DEV Community: 0xdbe The latest articles on DEV Community by 0xdbe (@0xdbe). https://dev.to/0xdbe https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F644065%2Fc1c6ab25-e3e2-4daf-9d99-89a7ec2d891d.jpeg DEV Community: 0xdbe https://dev.to/0xdbe en GitHub: signing commit in a workflow 0xdbe Thu, 04 Apr 2024 13:30:43 +0000 https://dev.to/0xdbe/github-signing-commit-in-a-workflow-98p https://dev.to/0xdbe/github-signing-commit-in-a-workflow-98p <p>Committing in your workflow can normally be done using git commands or other actions that perform commits for you.<br> However, if your repository requires commit signing, it is difficult to manage securely a GPG keys and set up GitHub Runner to sign your commit.<br> Fortunately, this can be done through the GitHub GraphQL API.</p> <h2> GraphQL Mutation </h2> <p>Github provides a GraphQL Mutation <a href="https://docs.github.com/en/graphql/reference/mutations#createcommitonbranch">createcommitonbranch</a> which creates a commit.<br> Commits made using this mutation are automatically signed by GitHub and will be marked as verified in the user interface.</p> <p>For better reusability, we can define a GraphQL mutation in a file <code>.github/api/createCommitOnBranch.gql</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">mutation</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="nv">$githubRepository</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="p">!,</span><span class="w"> </span><span class="nv">$branchName</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="p">!,</span><span class="w"> </span><span class="nv">$expectedHeadOid</span><span class="p">:</span><span class="w"> </span><span class="n">GitObjectID</span><span class="p">!</span><span class="w"> </span><span class="nv">$commitMessage</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="p">!</span><span class="w"> </span><span class="nv">$files</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="n">FileAddition</span><span class="p">!]!</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">createCommitOnBranch</span><span class="p">(</span><span class="w"> </span><span class="n">input</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">branch</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">repositoryNameWithOwner</span><span class="p">:</span><span class="w"> </span><span class="nv">$githubRepository</span><span class="p">,</span><span class="w"> </span><span class="n">branchName</span><span class="p">:</span><span class="w"> </span><span class="nv">$branchName</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="n">message</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="n">headline</span><span class="p">:</span><span class="w"> </span><span class="nv">$commitMessage</span><span class="p">},</span><span class="w"> </span><span class="n">fileChanges</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">additions</span><span class="p">:</span><span class="w"> </span><span class="nv">$files</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">expectedHeadOid</span><span class="p">:</span><span class="w"> </span><span class="nv">$expectedHeadOid</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">){</span><span class="w"> </span><span class="n">commit</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">url</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The following input fields must be set when you call this mutation:</p> <ul> <li><code>githubRepository</code></li> <li><code>branchName</code></li> <li><code>expectedHeadOid</code></li> <li><code>commitMessage</code></li> <li><code>files</code></li> </ul> <h2> Usage with gh CLI </h2> <p>The mutation can now be called using <code>gh</code> CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gh api graphql <span class="se">\</span> <span class="nt">-F</span> <span class="nv">$githubRepository</span><span class="o">=</span><span class="s2">"owner/repo"</span> <span class="se">\</span> <span class="nt">-F</span> <span class="nv">branchName</span><span class="o">=</span><span class="s2">"main"</span> <span class="se">\</span> <span class="nt">-F</span> <span class="nv">expectedHeadOid</span><span class="o">=</span><span class="si">$(</span>git rev-parse HEAD<span class="si">)</span> <span class="se">\</span> <span class="nt">-F</span> <span class="nv">commitMessage</span><span class="o">=</span><span class="s2">"chore: commit file"</span> <span class="se">\</span> <span class="nt">-F</span> files[][path]<span class="o">=</span><span class="s2">"README.md"</span> <span class="nt">-F</span> files[][contents]<span class="o">=</span><span class="si">$(</span><span class="nb">base64</span> <span class="nt">-w0</span> README.md<span class="si">)</span> <span class="se">\</span> <span class="nt">-F</span> files[][path]<span class="o">=</span><span class="s2">"HELLO.md"</span> <span class="nt">-F</span> files[][contents]<span class="o">=</span><span class="si">$(</span><span class="nb">base64</span> <span class="nt">-w0</span> HELLO.md<span class="si">)</span> <span class="se">\</span> <span class="nt">-F</span> <span class="s1">'query=@.github/api/createCommitOnBranch.gql'</span> </code></pre> </div> <p>Warning: <code>files</code> is an array of <code>FileAddition</code>, but fortunately, the <code>gh</code> CLI allows defining nested objects in fields.</p> <h2> Usage in a GitHub Workflow </h2> <p>In order to sign a new commit in your workflow, you can add a step to call the mutation using the <code>gh</code> CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permissions</span><span class="pi">:</span> <span class="na">checks</span><span class="pi">:</span> <span class="s">write</span> <span class="na">statuses</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">committing</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">edit file</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "hello" &gt;&gt; README.md</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">commit</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">gh api graphql \</span> <span class="s">-F $githubRepository=$GITHUB_REPOSITORY \</span> <span class="s">-F branchName=$BRANCH \</span> <span class="s">-F expectedHeadOid=$(git rev-parse HEAD) \</span> <span class="s">-F commitMessage="chore: commit file" \</span> <span class="s">-F files[][path]="README.md" -F files[][contents]=$(base64 -w0 README.md) \</span> <span class="s">-F files[][path]="HELLO.md" -F files[][contents]=$(base64 -w0 HELLO.md) \</span> <span class="s">-F 'query=@.github/api/createCommitOnBranch.gql'</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GH_TOKEN</span><span class="pi">:</span> <span class="s">${{ github.token }}</span> <span class="na">BRANCH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">main"</span> </code></pre> </div> <p>This commit will be signed by <code>github-actions[bot]</code>.</p> security github githubactions javascript Next.js: consequence of Next/Image on your CSP 0xdbe Thu, 04 Apr 2024 13:29:11 +0000 https://dev.to/0xdbe/nextjs-consequence-of-nextimage-on-your-csp-5d6m https://dev.to/0xdbe/nextjs-consequence-of-nextimage-on-your-csp-5d6m <p>The <code>Next/Image</code> component is a crucial part of the Next.js framework, offering image optimization functionalities.<br> However, utilizing this component can have significant implications for Content Security Policy (CSP).</p> <blockquote> <p>This article is documented as an ADR (Architectural Decision Record) because, in my perspective, this represents a crucial security decision.<br> This includes the context of how the decision was made and the consequences of adopting it<br> Feel free to share this ADR with your team members if you find it beneficial.</p> </blockquote> <h2> Issue </h2> <p>To understand the implications of <code>Next/Image</code>, let's examine the following example extracted from the default Next.js template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;Image</span> <span class="na">className=</span><span class="s">"relative dark:drop-shadow-[0_0_0.3rem_#ffffff70] dark:invert"</span> <span class="na">src=</span><span class="s">"/next.svg"</span> <span class="na">alt=</span><span class="s">"Next.js Logo"</span> <span class="nt">/&gt;</span> </code></pre> </div> <p>This component generates the following HTML code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;img</span> <span class="na">alt=</span><span class="s">"Next.js Logo"</span> <span class="na">style=</span><span class="s">"color:transparent"</span> <span class="na">src=</span><span class="s">"/next.svg"</span> <span class="nt">&gt;</span> </code></pre> </div> <p>As observed, the outcome contains an unsafe inline style used to conceal the <code>alt</code> text.</p> <p>There are another properties translated into inline style by <code>Next/Image</code>.<br> For example, <code>fill</code> property is translated by:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;img</span> <span class="na">style=</span><span class="s">"position:absolute;height:100%;width:100%;left:0;top:0;right:0;bottom:0;object-fit:contain;color:transparent"</span> <span class="nt">&gt;</span> </code></pre> </div> <h2> Considered Options </h2> <h3> Unsafe Inline </h3> <p>The simplest approach is to allow the <code>unsafe-inline</code> keyword for <code>style-src</code> directive.<br> However, this leaves you vulnerable to CSS injection attacks.</p> <h3> Unsafe Hashes </h3> <p>Since styles for images are predetermined, we can pre-compute hashes for styles:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>echo -n "color:transparent" | openssl dgst -sha256 -binary | openssl base64 -A </code></pre> </div> <p>Subsequently, you can append the following content to your CSP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>style-src 'self' 'sha256-zlqnbDt84zf1iSefLU/ImC54isoprH/MRiVZGskwexk=' 'unsafe-hashes' </code></pre> </div> <p>Unfortunately, the <code>unsafe-hashes</code> keyword is necessary to permit hashes for the <code>style</code> attribute.</p> <h3> Remove Style </h3> <p>Even without utilizing any properties that generate inline style, there's only one persistent style attribute that you can't eliminate: <code>color:transparent</code>.</p> <p>To remove the style attribute, it is possible to create a new component called <code>ImageNoStyle</code>, which omits the style attribute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ImageNoStyle.tsx</span> <span class="k">import</span> <span class="nx">NextImage</span><span class="p">,</span> <span class="p">{</span> <span class="nx">getImageProps</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/image</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ComponentProps</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">ImageNoStyle</span><span class="p">(</span><span class="nx">props</span><span class="p">:</span> <span class="nx">ComponentProps</span><span class="o">&lt;</span><span class="k">typeof</span> <span class="nx">NextImage</span><span class="o">&gt;</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">props</span><span class="p">:</span> <span class="nx">nextProps</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getImageProps</span><span class="p">({</span> <span class="p">...</span><span class="nx">props</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">style</span><span class="p">:</span> <span class="nx">_omit</span><span class="p">,</span> <span class="p">...</span><span class="nx">delegated</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">nextProps</span><span class="p">;</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">img</span> <span class="p">{...</span><span class="nx">delegated</span><span class="p">}</span> <span class="sr">/&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <p>This component uses <code>getImageProps()</code>, available from Next.js 14.1, to generate image properties and omit the style attribute.<br> Then, <code>ImageNoStyle</code> can be used like this with the same properties as <code>NextImage</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;ImageNoStyle</span> <span class="na">className=</span><span class="s">"relative dark:drop-shadow-[0_0_0.3rem_#ffffff70] dark:invert"</span> <span class="na">src=</span><span class="s">"/next.svg"</span> <span class="na">alt=</span><span class="s">"Next.js Logo"</span> <span class="na">width=</span><span class="s">{180}</span> <span class="na">height=</span><span class="s">{37}</span> <span class="na">priority</span> <span class="nt">/&gt;</span> </code></pre> </div> <p>However, it's worth noting that this workaround removes inline style for images.<br> Consequently, this workaround can modify rendering of an existing website.</p> <h3> HTML Tag </h3> <p>The basic HTML <code>&lt;img&gt;</code> tag can be used to embed an image in react component.</p> <h2> Decision </h2> <p>Pending a resolution for issues <a href="https://github.com/vercel/next.js/issues/61388">61388</a> and <a href="https://github.com/vercel/next.js/issues/45184">45184</a>, it's advisable to refrain from using <code>Next/Image</code>.<br> Employing the <code>&lt;img&gt;</code> HTML tag helps maintain a strict CSP (Content Security Policy).</p> <blockquote> <p>This decision is relevant to a new application.<br> For existing applications, the choice may differ, particularly if image optimization is already in use.</p> </blockquote> <h2> Consequence </h2> <p>Opting for the basic <code>&lt;img&gt;</code> HTML tag means foregoing the image optimization features provided by Next.js, as outlined in the <a href="https://nextjs.org/docs/pages/building-your-application/optimizing/images">image optimization</a> documentation.</p> <h2> Links </h2> <ul> <li> <a href="https://github.com/vercel/next.js/discussions/61209">inline style color:transparent in Image #61209</a> on GitHub</li> <li> <a href="https://github.com/vercel/next.js/issues/45184">CSP error when using next/image #45184</a> on GitHub</li> <li> <a href="https://github.com/vercel/next.js/issues/61388">next/Image uses unsafe inline style #61388</a> on GitHub</li> <li><a href="https://nextjs.org/docs/pages/building-your-application/optimizing/images">Image Optimization</a></li> </ul> security nextjs appsec Next.js: Crafting a Strict CSP 0xdbe Thu, 07 Mar 2024 15:56:21 +0000 https://dev.to/0xdbe/nextjs-crafting-a-strict-csp-49lg https://dev.to/0xdbe/nextjs-crafting-a-strict-csp-49lg <p>Next.js lacks many built-in security measures. In fact, it doesn't offer predefined configurations for your Content Security Policy (CSP). Consequently, setting up CSP becomes your responsibility.<br> Let's explore how we can implement a CSP.</p> <h2> Requirements </h2> <p>To ensure a Content Security Policy that aligns with the current standards, we need to meet the following requirements:</p> <ul> <li>must include a nonce because Next.js often utilizes inline scripts, such as those for <a href="https://0xdbe.github.io/NextJS-CSP-AppRouter/">AppRouter</a>.</li> <li>must be delivered through an HTTP Header. Avoid embedding a CSP in a <code>meta</code> tag with <code>http-equiv</code> as it lacks support for crucial features, such as violation reports and frame-ancestors directive.</li> </ul> <h2> Middleware </h2> <p>In Next.js, middleware allows you to execute a function before a request is completed. In our case, a middleware will be used to generate a random nonce and then create HTTP headers before the page renders.</p> <p>Here is the middleware function, which can be adjusted if a middleware chain is used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// file: middleware.ts</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// step 1</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="nf">initResponse</span><span class="p">()</span> <span class="c1">// step 2</span> <span class="kd">const</span> <span class="nx">reportUri</span> <span class="o">=</span> <span class="nf">getReportUri</span><span class="p">()</span> <span class="nx">response</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span> <span class="dl">'</span><span class="s1">Report-To</span><span class="dl">'</span><span class="p">,</span> <span class="nf">getReportToHeaderValue</span><span class="p">(</span><span class="nx">reportUri</span><span class="p">)</span> <span class="p">)</span> <span class="c1">// step 3</span> <span class="kd">const</span> <span class="nx">nonce</span> <span class="o">=</span> <span class="nf">getNonce</span><span class="p">()</span> <span class="c1">// step 4</span> <span class="nx">response</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span> <span class="dl">'</span><span class="s1">Content-Security-Policy</span><span class="dl">'</span><span class="p">,</span> <span class="nf">getContentSecurityPolicyHeaderValue</span><span class="p">(</span><span class="nx">nonce</span><span class="p">,</span> <span class="nx">reportUri</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> </code></pre> </div> <h2> Helper functions </h2> <h3> Step 1: Initialize Response </h3> <p>The first step involves initializing the response using the following function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">initResponse</span><span class="p">():</span> <span class="nx">NextResponse</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <p>Using <code>NextResponse.next()</code> is suitable, in this case, to create an empty response. Although if you're using a chain middleware where the response is already initialized, you might skip this step.</p> <h3> Step 2: Define CSP Violation Reporting </h3> <p>The second step is defining where CSP violation reports will be sent.</p> <p>Here's the function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">getReportToHeaderValue</span><span class="p">(</span><span class="nx">reportUri</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">reportTo</span> <span class="o">=</span> <span class="p">{</span> <span class="na">group</span><span class="p">:</span> <span class="dl">'</span><span class="s1">csp</span><span class="dl">'</span><span class="p">,</span> <span class="na">max_age</span><span class="p">:</span> <span class="mi">10886400</span><span class="p">,</span> <span class="c1">//1 day</span> <span class="na">endpoints</span><span class="p">:</span> <span class="p">[{</span> <span class="na">url</span><span class="p">:</span> <span class="nx">reportUri</span> <span class="p">}],</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">reportTo</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Certain providers like Sentry or Datadog offer the capability to collect information on CSP (Content-Security-Policy) violations. Remember, if you're testing violation reports, they won't be sent if you're using <code>localhost</code> hostname or an insecure protocol like <code>http</code>.</p> <h3> Step 3: Generate Nonce </h3> <p>The third step involves generating a random nonce using <code>randomUUID()</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">getNonce</span><span class="p">():</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">()).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Step 4: Generate CSP Content </h3> <p>The final step is to generate the content of the CSP, which is perhaps the most intricate task.</p> <p>Here's a function to define the CSP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">getContentSecurityPolicyHeaderValue</span><span class="p">(</span> <span class="nx">nonce</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">reportUri</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="c1">// Default CSP for Next.js</span> <span class="kd">const</span> <span class="nx">contentSecurityPolicyDirective</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">base-uri</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="s2">`'self'`</span><span class="p">],</span> <span class="dl">'</span><span class="s1">default-src</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="s2">`'none'`</span><span class="p">],</span> <span class="dl">'</span><span class="s1">frame-ancestors</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="s2">`'none'`</span><span class="p">],</span> <span class="dl">'</span><span class="s1">font-src</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="s2">`'self'`</span><span class="p">],</span> <span class="dl">'</span><span class="s1">form-action</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="s2">`'self'`</span><span class="p">],</span> <span class="dl">'</span><span class="s1">frame-src</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="s2">`'self'`</span><span class="p">],</span> <span class="dl">'</span><span class="s1">connect-src</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="s2">`'self'`</span><span class="p">],</span> <span class="dl">'</span><span class="s1">img-src</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="s2">`'self'`</span><span class="p">],</span> <span class="dl">'</span><span class="s1">manifest-src</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="s2">`'self'`</span><span class="p">],</span> <span class="dl">'</span><span class="s1">object-src</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="s2">`'none'`</span><span class="p">],</span> <span class="dl">'</span><span class="s1">report-uri</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="nx">reportUri</span><span class="p">],</span> <span class="c1">// for old browsers like Firefox</span> <span class="dl">'</span><span class="s1">report-to</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">csp</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// for modern browsers like Chrome</span> <span class="dl">'</span><span class="s1">script-src</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`'nonce-</span><span class="p">${</span><span class="nx">nonce</span><span class="p">}</span><span class="s2">'`</span><span class="p">,</span> <span class="s2">`'strict-dynamic'`</span><span class="p">,</span> <span class="c1">// force hashes and nonces over domain host lists</span> <span class="p">],</span> <span class="dl">'</span><span class="s1">style-src</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="s2">`'self'`</span><span class="p">],</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Webpack use eval() in development mode for automatic JS reloading</span> <span class="nx">contentSecurityPolicyDirective</span><span class="p">[</span><span class="dl">'</span><span class="s1">script-src</span><span class="dl">'</span><span class="p">].</span><span class="nf">push</span><span class="p">(</span><span class="s2">`'unsafe-eval'`</span><span class="p">)</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_VERCEL_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">preview</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">contentSecurityPolicyDirective</span><span class="p">[</span><span class="dl">'</span><span class="s1">connect-src</span><span class="dl">'</span><span class="p">].</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://vercel.live</span><span class="dl">'</span><span class="p">)</span> <span class="nx">contentSecurityPolicyDirective</span><span class="p">[</span><span class="dl">'</span><span class="s1">connect-src</span><span class="dl">'</span><span class="p">].</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">wss://*.pusher.com</span><span class="dl">'</span><span class="p">)</span> <span class="nx">contentSecurityPolicyDirective</span><span class="p">[</span><span class="dl">'</span><span class="s1">img-src</span><span class="dl">'</span><span class="p">].</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://vercel.com</span><span class="dl">'</span><span class="p">)</span> <span class="nx">contentSecurityPolicyDirective</span><span class="p">[</span><span class="dl">'</span><span class="s1">font-src</span><span class="dl">'</span><span class="p">].</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://vercel.live</span><span class="dl">'</span><span class="p">)</span> <span class="nx">contentSecurityPolicyDirective</span><span class="p">[</span><span class="dl">'</span><span class="s1">frame-src</span><span class="dl">'</span><span class="p">].</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://vercel.live</span><span class="dl">'</span><span class="p">)</span> <span class="nx">contentSecurityPolicyDirective</span><span class="p">[</span><span class="dl">'</span><span class="s1">style-src</span><span class="dl">'</span><span class="p">].</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://vercel.live</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">entries</span><span class="p">(</span><span class="nx">contentSecurityPolicyDirective</span><span class="p">)</span> <span class="p">.</span><span class="nf">map</span><span class="p">(([</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">])</span> <span class="o">=&gt;</span> <span class="s2">`</span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">value</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">; </span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>If you need to complete the default CSP, use the push method to add additional sources.</p> <h2> Page Render </h2> <p>Once we have middleware that creates a CSP with a nonce, we need to include this nonce on pages. Every time a page is viewed, a fresh nonce should be generated. This means you must use dynamic rendering to add nonces:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// file: app/layout.tsx export const dynamic = 'force-dynamic' </code></pre> </div> <p>With this option, Next.js will be able to insert a random number on the rendered page.</p> <p>To achieve this, Next.js utilizes <a href="https://github.com/vercel/next.js/blob/v14.1.0/packages/next/src/server/app-render/get-script-nonce-from-header.tsx">getScriptNonceFromHeader</a> to extract the nonce from the CSP HTTP header.<br> Then, <a href="https://github.com/vercel/next.js/blob/7744cc91beae7169c264e4a7508ef55256c4ab42/packages/next/src/server/app-render/app-render.tsx">AppRender</a> includes the nonce in all script elements.</p> <p><strong>Warning:</strong> Keep in mind that dynamic rendering can increase hosting costs. For example, on Vercel, page rendering is done as a serverless function.</p> <h2> Conclusion </h2> <p>Next.js is not designed to use a strict Content-Security-Policy, which may discourage many software engineers. I hope this article can help some of them who might be tempted to use the <code>unsafe-inline</code> keyword.</p> <p>If you haven't yet selected a framework for your next secure app, consider avoiding Next.js and opting for a better-suited one, although I haven't identified it yet.</p> <h2> Link </h2> <ul> <li> <a href="https://nextjs.org/docs/app/building-your-application/configuring/content-security-policy">Configuring Content Security Policy</a> from <a href="https://nextjs.org/">nextjs.org</a> </li> <li> <a href="https://content-security-policy.com/examples/meta/">Example a CSP header with a meta tag</a> from <a href="https://content-security-policy.com/">CSP Reference Guide</a> </li> </ul> security appsec nextjs Next.js: consequence of AppRouter on your CSP 0xdbe Thu, 07 Mar 2024 15:26:02 +0000 https://dev.to/0xdbe/nextjs-consequence-of-approuter-on-your-csp-839 https://dev.to/0xdbe/nextjs-consequence-of-approuter-on-your-csp-839 <p>With the integration of AppRouter, Next.js undergoes significant internal changes in component loading and management.<br> Underneath, AppRouter defaults to employing SSR (Server-Side Rendering) and leverages React Server Components (RSC).<br> However, this transition brings about consequential impacts on CSP (Content Security Policy).</p> <blockquote> <p>This article is written down as an ADR (Architectural Decision Record) because, from my point of view, this is an important security decision.<br> This includes the context of how the decision was made and the consequences of adopting the decision.<br> So, if you find it useful, you can share this ADR with your team members, and perhaps it will prove to be an effective strategy.</p> </blockquote> <h2> Issue </h2> <p>All Server Components are loaded using an inline script as depicted below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script&gt;</span> <span class="nb">self</span><span class="p">.</span><span class="nx">__next_f</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span> <span class="p">[</span> <span class="mi">1</span><span class="p">,</span> <span class="dl">"</span><span class="s2">1:HL[ </span><span class="se">\"</span><span class="s2">/_next/static/media/c9a5bc6a7c948fb0-s.p.woff2</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">font</span><span class="se">\"</span><span class="s2">,{</span><span class="se">\"</span><span class="s2">crossOrigin</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">type</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">font/woff2</span><span class="se">\"</span><span class="s2">} ]</span><span class="se">\n</span><span class="s2"> 2:HL[ </span><span class="se">\"</span><span class="s2">/_next/static/css/0a4b1961022ab8f5.css</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">style</span><span class="se">\"</span><span class="s2"> ]</span><span class="se">\n</span><span class="s2"> 0:</span><span class="se">\"</span><span class="s2">$L3</span><span class="se">\"\n</span><span class="s2"> </span><span class="dl">"</span> <span class="p">]</span> <span class="p">)</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <p>This script invokes <code>self.__next_f.push()</code> with the RSC payload, consisting of serialized HTML content.<br> From a security standpoint, this presents an issue due to the presence of an unsafe inline script.</p> <h2> Considered Options </h2> <h3> Disable AppRouter </h3> <p>With <code>create-next-app</code>, it's always an option to create a Next.js app without AppRouter.<br> When prompted, select <code>No</code> to the following question:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Would you like to use App Router? (recommended) No / Yes </code></pre> </div> <p>This choice replaces the AppRouter with the old PageRouter.<br> However, it's worth noting that this is not recommended by Next.js, as the PageRouter may potentially be deprecated in future releases.</p> <h3> Disable SSR </h3> <p>In order to disable Server Side Rendering, add <code>use client</code> in each component and layout.<br> Unfortunately, this means forfeiting the benefits of SSR.</p> <h3> Use unsafe-inline </h3> <p>The simplest way to make AppRouter work is by adding <code>unsafe-inline</code>.<br> However, this keyword disables protection against XSS (Cross-Site Scripting).</p> <h3> Use nonce </h3> <p>Another option to allow inline script is to use a nonce.<br> A nonce is a unique, random string of characters created for one-time use.</p> <p>This nonce must be inserted in the HTTP Header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>script-src: nonce-1234 </code></pre> </div> <p>And also in the HTML document:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;script nonce="1234"&gt; //... &lt;/script&gt; </code></pre> </div> <h2> Decision </h2> <p>Among the considered options, the only safe solution is to use a CSP with nonce in the <code>script-src</code> directive.<br> While nonces should generally be avoided in a CSP, Next.js doesn't currently provide any secure alternatives, and nonces are the only solution to maintain a strict CSP.</p> <h2> Consequence </h2> <p>In order to generate a random nonce for each request, a static storage solution like Bucket S3 can no longer be used to host a Next.js application.<br> Thus, an application runtime is now required, potentially increasing hosting costs.<br> Additionally, pages including a random nonce cannot be cached through a CDN (Content Delivery Network).</p> <h2> Links </h2> <ul> <li> <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">Cross Site Scripting Prevention Cheat Sheet</a> from <a href="https://cheatsheetseries.owasp.org">OWASP Cheat Sheet Series</a> </li> <li><a href="https://content-security-policy.com/unsafe-inline/">The CSP unsafe-inline Source List Keyword</a></li> <li> <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce">Nonce attribute</a> from <a href="https://developer.mozilla.org">MDN</a> </li> <li> <a href="https://nextjs.org/docs/app/building-your-application/configuring/content-security-policy">Configuring Content Security Policy</a> from <a href="https://nextjs.org/">nextjs.org</a> </li> <li><a href="https://github.com/vercel/next.js/discussions/42170">NEXTJS 13: self.__next_f.push</a></li> <li><a href="https://giuseppegurgone.com/react-server-component-explained">React Server Components, Explained</a></li> </ul> security appsec nextjs GitHub: How To Enable Code Scanning With Semgrep 0xdbe Wed, 09 Nov 2022 12:52:22 +0000 https://dev.to/0xdbe/github-how-to-enable-code-scanning-with-semgrep-501d https://dev.to/0xdbe/github-how-to-enable-code-scanning-with-semgrep-501d <p>Semgrep is an incredible static analysis engine that can be used for finding bugs, detecting vulnerabilities and even for enforcing code standards.<br> Semgrep is a Swiss army knife for static code analysis.</p> <p>This article describes how to automate the discovery of coding vulnerabilities with Semgrep and GitHub Workflows.<br> For this, we will need 2 workflows: full scan and differential scan.</p> <h2> Full scan </h2> <p>The first workflow is dedicated to scan all the codebase of your application and provides a global analysis of the existing.</p> <p>To create this workflow, paste the following content in <code>.github/workflows/semgrep-full.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Semgrep Full Scan</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">schedule</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cron</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0</span><span class="nv"> </span><span class="s">1</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">6'</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">semgrep-full</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">container</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">returntocorp/semgrep</span> <span class="na">steps</span><span class="pi">:</span> <span class="c1"># step 1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">clone application source code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="c1"># step 2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">full scan</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">semgrep \</span> <span class="s">--sarif --output report.sarif \</span> <span class="s">--metrics=off \</span> <span class="s">--config="p/default"</span> <span class="c1"># step 3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">save report as pipeline artifact</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">report.sarif</span> <span class="na">path</span><span class="pi">:</span> <span class="s">report.sarif</span> <span class="c1"># step 4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">publish code scanning alerts</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/upload-sarif@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">sarif_file</span><span class="pi">:</span> <span class="s">report.sarif</span> <span class="na">category</span><span class="pi">:</span> <span class="s">semgrep</span> </code></pre> </div> <p>Then, you can manually trigger this workflow to run a first full scan. All findings will be published in the <code>Code Scanning alerts</code> in the <code>Security</code> tab of your GitHub repository.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj6sc8xe1efee5vwmw6u4.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj6sc8xe1efee5vwmw6u4.png" alt="Code Scanning Alerts"></a></p> <p>This workflow is also scheduled to run a full scan every Saturday at 1:00 AM. And the result is sync with the <code>Code Scanning Alerts</code> dashboard. New findings are published and fixed findings are automatically closed. This is an immensely cool feature!</p> <blockquote> <p><code>Code Scanning alerts</code> is free for public repositories but organisations must subscribe to <code>GitHub Advanced Security</code> which is a very expensive add-on. If you don't have this option, and you don’t want to subscribe, you can use another security dashboard like Defect Dojo.</p> </blockquote> <p>... and it’s that simple. The first workflow is now operational! </p> <p>Now, you’ll probably discover that you have a lot of findings in your <code>Code Scanning Alerts</code> dashboard. We know that it will not be possible to fix all of them immediately. Fixing those will probably need several weeks of work. That is why this workflow can't block the software pipeline. However, thanks to this workflow, you can follow your progress because, each week, fixed alerts are automatically closed.</p> <p>While waiting for these corrections, you can block all <em>Pull Requests</em> which could add new findings. For that, we can write a second workflow to run a differential scan in order to report only findings in the Pull Requests.</p> <h2> Differential scan </h2> <p>The second workflow is dedicated to analyse Pull Requests.</p> <p>To create this workflow, paste the following content in <code>.github/workflows/semgrep-diff.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Semgrep Differential Scan</span> <span class="na">on</span><span class="pi">:</span> <span class="s">pull_request</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">semgrep-diff</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">container</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">returntocorp/semgrep</span> <span class="na">steps</span><span class="pi">:</span> <span class="c1"># step 1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">clone application source code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># step 2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">differential scan</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">semgrep scan \</span> <span class="s">--error \</span> <span class="s">--metrics=off \</span> <span class="s">--baseline-commit ${{ github.event.pull_request.base.sha }} \</span> <span class="s">--config="p/default"</span> </code></pre> </div> <p>Under the hood, Semgrep performs two scans: one on the Pull Request and another on the existing codebase before the Pull Request. Therefore, only new findings are reported.</p> <p>Now, you can protect your default branch <code>main</code> in your repository <code>settings</code>, by adding <code>semgrep-diff</code> in <code>Require status checks to pass before merging</code>.<br> By the way, you can also check <code>Do not allow bypassing the above settings</code> to prevent Semgrep bypass.<br> After that, it will not be possible to merge thes Pull Requests with new findings:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzrx86g9daplxnzwdl03v.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzrx86g9daplxnzwdl03v.png" alt="Pull Request Failed"></a></p> <h2> Wrap-Up </h2> <p>Congratulations! You have setup Semgrep on your GitHub repository with two workflows:</p> <ul> <li>A workflow to perform a full scan on the existing codebase</li> <li>A workflow to perform a differential scan on Pull Request</li> </ul> <p>Using Semgrep with GitHub this way provides more flexibility. As you can see, you can enable code scanning without having to fix all of the findings on your existing codebase.</p> <p>Take the time to assess the risks of each finding in order to prioritise them. In the meantime, you will be sure that there will be no additional findings in your repository, and you can even change the rules without freezing any developments.</p> security appsec github Spring Boot: Prevent Log Injection Attacks With Logback 0xdbe Sun, 13 Mar 2022 20:46:46 +0000 https://dev.to/0xdbe/spring-boot-prevent-log-injection-attacks-with-logback-m71 https://dev.to/0xdbe/spring-boot-prevent-log-injection-attacks-with-logback-m71 <p>Log Injection is an attack that has been known to everyone for years.<br> Despite the fact that any application can record logs from user input, for too long many of us had forgotten about the dangers.<br> But the recently discovered vulnerabilities concerning log4j2 have reminded us of the importance of preventing log injection attacks.<br> This article describes one concrete way - albeit not the only way - to prevent log injection attacks in a Spring Boot application using Logback.</p> <blockquote> <p>This article is written down as an ADR (Architectural Decision Record) because, from my point of view, this is an important security decision.<br> This includes the context of how the decision was made and the consequences of adopting the decision.<br> So, if you find it useful, you can share this ADR with your team members, and perhaps it will prove to be an effective strategy.</p> </blockquote> <h2> Context </h2> <p>By default, a Spring Boot application uses Logback as a logging framework, and it does this with SLF4J as the interface between the application and the logging framework.</p> <p>In this way, an application can easily log anything in two steps:</p> <ul> <li>Create a logger with <code>LoggerFactory.getLogger()</code> </li> <li>Log event with <code>logger.debug()</code> (where <code>debug</code> is the log level)</li> </ul> <p>Here is an example that can be found in a simple greeting controller:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HelloController</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">Logger</span> <span class="n">logger</span> <span class="o">=</span> <span class="nc">LoggerFactory</span><span class="o">.</span><span class="na">getLogger</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">getClass</span><span class="o">());</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">index</span><span class="o">(</span><span class="nd">@RequestParam</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"name"</span><span class="o">,</span> <span class="n">defaultValue</span> <span class="o">=</span> <span class="s">"World"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">name</span><span class="o">)</span> <span class="o">{</span> <span class="n">logger</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"Hello {}"</span><span class="o">,</span> <span class="n">name</span><span class="o">);</span> <span class="k">return</span> <span class="s">"Hello "</span> <span class="o">+</span> <span class="n">name</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>As you can see, this controller takes the username as the input and then logs it.</p> <p>Consequently, due to this controller logging data from user input, this application is vulnerable to log injection.</p> <h2> Attack </h2> <p>Primarily, log injection allows an attacker to forge log entries; this is what we call "log forging.” The easiest way is to forge a new log entry using CRLF injection. </p> <p>CRLF injection involves inserting two control characters called <code>Carriage Return</code> (<code>%0d</code> or <code>\r</code>) and <code>Line Feed</code> (<code>%0a</code> or <code>\n</code>).</p> <p>Here is an example of an CRLF injection on our greeting controller:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:8080/<span class="se">\?</span>name<span class="se">\=</span>Marty%0d%0aYou%20have%20been%20pwned </code></pre> </div> <p>This request results in the logging of two separate entries in the logger.<br> This could be annoying when later doing log analysis because there would be additional incorrect log entries.</p> <p>However, despite being primarily used to forge entries, sometimes, log injection attacks can also be used to inject malicious code that could then be executed either by the logging framework (like log4j2) or later in the logging pipeline.</p> <p>So, it is vital to prevent log injection attacks with a suitable defensive solution.</p> <h2> Considered options </h2> <p>There are many ways to prevent log injection attacks, such as:</p> <ul> <li><p><strong>Input validation</strong> involves checking that user inputs are in the expected format (mail, date, price, value from a list, ...). This is a good thing! However, for some types of data (like comments), input validation is too difficult and would not be very effective. Of course, you can keep going with input validation, but this is not enough to secure an application.</p></li> <li><p><strong>Input filtering</strong> involves stripping out unsafe characters. This is well-intentioned, but sometimes mangles perfectly good input. For example, if the filtering function strips the <code>''</code>, someone like <code>O'Conor</code> becomes <code>OConor</code>. Something that I doubt they would appreciate.</p></li> </ul> <p>These solutions are not acceptable if you want to build secure software.</p> <h2> Decision </h2> <p>The best way to prevent log injection is <em>output encoding</em>.<br> It is really easy to do with Logback!</p> <p>Here is the configuration file <code>logback.xml</code> to encode logs using <code>json</code> layout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="cp">&lt;?xml version="1.0" encoding="UTF-8"?&gt;</span> <span class="nt">&lt;configuration&gt;</span> <span class="nt">&lt;appender</span> <span class="na">name=</span><span class="s">"console"</span> <span class="na">class=</span><span class="s">"ch.qos.logback.core.ConsoleAppender"</span><span class="nt">&gt;</span> <span class="nt">&lt;encoder</span> <span class="na">class=</span><span class="s">"ch.qos.logback.core.encoder.LayoutWrappingEncoder"</span><span class="nt">&gt;</span> <span class="nt">&lt;layout</span> <span class="na">class=</span><span class="s">"ch.qos.logback.contrib.json.classic.JsonLayout"</span><span class="nt">&gt;</span> <span class="nt">&lt;jsonFormatter</span> <span class="na">class=</span><span class="s">"ch.qos.logback.contrib.jackson.JacksonJsonFormatter"</span><span class="nt">/&gt;</span> <span class="nt">&lt;appendLineSeparator&gt;</span>true<span class="nt">&lt;/appendLineSeparator&gt;</span> <span class="nt">&lt;/layout&gt;</span> <span class="nt">&lt;/encoder&gt;</span> <span class="nt">&lt;/appender&gt;</span> <span class="nt">&lt;root</span> <span class="na">level=</span><span class="s">"info"</span><span class="nt">&gt;</span> <span class="nt">&lt;appender-ref</span> <span class="na">ref=</span><span class="s">"console"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/root&gt;</span> <span class="nt">&lt;/configuration&gt;</span> </code></pre> </div> <p>And here is the dependencies required by Logback to support JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">dependencies</span> <span class="o">{</span> <span class="n">implementation</span> <span class="s1">'ch.qos.logback.contrib:logback-json-classic:0.1.5'</span> <span class="n">implementation</span> <span class="s1">'ch.qos.logback.contrib:logback-jackson:0.1.5'</span> <span class="o">}</span> </code></pre> </div> <p>With this configuration, each log entry is wrapped up in a JSON object:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="s2">"1643015604000"</span><span class="p">,</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="s2">"DEBUG"</span><span class="p">,</span><span class="w"> </span><span class="nl">"thread"</span><span class="p">:</span><span class="s2">"http-nio-8080-exec-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"logger"</span><span class="p">:</span><span class="s2">"net.example.logging.HelloController"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="s2">"Hello Marty</span><span class="se">\r\n</span><span class="s2">You have been pwned"</span><span class="p">,</span><span class="w"> </span><span class="nl">"context"</span><span class="p">:</span><span class="s2">"default"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>As you can see, special characters, like CRLF, are escaped.<br> This will be the same for quotation marks which will be encoded by <code>\"</code>.</p> <h2> Consequences </h2> <p>From this point onwards, this application is no longer vulnerable to log injection anymore.<br> However, there are consequences to consider.</p> <h3> Unreadable logs </h3> <p>Since each log entry is wrapped up in a JSON object, it becomes difficult to use logs with simple tools like <code>cat</code>, <code>tail</code> or <code>grep</code>.<br> So, a log management system, such as ELK (Elasticsearch, Logstash and Kibana), is mandatory.</p> <p>However, it is still possible to have several configurations using Spring Profile in <code>logback-spring.xml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="cp">&lt;?xml version="1.0" encoding="UTF-8"?&gt;</span> <span class="nt">&lt;configuration&gt;</span> <span class="nt">&lt;springProfile</span> <span class="na">name=</span><span class="s">"!local"</span><span class="nt">&gt;</span> <span class="c">&lt;!-- Configuration with JSON Layout --&gt;</span> <span class="nt">&lt;/springProfile&gt;</span> <span class="nt">&lt;springProfile</span> <span class="na">name=</span><span class="s">"local"</span><span class="nt">&gt;</span> <span class="c">&lt;!-- Configuration with Pattern Layout --&gt;</span>. <span class="nt">&lt;/springProfile&gt;</span> <span class="nt">&lt;/configuration&gt;</span> </code></pre> </div> <p>In this case, Spring Boot Application uses the default pattern layout when it starts locally.<br> Thus making logs easier to read for developers.</p> <h3> Sensitive Data </h3> <p>Keep in mind that this <code>JSON Layout</code> doesn't mask sensitive data in log entries.<br> A custom layout will still be required to mask sensitive line PII. </p> security appsec spring Angular Security - Serve application locally over HTTPS 0xdbe Thu, 09 Sep 2021 00:00:00 +0000 https://dev.to/0xdbe/angular-security-serve-application-locally-over-https-3dj https://dev.to/0xdbe/angular-security-serve-application-locally-over-https-3dj <p>When you develop an Angular application, you will come to a point where you need to serve it on localhost over HTTPS. This is often the case if you need to interact with an identity provider such as Facebook, Auth0, ... And by the way, testing locally with HTTPS could be useful to detect mixed content issues that can break a production HTTPS website.</p> <p>This article will walk you through setting Angular to use locally-trusted development certificate with <code>mkcert</code>. This is an easy way to expose an application over HTTPS without security warnings and you don't worry too much about OpenSSL.</p> <h2> Install mkcert </h2> <p><a href="https://github.com/FiloSottile/mkcert">mkcert</a> is a simple tool for making locally-trusted development certificates.<br> This tool is written by Filippo Valsorda, Cryptographer and Go security leader. Follow instructions on <a href="https://github.com/FiloSottile/mkcert#installation">https://github.com/FiloSottile/mkcert#installation</a> to install this tool.</p> <h2> Create local certificate authority </h2> <p>Run this command to create a new local certificate authority (CA):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mkcert <span class="nt">-install</span> </code></pre> </div> <p>This command did the following:</p> <ul> <li>Generate CA certificate and its key, and store them in an application data folder in the user home, such as <code>~/.local/share/mkcert/</code> </li> <li>Add this new certificate authority in trust stores (system, Firefox, Chrome, ...). So, all certificates issue with this CA will be trusted by your browser</li> </ul> <p>Be aware that the <code>rootCA-key.pem</code> file that <code>mkcert</code> automatically generates gives complete power to intercept secure requests from your machine. So, do not share it to stay safe against MITM (Man-in-the-middle) attack.</p> <h2> Get certificate </h2> <p>Run the following commands from Angular project directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>tls mkcert <span class="se">\</span> <span class="nt">-cert-file</span> ./tls/localhost-cert.pem <span class="se">\</span> <span class="nt">-key-file</span> ./tls/localhost-key.pem <span class="se">\</span> <span class="nt">-ecdsa</span> <span class="se">\</span> localhost 127.0.0.1 ::1 </code></pre> </div> <p>This certificate will expire in 3 months. In order to make renewal easier, we can create a shortcut for this command in <code>package.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"start"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run cert &amp; ng serve"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cert"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mkdir -p ./tls &amp; mkcert -cert-file ./tls/localhost-cert.pem -key-file ./tls/localhost-key.pem -ecdsa localhost 127.0.0.1 ::1"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Thus, you get a new certificate each time you start your application</p> <p>Don't forget to add <code>tls/*</code>in <code>.gitignore</code> to prevent publication of your private key.</p> <h2> Serve application </h2> <p>In order to serve Angular application securely, add <code>ssl</code>, <code>sslCert</code> and <code>sslKey</code> options to <code>serve</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ng serve <span class="se">\</span> <span class="nt">--ssl</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--sslCert</span><span class="o">=</span>./tls/localhost-cert.pem <span class="se">\</span> <span class="nt">--sslKey</span><span class="o">=</span>./tls/localhost-key.pem </code></pre> </div> <p>To avoid to write these options each time that we want to run this app over HTTPS, we can set them in the <code>angular.json</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"serve"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"builder"</span><span class="p">:</span><span class="w"> </span><span class="s2">"@angular-devkit/build-angular:dev-server"</span><span class="p">,</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ssl"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"sslCert"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tls/localhost-cert.pem"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sslKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tls/localhost-key.pem"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Like so, you can easily serve your app by using <code>npm start</code> and then, browse <a href="https://localhost:4200/">https://localhost:4200/</a> without security warning. But keep in mind that this could be used only for local development, not for production.</p> security appsec angular Angular Security - Disable Inline Critical CSS 0xdbe Mon, 06 Sep 2021 20:11:22 +0000 https://dev.to/0xdbe/angular-security-disable-inline-critical-css-2n9g https://dev.to/0xdbe/angular-security-disable-inline-critical-css-2n9g <p>Improving load time is crucial for the success of your application. One way to reduce this load time is to optimize the CSS loading but it is quite tricky, because CSS files are render-blocking. This means that the browser must download and parse these files before starting to render the web page.</p> <p>That's why Angular provides CSS optimization in order to reduce this render-blocking delay, and at the same time, to improve the First Contentful Paint (FCP). This optimization involves first inlining critical CSS and delaying the loading of non-critical CSS.</p> <p>This article describes what's wrong with this optimization and how to disable it to keep a strict CSP (Content Security Policy).</p> <h2> What's wrong? </h2> <p>Inline Critical CSS is an optimization that impacts our CSP (Content Security Policy):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>style-src-elem 'unsafe-inline'; // For Inlining critical CSS script-src 'unsafe-inline'; // For Delaying non-critical CSS </code></pre> </div> <p>To understand why it is necessary, let's take a look at these practices.</p> <h3> Inlining critical CSS </h3> <p>During the build process, Angular extracts first all CSS resources that block the rendering. Once critical CSS are extracted, Angular inlines them directly in the <code>index.html</code> file. In order to authorize inline CSS, we have to add the following content in our CSP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>style-src-elem 'unsafe-inline'; </code></pre> </div> <p>With this configuration, our CSP is not able to block <a href="https://www.netsparker.com/blog/web-security/private-data-stolen-exploiting-css-injection/">CSS injections</a> anymore. This problem is not new since inline CSS is used by Angular for Component Style. So, inlining critical CSS should not further affect our CSP.</p> <h3> Delaying non-critical CSS </h3> <p>After inlining critical CSS, the rest can be postponed. However, HTML and CSS don't support asynchronous loading for CSS files. To circumvent this issue, there is an Angular trick to load non-critical CSS asynchronously using <code>media</code> attribute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"styles.1d6c8a3b8017c43eaeda.css"</span> <span class="na">media=</span><span class="s">"print"</span> <span class="na">onload=</span><span class="s">"this.media='all'"</span><span class="nt">&gt;</span> </code></pre> </div> <p>Media type (<code>print</code>) doesn’t match the current environment, so the browser decides that it is less important and loads the stylesheet asynchronously, without delaying the page rendering. On load, we change media type so that the stylesheet gets applied to screens. In order to authorize event handlers that run inline script, we have to include the following content in our CSP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>script-src 'unsafe-inline'; </code></pre> </div> <p>This configuration almost defeats the purpose of CSP, thus we could be exposed to XSS attacks.</p> <h2> How to fix this? </h2> <p>For security purposes, inline critical CSS must be disabled to keep a strict CSP.</p> <p>Inline critical CSS is a new optimization introduced in Angular 11.1. However it was disabled by default. This optimization is now enabled by default in v12 and you have to set <code>inlineCritical</code> to <code>false</code> in <code>angular.json</code> for each configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"configurations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"production"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"optimization"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"styles"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"minify"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"inlineCritical"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"fonts"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>With this configuration, Angular includes CSS as before:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"styles.css"</span><span class="nt">&gt;</span> </code></pre> </div> <p>And we don't have to weaken our CSP!</p> security appsec angular