Solved unsafe inline bug

2025-05-18 18:50:32 +02:00 · 2025-05-15 10:04:34 +02:00 · 2025-05-15 10:04:34 +02:00 · 6b7314baac
commit 6b7314baac
parent 779c60ef20
7 changed files with 28 additions and 9 deletions
--- a/filter_plugins/csp_filters.py
+++ b/filter_plugins/csp_filters.py
@ -97,8 +97,11 @@ class FilterModule(object):

            for directive in directives:
                tokens = ["'self'"]
+                
                # unsafe-eval / unsafe-inline flags
-                tokens += self.get_csp_flags(applications, application_id, directive)
+                flags = self.get_csp_flags(applications, application_id, directive)
+                tokens += flags
+
                # Matomo integration
                if (
                    self.is_feature_enabled(applications, matomo_feature_name, application_id)
@ -107,11 +110,15 @@ class FilterModule(object):
                    matomo_domain = domains.get('matomo')
                    if matomo_domain:
                        tokens.append(f"{web_protocol}://{matomo_domain}")
+
                # whitelist
                tokens += self.get_csp_whitelist(applications, application_id, directive)
-                # inline hashes from config
-                for snippet in self.get_csp_inline_content(applications, application_id, directive):
-                    tokens.append(self.get_csp_hash(snippet))
+
+                # only add hashes if 'unsafe-inline' is NOT in flags
+                if "'unsafe-inline'" not in flags:
+                    for snippet in self.get_csp_inline_content(applications, application_id, directive):
+                        tokens.append(self.get_csp_hash(snippet))
+
                parts.append(f"{directive} {' '.join(tokens)};")

            # static img-src
--- a/roles/backup-docker-to-local/tasks/main.yml
+++ b/roles/backup-docker-to-local/tasks/main.yml
@ -14,6 +14,7 @@
 - name: Set fact for backup_docker_to_local_folder
  set_fact:
    backup_docker_to_local_folder: "{{ pkgmgr_output.stdout }}/"
+  changed_when: false
  when: run_once_backup_docker_to_local is not defined

 - name: configure backup-docker-to-local-everything.cymais.service
--- a/roles/cleanup-failed-docker-backups/tasks/main.yml
+++ b/roles/cleanup-failed-docker-backups/tasks/main.yml
@ -14,6 +14,7 @@
 - name: Set fact for backup_docker_to_local_cleanup_script
  set_fact:
    backup_docker_to_local_cleanup_script: "{{ pkgmgr_output.stdout.rstrip('/') ~ '/cleanup-all.sh' }}"
+  changed_when: false
  when: run_once_cleanup_failed_docker_backups is not defined

 - name: configure cleanup-failed-docker-backups.cymais.service
--- a/roles/nginx-https-get-cert/tasks/main.yml
+++ b/roles/nginx-https-get-cert/tasks/main.yml
@ -24,10 +24,12 @@
    debug: "{{ enable_debug | default(false) }}"
  register: cert_folder_result
  delegate_to: "{{ inventory_hostname }}"
+  changed_when: false

 - name: Set fact
  set_fact:
    ssl_cert_folder: "{{ cert_folder_result.folder }}"
+  changed_when: false

 - name: Ensure ssl_cert_folder is set
  fail:
--- a/roles/nginx-modifier-matomo/tasks/main.yml
+++ b/roles/nginx-modifier-matomo/tasks/main.yml
@ -25,6 +25,7 @@
  set_fact:
    matomo_site_id: "{{ site_check.json[0].idsite }}"
  when: "(site_check.json | length) > 0"
+  changed_when: false

 - name: Add site to Matomo and get ID if not exists
  uri:
@ -42,6 +43,7 @@
  set_fact:
    matomo_site_id: "{{ add_site.json.value }}"
  when: "matomo_site_id is not defined or matomo_site_id is none"
+  changed_when: false

 - name: Set the Matomo tracking code from a template file
  set_fact:
--- a/roles/nginx-redirect-domains/tasks/redirect-domain.yml
+++ b/roles/nginx-redirect-domains/tasks/redirect-domain.yml
@ -2,7 +2,7 @@
  include_role: 
    name: nginx-https-get-cert

- name: configure nginx redirect configurations
+- name: "Deploying NGINX redirect configuration for {{ domain }}"
  template:
    src:  redirect.domain.nginx.conf.j2
    dest: "{{ nginx.directories.http.servers }}{{ domain }}.conf"
--- a/tests/unit/test_csp_filters.py
+++ b/tests/unit/test_csp_filters.py
@ -122,14 +122,20 @@ class TestCspFilters(unittest.TestCase):
            # passing a non-decodable object
            self.filter.get_csp_hash(None)

-    def test_build_csp_header_includes_hashes(self):
+    def test_build_csp_header_includes_hashes_only_if_no_unsafe_inline(self):
+        """
+        script-src has unsafe-inline = False -> hash should be included
+        style-src has unsafe-inline = True  -> hash should NOT be included
+        """
        header = self.filter.build_csp_header(self.apps, 'app1', self.domains, web_protocol='https')
-        # check that the script-src directive includes our inline hash
+
+        # script-src includes hash because 'unsafe-inline' is False
        script_hash = self.filter.get_csp_hash("console.log('hello');")
        self.assertIn(script_hash, header)
-        # check that the style-src directive includes its inline hash
+
+        # style-src does NOT include hash because 'unsafe-inline' is True
        style_hash = self.filter.get_csp_hash("body { background: #fff; }")
-        self.assertIn(style_hash, header)
+        self.assertNotIn(style_hash, header)

 if __name__ == '__main__':
    unittest.main()