freelawproject / bigcases2

The sequel to Big Cases Bot

CSP violation: Blocked 'script' from 'eval:' #316

Open sentry-io[bot] opened 1 year ago

sentry-io[bot] commented 1 year ago

Sentry Issue: BIGCASES2-1G

```json
{
  "csp-report": {
    "effective_directive": "script-src",
    "blocked_uri": "eval",
    "document_uri": "https://bots.law/",
    "original_policy": "connect-src 'self' https://plausible.io/; script-src 'self' storage.bots.law https://plausible.io/ https://hcaptcha.com/; default-src 'self' storage.bots.law https://newassets.hcaptcha.com/; report-uri https://o399720.ingest.sentry.io/api/4504573893738496/security/?sentry_key=55e2a29e6b964e768eeebf0a368af7cd",
    "referrer": "",
    "status_code": 200,
    "violated_directive": "script-src",
    "line_number": 3,
    "column_number": 155,
    "script_sample": "",
    "disposition": "enforce"
  }
}
```

Blocked 'script' from 'eval:'

mlissner commented 1 year ago

Another CSP violation...eval on the homepage, I think?

Is this going to be better for @cweider or @ERosendo to hunt down? How far do you want to take this part of things, Chad?

cweider commented 1 year ago

There’s a good chance that it is from the `<a href="javascript:void(0)"` that I see in `case-form.html` (though I’d expect that error to have a https://bots.law/add-cases/ URI). I see no easy way to get a channel list for my account, so @ERosendo – you’d be the best to take it.

Another potential is htmx, which has fallen a little bit in my estimation, seeing that it allows unrestricted evaluation of JavaScript through its attributes (recreating the problems of `onClick`). It has a configuration option, `allowEval`, that disables it, but it’s not much of a fix – it just means that an exception is thrown earlier and does not create a security report. At a glance, I don’t see any uses that would trigger it. Nonetheless, it’d be a good place to look.
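To make the report above easier to reason about, here is an added triage helper (not code from the bigcases2 repository): it parses the `original_policy` string from the Sentry report quoted in this issue into its directives, then classifies the violation as an `eval`, `inline`, or external-origin block and checks whether the policy already permits it. The classification logic and the `cdn.example` sample origin are my own constructions; the first report is the one from the issue.

```javascript
// Added example, not part of the bigcases2 project. The first report is the
// one Sentry forwarded in this issue; the parser and triage rules are mine.
const ISSUE_REPORT = {
  "csp-report": {
    effective_directive: "script-src",
    blocked_uri: "eval",
    document_uri: "https://bots.law/",
    original_policy:
      "connect-src 'self' https://plausible.io/; " +
      "script-src 'self' storage.bots.law https://plausible.io/ https://hcaptcha.com/; " +
      "default-src 'self' storage.bots.law https://newassets.hcaptcha.com/; " +
      "report-uri https://o399720.ingest.sentry.io/api/4504573893738496/security/?sentry_key=55e2a29e6b964e768eeebf0a368af7cd",
    referrer: "",
    status_code: 200,
    violated_directive: "script-src",
    line_number: 3,
    column_number: 155,
    script_sample: "",
    disposition: "enforce",
  },
};

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Normalise a source expression ("https://plausible.io/", "storage.bots.law")
// to a bare host so it can be compared with the blocked URI's host.
function sourceHost(source) {
  return source.replace(/^[a-z]+:\/\//i, "").replace(/\/.*$/, "");
}

// Classify one CSP report and say whether the policy already allows the source.
// For eval the right fix is to locate the caller, not to add 'unsafe-eval'.
function triage(report) {
  const r = report["csp-report"];
  const policy = parsePolicy(r.original_policy);
  const directive = r.effective_directive || r.violated_directive;
  // script-src falls back to default-src when absent, mirroring CSP semantics.
  const sources = policy.get(directive) || policy.get("default-src") || [];
  const blocked = r.blocked_uri;

  if (blocked === "eval") {
    return {
      kind: "eval",
      directive,
      allowedNow: sources.includes("'unsafe-eval'"),
      where: `${r.document_uri}:${r.line_number}:${r.column_number}`,
      recommendation: "locate the eval/Function caller; do not add 'unsafe-eval'",
    };
  }
  if (blocked === "inline") {
    return {
      kind: "inline",
      directive,
      allowedNow: sources.includes("'unsafe-inline'"),
      where: `${r.document_uri}:${r.line_number}:${r.column_number}`,
      recommendation: "move inline script or handler to an external file, or use a nonce",
    };
  }
  let host;
  try { host = new URL(blocked).host; } catch { host = blocked; }
  const allowedNow = sources.some((s) => sourceHost(s) === host);
  return {
    kind: "external",
    directive,
    host,
    allowedNow,
    recommendation: allowedNow
      ? "host is allow-listed; check scheme and path before changing the policy"
      : "unexpected origin: identify what injected it before allow-listing",
  };
}

// Constructed second report: same policy, but a script from an origin that is
// not in script-src (cdn.example is a placeholder, not a real host).
function constructedExternalReport() {
  const r = { ...ISSUE_REPORT["csp-report"], blocked_uri: "https://cdn.example/x.js" };
  return { "csp-report": r };
}

console.log(triage(ISSUE_REPORT));
console.log(triage(constructedExternalReport()));
```

Running `triage(ISSUE_REPORT)` reports `kind: "eval"` with `allowedNow: false`, which is exactly the situation in this issue: nothing in `script-src` grants `'unsafe-eval'`, so the next step is to find which code path on `https://bots.law/` (line 3, column 155 of the document) reaches `eval`, rather than to loosen the policy.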

mlissner commented 1 year ago

The htmx docs say:

> `allowEval:true` - boolean: allows the use of eval-like functionality in htmx, to enable `hx-vars`, trigger conditions & script tag evaluation. Can be set to `false` for CSP compatibility

Assuming we don't need it, maybe we set that to false and see if it fixes it?

> it just means that an exception is thrown earlier and does not create a security report

I guess you're referring to `maybeEval`?

That seems kind of OK? What were you hoping it'd do?

cweider commented 1 year ago

> Assuming we don't need it, maybe we set that to false and see if it fixes it?

If we have functionality that relies on htmx’s use of eval, chances are that it will be broken regardless of the setting; `allowEval: false` is, largely, a cosmetic change. And so, before disallowing eval, it would be good to exercise bots.law’s htmx usage and try to find the issue (if any) first.

> That seems kind of OK? What were you hoping it'd do?

Oh, I was thinking that rather than eval they’d not have the functionality at all (!), or a sandboxed scripting environment – a long time ago, for similar behavior, I had to create a regular subset of JavaScript that could be used on element attributes and interpreted without causing security disasters.

cweider commented 1 year ago

@ERosendo – Worth mentioning that it is possible, even likely, that bots.law isn’t causing this! It could be a rogue plugin.