Add CSP headers to Netbox
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	Legoktm
	Nov 23 2021, 10:59 PM

Description

Following today's security report, netbox would benefit from adding CSP as a hardening measure against potential attacks.

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	Netbox: add CSP headers	operations/puppet	production	+3 -0

Customize query in gerrit

Event Timeline

Legoktm created this task.Nov 23 2021, 10:59 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 23 2021, 10:59 PM

Legoktm added a project: netbox.Nov 23 2021, 11:00 PM

Legoktm added a subscriber: Volans.

Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptNov 23 2021, 11:00 PM

I'm not planning to go into all the JS, but as a start Content-Security-Policy: default-src 'self' should prevent loading from other domains.

Volans added a subscriber: jbond.Nov 24 2021, 10:44 AM

Sounds reasonable, +1 from the Security-Team.

I tried to add Header always set Content-Security-Policy "default-src 'self';" to our test instance but got multiple instance of this error:

Content Security Policy: The page’s settings blocked the loading of a resource at data:image/svg+xml,%3Csvg xmlns='http://… (“default-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).

Not sure what's up with the former, but for the later, there is indeed inline JS, for example: https://github.com/netbox-community/netbox/blob/v3.2.7/netbox/templates/base/base.html#L29

@Legoktm: any recommendation?

@ayounsi - the unsafe-inline source list keyword is probably the easiest way to fix the inline issue. Assuming, of course, that we actually trust all of the inline source used within Netbox, which I assume we would without knowing any further details. And I believe the data: scheme needs to be explicitly added to allow those sources. Also, google's csp evaluator is a nice, handy tool with which to debug various policy configurations: https://csp-evaluator.withgoogle.com/. So something like the following should work:

default-src 'self' 'unsafe-inline';
object-src 'none';
img-src 'self' data:;

Of course, unsafe-inline is indeed fairly unsafe. But the alternatives of using nonces or hashes is quite a bit more involved to implement, especially for upstream code that we do not fully control.

Thanks!
This clears all the errors and afaik is the best we can do without tight Django integration.
Header always set Content-Security-Policy "default-src 'self'; style-src 'unsafe-inline' 'self'; script-src 'unsafe-inline' 'self'; img-src 'self' data:;"

default-src 'self';
style-src 'unsafe-inline' 'self';
script-src 'unsafe-inline' 'self';
img-src 'self' data:;

object-src 'self' (through default-src) is needed for:

Content Security Policy: The page’s settings blocked the loading of a resource at https://netbox-next.wikimedia.org/api/dcim/racks/77/elevation/?face=front&render=svg (“object-src”).

https://gerrit.wikimedia.org/r/c/operations/puppet/+/820645

Deployed. Please re-open if any issues.

sbassett triaged this task as Low priority.Aug 8 2022, 2:37 PM

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed the edit policy from "Custom Policy" to "All Users".

sbassett changed Risk Rating from N/A to Low.

sbassett awarded a token.

Add CSP headers to NetboxClosed, ResolvedPublicSecurityActions

Description

Details

Event Timeline

Add CSP headers to Netbox
Closed, ResolvedPublicSecurity
Actions