From 788fe74859b1fa491053d1fcd8bb32f42e7898b6 Mon Sep 17 00:00:00 2001
From: Ed Tanous
Date: Mon, 22 Apr 2024 12:41:06 -0700
Subject: Remove XSS prevention code

This feature was created for a time before webpack had a built in proxy, and to debug the UI required setting specific flags. The webpack proxy solves this problem in a much better way, by proxying everything. This commit is one piece in the solving a use after free bug. Removing this allows us to no longer have to cache the origin header [1], which is only used in this mode.

Tested: Code compiles.

[1] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/70850

Change-Id: I01d67006e217c0c9fd2db7526c0ec34b0da068f3
Signed-off-by: Ed Tanous
---
 config/bmcweb_config.h.in | 3 ---
 config/meson.build | 2 --
 include/cors_preflight.hpp | 19 --------------
 include/security_headers.hpp | 60 +++++++++++---------------------------------
 meson_options.txt | 7 ------
 src/webserver_run.cpp | 6 -----
 6 files changed, 14 insertions(+), 83 deletions(-)
 delete mode 100644 include/cors_preflight.hpp

diff --git a/config/bmcweb_config.h.in b/config/bmcweb_config.h.in
index d3b174c470..a8ae29ef91 100644
--- a/config/bmcweb_config.h.in
+++ b/config/bmcweb_config.h.in
@@ -4,9 +4,6 @@
 #include
 // clang-format off
-constexpr const int bmcwebInsecureDisableXssPrevention =
- @BMCWEB_INSECURE_DISABLE_XSS_PREVENTION@;
-
 constexpr const bool bmcwebInsecureEnableQueryParams =
 @BMCWEB_INSECURE_ENABLE_QUERY_PARAMS@ == 1;
 constexpr const size_t bmcwebHttpReqBodyLimitMb = @BMCWEB_HTTP_REQ_BODY_LIMIT_MB@;
diff --git a/config/meson.build b/config/meson.build
index 1c6f78a999..26c9bd4b3a 100644
--- a/config/meson.build
+++ b/config/meson.build
@@ -2,8 +2,6 @@ conf_data = configuration_data()
 conf_data.set('BMCWEB_HTTP_REQ_BODY_LIMIT_MB', get_option('http-body-limit'))
-xss_enabled = get_option('insecure-disable-xss')
-conf_data.set10('BMCWEB_INSECURE_DISABLE_XSS_PREVENTION', xss_enabled.allowed())
 enable_redfish_query = get_option('insecure-enable-redfish-query')
 conf_data.set10('BMCWEB_INSECURE_ENABLE_QUERY_PARAMS', enable_redfish_query.allowed())
 # enable_redfish_aggregation = get_option('redfish-aggregation')
diff --git a/include/cors_preflight.hpp b/include/cors_preflight.hpp
deleted file mode 100644
index b7272229b1..0000000000
--- a/include/cors_preflight.hpp
+++ /dev/null
@@ -1,19 +0,0 @@
-#pragma once
-
-#include "app.hpp"
-#include "http_request.hpp"
-#include "http_response.hpp"
-
-namespace cors_preflight
-{
-inline void requestRoutes(App& app)
-{
- BMCWEB_ROUTE(app, "")
- .methods(boost::beast::http::verb::options)(
- [](const crow::Request& /*req*/,
- const std::shared_ptr&, const std::string&) {
- // An empty body handler that simply returns the headers bmcweb
- // uses This allows browsers to do their CORS preflight checks
- });
-}
-} // namespace cors_preflight
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index a9c3fc419a..c0855f439d 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -58,51 +58,19 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
 res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
 res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
 res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
- if (bmcwebInsecureDisableXssPrevention == 0)
- {
- res.addHeader("Content-Security-Policy", "default-src 'none'; "
- "img-src 'self' data:; "
- "font-src 'self'; "
- "style-src 'self'; "
- "script-src 'self'; "
- "connect-src 'self' wss:; "
- "form-action 'none'; "
- "frame-ancestors 'none'; "
- "object-src 'none'; "
- "base-uri 'none' ");
- // The KVM currently needs to load images from base64 encoded
- // strings. img-src 'self' data: is used to allow that.
- // https://stackoverflow.com/questions/18447970/content-security-polic
- // y-data-not-working-for-base64-images-in-chrome-28
- }
- else
- {
- // If XSS is disabled, we need to allow loading from addresses
- // other than self, as the BMC will be hosted elsewhere.
- res.addHeader("Content-Security-Policy", "default-src 'none'; "
- "img-src * data:; "
- "font-src *; "
- "style-src *; "
- "script-src *; "
- "connect-src *; "
- "form-action *; "
- "frame-ancestors *; "
- "object-src *; "
- "base-uri *");
-
- std::string_view origin = req.getHeaderValue("Origin");
- res.addHeader(bf::access_control_allow_origin, origin);
- res.addHeader(bf::access_control_allow_methods, "GET, "
- "POST, "
- "PUT, "
- "PATCH, "
- "DELETE");
- res.addHeader(bf::access_control_allow_credentials, "true");
- res.addHeader(bf::access_control_allow_headers, "Origin, "
- "Content-Type, "
- "Accept, "
- "Cookie, "
- "X-XSRF-TOKEN");
- }
+ res.addHeader("Content-Security-Policy", "default-src 'none'; "
+ "img-src 'self' data:; "
+ "font-src 'self'; "
+ "style-src 'self'; "
+ "script-src 'self'; "
+ "connect-src 'self' wss:; "
+ "form-action 'none'; "
+ "frame-ancestors 'none'; "
+ "object-src 'none'; "
+ "base-uri 'none' ");
+ // The KVM currently needs to load images from base64 encoded
+ // strings. img-src 'self' data: is used to allow that.
+ // https://stackoverflow.com/questions/18447970/content-security-polic
+ // y-data-not-working-for-base64-images-in-chrome-28
 }
 }
diff --git a/meson_options.txt b/meson_options.txt
index 39a410bc08..d10d1b3dde 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -315,13 +315,6 @@ option(
 Should be set to false for production systems.'''
 )
-option(
- 'insecure-disable-xss',
- type: 'feature',
- value: 'disabled',
- description: 'Disable XSS preventions'
-)
-
 option(
 'insecure-tftp-update',
 type: 'feature',
diff --git a/src/webserver_run.cpp b/src/webserver_run.cpp
index bb037232aa..f02ead96b9 100644
--- a/src/webserver_run.cpp
+++ b/src/webserver_run.cpp
@@ -3,7 +3,6 @@
 #include "bmcweb_config.h"
 #include "app.hpp"
-#include "cors_preflight.hpp"
 #include "dbus_monitor.hpp"
 #include "dbus_singleton.hpp"
 #include "event_service_manager.hpp"
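Review bot: The kept Content-Security-Policy literal still ends with a trailing space inside the quotes, `"base-uri 'none' ");` — browsers tolerate it, but since the line is being rewritten anyway it should read `"base-uri 'none'");`. The removed `else` branch carried the only comment explaining why a permissive policy ever existed, so nothing now tells a reader why the CSP is unconditional; a note such as `// Intentionally unconditional: UI development against a remote BMC goes through the webpack dev-server proxy rather than relaxing these headers.` placed above the `res.addHeader("Content-Security-Policy", ...)` call would preserve that context. With the `req.getHeaderValue("Origin")` read gone, `req` appears unused in the part of addSecurityHeaders visible here (the signature already marks it `[[maybe_unused]]`), and the `bf::` alias and any `bmcweb_config.h` include in this header may now be dead as well — worth checking outside the hunk, since addSecurityHeaders begins before it.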
@@ -81,11 +80,6 @@ int run()
 crow::google_api::requestRoutes(app);
 #endif
- if (bmcwebInsecureDisableXssPrevention != 0)
- {
- cors_preflight::requestRoutes(app);
- }
-
 crow::login_routes::requestRoutes(app);
 #ifdef BMCWEB_ENABLE_VM_NBDPROXY
--
cgit v1.2.3