Yes, we might need to loosen the CSP for the updater page.

xf- (Author) commented Nov 22, 2018

The updater itself has no CSP. Because you stay on admin/overview, the CSP of admin/overview breaks the updater. Maybe opening a new tab or reopening the site would fix it and avoid the Vue router with the old CSP.

MorrisJobke (Member) commented

I will look into this tomorrow. Thanks for the feedback. We totally missed this one.

@MorrisJobke MorrisJobke self-assigned this Nov 22, 2018
@MorrisJobke MorrisJobke added this to the Nextcloud 15 milestone Nov 22, 2018
MorrisJobke (Member) commented

This is due to an eval() in the updater notification app:

eval(this.text || this.textContent || this.innerHTML || '');

@rullzer @nickvergessen What to do here? Should we try to add the script elements inline via HTML tags? Or should we whitelist eval on the page once an update is detected?

MorrisJobke (Member) commented

Should we try to add the script elements inline via HTML tags?

I tested and it doesn't work. There is another creepy way: parse the <script> tags, send them to the server as "here, serve this on the next request I will issue" and then insert a "<script src="/apps/updaternoticiations/serveCachedJS.js">" which then serves the previously cached JS. Sounds totally wrong but would be an intermediate workaround. Another option: pass the secret as a GET parameter and, instead of loading the updater inline, query /updater/?secret=ABC; the updater checks for this GET parameter and does the form submit on its own. This is then more self-contained and the better option IMO. Is there any problem with this approach? Anything bad about exposing the secret somehow?

6 participants
@rullzer @MorrisJobke @xf- @nextcloud-bot @MichaIng and others