Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial code parts for CSP implementation for sentry and self-hosted #47980

Merged
merged 8 commits into from
May 3, 2023
Merged

Initial code parts for CSP implementation for sentry and self-hosted #47980

merged 8 commits into from
May 3, 2023

Conversation

oioki
Copy link
Member

@oioki oioki commented Apr 26, 2023
edited
Loading

This PR was deployed then reverted. See #48507 for the new attempt.

@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Apr 26, 2023
@codecov
Copy link

codecov bot commented Apr 27, 2023
edited
Loading

Codecov Report

❗ No coverage uploaded for pull request base (master@62d95f5). Click here to learn what that means.
The diff coverage is 91.30%.

Additional details and impacted files 
@@            Coverage Diff            @@
##             master   #47980   +/-   ##
=========================================
  Coverage          ?   76.26%           
=========================================
  Files             ?     4775           
  Lines             ?   201355           
  Branches          ?    11515           
=========================================
  Hits              ?   153568           
  Misses            ?    47532           
  Partials          ?      255
Impacted Files Coverage Δ
src/sentry/conf/server.py 93.51% <85.71%> (ø)
src/sentry/integrations/jira/views/base.py 100.00% <100.00%> (ø)

@oioki oioki requested review from markstory and mdtro April 27, 2023 14:25
@oioki oioki marked this pull request as ready for review April 27, 2023 14:26
@oioki oioki requested a review from a team as a code owner April 27, 2023 14:26
markstory
markstory reviewed Apr 28, 2023
View reviewed changes
src/sentry/conf/server.py Outdated
@@ -301,6 +301,7 @@ def env(
# response modifying middleware reset the Content-Length header.
# This is because CommonMiddleware Sets the Content-Length header for non-streaming responses.
MIDDLEWARE = (
"csp.middleware.CSPMiddleware",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you done any testing on how this will interact with the CSP header middleware we have in getsentry? Having one way to do CSP in both would be nice.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I am planning to swap custom implementation with django-csp in getsentry.

src/sentry/conf/server.py
"'self'",
]
CSP_FRAME_ANCESTORS = [
"'none'",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a few integrations that need to frame sentry (jira).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a special case, implemented here with the new middleware:
11a5d72

Sanity check:

$ curl -si 'localhost:8000/extensions/jira/issue/ABC-123/' | grep -i content-security
content-security-policy-report-only: connect-src 'self' ws://127.0.0.1:8000; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; default-src 'none'; frame-ancestors 'self' http://localhost:8000; base-uri 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' blob: data: https://secure.gravatar.com

$ curl -si 'localhost:8000/extensions/jira/issue/ABC-123/?xdm_e=https%3A%2F%2Ftest.atlassian.net' | grep -i content-security
content-security-policy-report-only: connect-src 'self' ws://127.0.0.1:8000; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; default-src 'none'; frame-ancestors 'self' https://test.atlassian.net http://localhost:8000; base-uri 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' blob: data: https://secure.gravatar.com

src/sentry/conf/server.py
"data:",
]
CSP_CONNECT_SRC = [
"'self'",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you'll need some atlassian domains in here for the jira integrations.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There was violation by connect-cdn.atl-paas.net, added it to script-src:
34e1dfe
This view has to have a dynamic CSP (based on the xdm_e parameter), so the standard approach with django-csp decorators does not work.

@chadwhitacre chadwhitacre mentioned this pull request Apr 28, 2023
Closed
@oioki oioki requested a review from a team May 2, 2023 14:04
markstory
markstory approved these changes May 2, 2023
View reviewed changes
Copy link
Member

@markstory markstory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. The new middleware is default to off which will avoid disrupting saas.

@oioki oioki changed the title Minimal CSP implementation for sentry and self-hosted Initial code parts for CSP implementation for sentry and self-hosted May 2, 2023
@oioki oioki merged commit 2a14492 into master May 3, 2023
@oioki oioki deleted the feat/django-csp branch May 3, 2023 08:53
@oioki oioki added the Trigger: Revert Add to a merged PR to revert it (skips CI) label May 3, 2023
@getsentry-bot
Copy link
Contributor

PR reverted: d5c1595

getsentry-bot added a commit that referenced this pull request May 3, 2023
@getsentry-bot @oioki
Revert "Initial code parts for CSP implementation for sentry and self…
d5c1595 
…-hosted (#47980)"

This reverts commit 2a14492.

Co-authored-by: oioki <1127549+oioki@users.noreply.github.com>
@oioki oioki restored the feat/django-csp branch May 3, 2023 15:49
@oioki oioki mentioned this pull request May 4, 2023
Merged
oioki added a commit that referenced this pull request May 5, 2023
@oioki
Initial code parts for CSP implementation for sentry and self-hosted (#…
6fbc19f 
…48507)

Another attempt of #47980 (which
was reverted due to bugs).

This PR adds some preliminary code for adding a
`Content-Security-Policy-Report-Only` header with minimal required
permissions (at least I could not find any violations on `sentry
devserver` and self-hosted).
- The CSP middleware is disabled (commented in the `MIDDLEWARE`)
- There is no report collecting enabled by default (`CSP_REPORT_URI` is
not set), the intent is to customize it depending on the use case.
@oioki oioki mentioned this pull request May 8, 2023
Merged
oioki added a commit that referenced this pull request May 8, 2023
@oioki
Initial code parts for CSP implementation for sentry and self-hosted (#…
4ba5bb7 
…48699)

Another attempt of #47980 and
#48507 (which were reverted due
to bugs).

This PR adds some preliminary code for adding a
Content-Security-Policy-Report-Only header with minimal required
permissions (at least I could not find any violations on sentry
devserver and self-hosted).

The CSP middleware is disabled (commented in the MIDDLEWARE)
There is no report collecting enabled by default (CSP_REPORT_URI is not
set), the intent is to customize it depending on the use case.
@hubertdeng123 hubertdeng123 mentioned this pull request May 9, 2023
Merged
@github-actions github-actions bot locked and limited conversation to collaborators Jun 2, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@markstory markstory markstory approved these changes

@mdtro mdtro Awaiting requested review from mdtro

Assignees
No one assigned
Labels
Scope: Backend Automatically applied to PRs that change backend components Trigger: Revert Add to a merged PR to revert it (skips CI)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@oioki @getsentry-bot @markstory