From bdbba929d04bc04037987c56b4cd59cfacaf1ba3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20M=C3=BCller?=
<1005065+DeepDiver1975@users.noreply.github.com>
Date: Fri, 26 Apr 2024 09:10:35 +0200
Subject: [PATCH] feat: add CSP and other security related headers in the oCIS
proxy service (#8777)
* feat: add CSP and other security related headers in the oCIS proxy service
* fix: consolidate security related headers - drop middleware.Secure
* fix: use github.com/DeepDiver1975/secure
* fix: acceptance tests
* feat: support env var replacements in csp.yaml
---
.golangci.yml | 1 +
changelog/unreleased/csp.md | 5 +
.../examples/ocis_wopi/config/ocis/csp.yaml | 35 ++
.../examples/ocis_wopi/docker-compose.yml | 2 +
go.mod | 4 +
go.sum | 4 +
ocis-pkg/middleware/header.go | 19 -
ocis-pkg/service/debug/service.go | 1 -
services/graph/pkg/server/http/server.go | 1 -
services/idp/pkg/server/http/server.go | 1 -
.../invitations/pkg/server/http/server.go | 1 -
services/ocs/pkg/server/http/server.go | 1 -
services/proxy/pkg/command/server.go | 6 +
services/proxy/pkg/config/config.go | 3 +-
services/proxy/pkg/config/csp.go | 13 +
services/proxy/pkg/config/csp.yaml | 31 ++
.../pkg/config/defaults/defaultconfig.go | 1 +
services/proxy/pkg/middleware/security.go | 61 +++
services/settings/pkg/server/http/server.go | 1 -
services/sse/pkg/server/http/server.go | 1 -
services/thumbnails/pkg/server/http/server.go | 1 -
services/userlog/pkg/server/http/server.go | 1 -
services/web/pkg/middleware/silentrefresh.go | 1 -
services/web/pkg/server/http/server.go | 1 -
services/webdav/pkg/server/http/server.go | 1 -
services/webfinger/pkg/server/http/server.go | 1 -
.../downloadFile.feature | 4 +-
.../apiWebdavOperations/downloadFile.feature | 2 +-
vendor/github.com/a8m/envsubst/.travis.yml | 7 +
vendor/github.com/a8m/envsubst/LICENSE | 21 +
vendor/github.com/a8m/envsubst/README.md | 107 ++++
vendor/github.com/a8m/envsubst/envsubst.go | 74 +++
vendor/github.com/a8m/envsubst/parse/env.go | 27 +
vendor/github.com/a8m/envsubst/parse/lex.go | 269 +++++++++
vendor/github.com/a8m/envsubst/parse/node.go | 107 ++++
vendor/github.com/a8m/envsubst/parse/parse.go | 189 +++++++
vendor/github.com/unrolled/secure/.gitignore | 27 +
.../github.com/unrolled/secure/.golangci.yaml | 36 ++
vendor/github.com/unrolled/secure/LICENSE | 20 +
vendor/github.com/unrolled/secure/Makefile | 14 +
vendor/github.com/unrolled/secure/README.md | 424 ++++++++++++++
vendor/github.com/unrolled/secure/csp.go | 45 ++
.../unrolled/secure/cspbuilder/builder.go | 116 ++++
.../secure/cspbuilder/directive_builder.go | 154 ++++++
vendor/github.com/unrolled/secure/doc.go | 26 +
vendor/github.com/unrolled/secure/secure.go | 517 ++++++++++++++++++
vendor/modules.txt | 9 +
47 files changed, 2357 insertions(+), 36 deletions(-)
create mode 100644 changelog/unreleased/csp.md
create mode 100644 deployments/examples/ocis_wopi/config/ocis/csp.yaml
create mode 100644 services/proxy/pkg/config/csp.go
create mode 100644 services/proxy/pkg/config/csp.yaml
create mode 100644 services/proxy/pkg/middleware/security.go
create mode 100644 vendor/github.com/a8m/envsubst/.travis.yml
create mode 100644 vendor/github.com/a8m/envsubst/LICENSE
create mode 100644 vendor/github.com/a8m/envsubst/README.md
create mode 100644 vendor/github.com/a8m/envsubst/envsubst.go
create mode 100644 vendor/github.com/a8m/envsubst/parse/env.go
create mode 100644 vendor/github.com/a8m/envsubst/parse/lex.go
create mode 100644 vendor/github.com/a8m/envsubst/parse/node.go
create mode 100644 vendor/github.com/a8m/envsubst/parse/parse.go
create mode 100644 vendor/github.com/unrolled/secure/.gitignore
create mode 100644 vendor/github.com/unrolled/secure/.golangci.yaml
create mode 100644 vendor/github.com/unrolled/secure/LICENSE
create mode 100644 vendor/github.com/unrolled/secure/Makefile
create mode 100644 vendor/github.com/unrolled/secure/README.md
create mode 100644 vendor/github.com/unrolled/secure/csp.go
create mode 100644 vendor/github.com/unrolled/secure/cspbuilder/builder.go
create mode 100644 vendor/github.com/unrolled/secure/cspbuilder/directive_builder.go
create mode 100644 vendor/github.com/unrolled/secure/doc.go
create mode 100644 vendor/github.com/unrolled/secure/secure.go
diff --git a/.golangci.yml b/.golangci.yml
index 8ed29e0343..af560657a5 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -49,6 +49,7 @@ linters-settings:
replace-allow-list:
- github.com/studio-b12/gowebdav
- github.com/egirna/icap-client
+ - github.com/unrolled/secure
interfacebloat:
max: 15
diff --git a/changelog/unreleased/csp.md b/changelog/unreleased/csp.md
new file mode 100644
index 0000000000..a25f8fe503
--- /dev/null
+++ b/changelog/unreleased/csp.md
@@ -0,0 +1,5 @@
+Enhancement: Add CSP and other security related headers to oCIS
+
+General hardening of oCIS
+
+https://github.com/owncloud/ocis/pull/8777
diff --git a/deployments/examples/ocis_wopi/config/ocis/csp.yaml b/deployments/examples/ocis_wopi/config/ocis/csp.yaml
new file mode 100644
index 0000000000..518f906f14
--- /dev/null
+++ b/deployments/examples/ocis_wopi/config/ocis/csp.yaml
@@ -0,0 +1,35 @@
+directives:
+ child-src:
+ - '''self'''
+ connect-src:
+ - '''self'''
+ default-src:
+ - '''none'''
+ font-src:
+ - '''self'''
+ frame-ancestors:
+ - '''none'''
+ frame-src:
+ - '''self'''
+ - 'https://embed.diagrams.net/'
+ - 'https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}/'
+ - 'https://${COLLABORA_DOMAIN:-collabora.owncloud.test}/'
+ img-src:
+ - '''self'''
+ - 'data:'
+ - 'blob:'
+ - 'https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}/'
+ - 'https://${COLLABORA_DOMAIN:-collabora.owncloud.test}/'
+ manifest-src:
+ - '''self'''
+ media-src:
+ - '''self'''
+ object-src:
+ - '''self'''
+ - 'blob:'
+ script-src:
+ - '''self'''
+ - '''unsafe-inline'''
+ style-src:
+ - '''self'''
+ - '''unsafe-inline'''
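Review bot: Both the `script-src` and `style-src` lists at the end of the hunk carry `'unsafe-inline'`, which lets any injected inline script execute and therefore gives up most of the XSS protection this policy is meant to add; if the web client currently needs it, the file should say so and mark the exit path, e.g. `# 'unsafe-inline' is needed by the current web client; replace with nonces/hashes once supported`. Note also that `default-src: 'none'` does not govern `base-uri` or `form-action`, so both remain unrestricted under this policy; adding `base-uri: ["'self'"]` and `form-action: ["'self'"]` closes that gap (confirm the IdP login redirect still works with `form-action` in place). The `object-src` entry allowing `blob:` deserves a one-line comment too, since it is presumably there for in-browser document previews and `'none'` is the safer default when it is not needed. The default `services/proxy/pkg/config/csp.yaml` this commit adds is outside this chunk and likely needs the same review.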
diff --git a/deployments/examples/ocis_wopi/docker-compose.yml b/deployments/examples/ocis_wopi/docker-compose.yml
index 00a41ee1f8..f9ce508b48 100644
--- a/deployments/examples/ocis_wopi/docker-compose.yml
+++ b/deployments/examples/ocis_wopi/docker-compose.yml
@@ -88,8 +88,10 @@ services:
MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
NATS_NATS_HOST: 0.0.0.0
NATS_NATS_PORT: 9233
+ PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
volumes:
- ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
+ - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
- ./config/ocis/${COMPANION_WEB_CONFIG_FILE_NAME:-web.yaml}:/etc/ocis/web.yaml
- ocis-config:/etc/ocis
- ocis-data:/var/lib/ocis
diff --git a/go.mod b/go.mod
index a8bbb6b5c4..b7b5372cae 100644
--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
github.com/Masterminds/semver v1.5.0
github.com/MicahParks/keyfunc v1.9.0
github.com/Nerzal/gocloak/v13 v13.9.0
+ github.com/a8m/envsubst v1.4.2
github.com/bbalet/stopwords v1.0.0
github.com/blevesearch/bleve/v2 v2.4.0
github.com/cenkalti/backoff v2.2.1+incompatible
@@ -86,6 +87,7 @@ require (
github.com/thejerf/suture/v4 v4.0.5
github.com/tidwall/gjson v1.17.1
github.com/tus/tusd v1.13.0
+ github.com/unrolled/secure v1.14.0
github.com/urfave/cli/v2 v2.27.1
github.com/xhit/go-simple-mail/v2 v2.16.0
go-micro.dev/v4 v4.10.2
@@ -355,6 +357,8 @@ replace github.com/studio-b12/gowebdav => github.com/aduffeck/gowebdav v0.0.0-20
replace github.com/egirna/icap-client => github.com/fschade/icap-client v0.0.0-20240123094924-5af178158eaf
+replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb
+
// exclude the v2 line of go-sqlite3 which was released accidentally and prevents pulling in newer versions of go-sqlite3
// see https://github.com/mattn/go-sqlite3/issues/965 for more details
exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible
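Review bot: The added `replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb` pins a security-header library to a personal fork at a pseudo-version, which is a supply-chain and maintenance concern: the fork receives no upstream fixes until someone re-pins it, and nothing in the diff records why it exists or when it can go. A comment above the directive should state the reason and the exit condition, e.g. `// temporary fork of unrolled/secure; drop once <UPSTREAM-PR-PLACEHOLDER> is merged and released`, matching the comment style already used for the go-sqlite3 exclude directly below it. The commit message says the fork is intentional but not what it changes relative to v1.14.0; that belongs in the comment or the changelog entry as well, so reviewers can verify the fork's delta rather than trust it.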
diff --git a/go.sum b/go.sum
index 3701d0d1f9..355d58d8ee 100644
--- a/go.sum
+++ b/go.sum
@@ -798,6 +798,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
github.com/CiscoM31/godata v1.0.10 h1:DZdJ6M8QNh4HquvDDOqNLu6h77Wl86KGK7Qlbmb90sk=
github.com/CiscoM31/godata v1.0.10/go.mod h1:ZMiT6JuD3Rm83HEtiTx4JEChsd25YCrxchKGag/sdTc=
github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
+github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb h1:Ugrv7ivJ035zunmhmGEBSXL76tyxRNH5XaBSQUTqf38=
+github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
github.com/KimMachineGun/automemlimit v0.6.0 h1:p/BXkH+K40Hax+PuWWPQ478hPjsp9h1CPDhLlA3Z37E=
github.com/KimMachineGun/automemlimit v0.6.0/go.mod h1:T7xYht7B8r6AG/AqFcUdc7fzd2bIdBKmepfP2S1svPY=
@@ -824,6 +826,8 @@ github.com/RoaringBitmap/roaring v1.2.3 h1:yqreLINqIrX22ErkKI0vY47/ivtJr6n+kMhVO
github.com/RoaringBitmap/roaring v1.2.3/go.mod h1:plvDsJQpxOC5bw8LRteu/MLWHsHez/3y6cubLI4/1yE=
github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
+github.com/a8m/envsubst v1.4.2 h1:4yWIHXOLEJHQEFd4UjrWDrYeYlV7ncFWJOCBRLOZHQg=
+github.com/a8m/envsubst v1.4.2/go.mod h1:MVUTQNGQ3tsjOOtKCNd+fl8RzhsXcDvvAEzkhGtlsbY=
github.com/aduffeck/gowebdav v0.0.0-20231215102054-212d4a4374f6 h1:ws0yvsikTQdmheKINP16tBzAHdttrHwbz/q3Fgl9X1Y=
github.com/aduffeck/gowebdav v0.0.0-20231215102054-212d4a4374f6/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
diff --git a/ocis-pkg/middleware/header.go b/ocis-pkg/middleware/header.go
index 9db2908148..2e82d65931 100644
--- a/ocis-pkg/middleware/header.go
+++ b/ocis-pkg/middleware/header.go
@@ -38,22 +38,3 @@ func Cors(opts ...cors.Option) func(http.Handler) http.Handler {
AllowCredentials: options.AllowCredentials,
})
}
-
-// Secure writes required access headers to all requests.
-func Secure(next http.Handler) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- // Indicates whether the browser is allowed to render this page in a ,