
Add CSP headers to Netbox
Closed, ResolvedPublicSecurity

Description

Following today's security report, netbox would benefit from adding CSP as a hardening measure against potential attacks.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

I'm not planning to go into all the JS, but as a start Content-Security-Policy: default-src 'self' should prevent loading from other domains.

sbassett added a subscriber: sbassett.

Sounds reasonable, +1 from the Security-Team.

I tried to add Header always set Content-Security-Policy "default-src 'self';" to our test instance but got multiple instances of this error:

Content Security Policy: The page’s settings blocked the loading of a resource at data:image/svg+xml,%3Csvg xmlns='http://… (“default-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).

Not sure what's up with the former, but for the latter, there is indeed inline JS, for example: https://github.com/netbox-community/netbox/blob/v3.2.7/netbox/templates/base/base.html#L29

@Legoktm: any recommendation?

@ayounsi - the unsafe-inline source list keyword is probably the easiest way to fix the inline issue. Assuming, of course, that we actually trust all of the inline source used within Netbox, which I assume we would without knowing any further details. And I believe the data: scheme needs to be explicitly added to allow those sources. Also, google's csp evaluator is a nice, handy tool with which to debug various policy configurations: https://csp-evaluator.withgoogle.com/. So something like the following should work:

default-src 'self' 'unsafe-inline';
object-src 'none';
img-src 'self' data:;

Of course, unsafe-inline is indeed fairly unsafe. But the alternatives of using nonces or hashes are quite a bit more involved to implement, especially for upstream code that we do not fully control.

Thanks!
This clears all the errors and afaik is the best we can do without tight Django integration.
Header always set Content-Security-Policy "default-src 'self'; style-src 'unsafe-inline' 'self'; script-src 'unsafe-inline' 'self'; img-src 'self' data:;"

default-src 'self';
style-src 'unsafe-inline' 'self';
script-src 'unsafe-inline' 'self';
img-src 'self' data:;

object-src 'self' (through default-src) is needed for:

Content Security Policy: The page’s settings blocked the loading of a resource at https://netbox-next.wikimedia.org/api/dcim/racks/77/elevation/?face=front&render=svg (“object-src”).
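A small checker for the directive fallback discussed in this thread, as an added example (not code from the task or from NetBox): it parses the deployed header and reports whether each resource the comments saw blocked is allowed by it. The page origin is taken from the error message above; the third-party script URL is a constructed sample, and scheme and host matching are simplified relative to the CSP spec.

```python
# Added example (not from the task or from NetBox): checks how CSP fetch
# directives fall back to default-src, using the policy deployed in this task.
from urllib.parse import urlsplit

FINAL_POLICY = ("default-src 'self'; style-src 'unsafe-inline' 'self'; "
                "script-src 'unsafe-inline' 'self'; img-src 'self' data:;")
PAGE_ORIGIN = "https://netbox-next.wikimedia.org"  # origin seen in the error above

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def effective_sources(policy, directive):
    """Fetch directives inherit from default-src when not set explicitly."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])

def allows(policy, directive, resource, page_origin=PAGE_ORIGIN):
    """resource: a URL, a 'data:...' string, or the literal 'inline'."""
    sources = effective_sources(policy, directive)
    if "'none'" in sources:
        return False
    if resource == "inline":
        return "'unsafe-inline'" in sources
    parts = urlsplit(resource)
    if parts.scheme in ("data", "blob", "filesystem"):
        return f"{parts.scheme}:" in sources  # 'self' never covers data:
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    for src in sources:
        if src == "*" or src.lower() == origin:
            return True
        if src == "'self'" and origin == page_origin.lower():
            return True
        if src.endswith(":") and src[:-1] == parts.scheme:  # e.g. https:
            return True
    return False

def check_final_policy():
    """The resources the thread saw blocked, checked against the deployed policy."""
    policy = parse_csp(FINAL_POLICY)
    elevation = PAGE_ORIGIN + "/api/dcim/racks/77/elevation/?face=front&render=svg"
    return {
        "inline-script": allows(policy, "script-src", "inline"),
        "data-svg": allows(policy, "img-src", "data:image/svg+xml,%3Csvg"),
        "rack-elevation": allows(policy, "object-src", elevation),
        # constructed sample: a script from another origin must still be blocked
        "third-party-script": allows(policy, "script-src", "https://example.invalid/x.js"),
    }
```

Running `check_final_policy()` shows the three blocked resources now pass while a cross-origin script stays blocked; the original `default-src 'self'` rejects both the inline script and the data: image.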

ayounsi claimed this task.

Deployed. Please re-open if any issues.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett awarded a token.