
CSP causes images not to load from AWS S3 and Google Avatar #14664

Open
2 tasks done
tompson opened this issue Apr 30, 2024 · 1 comment


tompson commented Apr 30, 2024

Debug mode

Describe the bug

We are using S3 Buckets for storing uploaded images but they are not loaded in the browser because the URL violates the CSP

https://our-snipeit-public.s3.eu-west-1.amazonaws.com/assets/asset-image-asdafsdf.jpeg

Also Google User Avatars are not loaded because they violate the CSP

https://lh3.googleusercontent.com/a/ACg8ocJ6zs9J_VbdONsjPJHQWWsakG-XO1qpl30DAtG5fqR42_-XsaqI=s96-c

The current CSP header is:

default-src 'self';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';connect-src 'self';object-src 'none';font-src 'self' data:;img-src 'self' data: https://assets.example.com https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com;img-src 'self' data:

Reproduction steps

  1. Use S3 for storing images
  2. Use Google for SSO

Expected behavior

images should be loaded from those external services and blocked by CSP

Screenshots

No response

Snipe-IT Version

6.3.4

Operating System

Ubuntu, Docker

Web Server

Traefik

PHP Version

that of docker image snipe/snipe-it:v6.3.4

Operating System

No response

Browser

No response

Version

No response

Device

No response


Error messages

No response

Additional context

No response

snipe (Owner) commented May 16, 2024

I'm not really sure of the best way to account for that. Maybe add an env var for additional CSP urls.

if ($this->avatar) {
    // Check if it's a google avatar or some external avatar
    if (Str::startsWith($this->avatar, ['http://', 'https://'])) {
        return $this->avatar;
    }
    // Otherwise assume it's an uploaded image
    return Storage::disk('public')->url('avatars/'.e($this->avatar));
}

We can't just accept anything, or it would defeat the purpose of the CSP in the first place.

We do account for the public AWS URL tho.

$csp_policy[] = "img-src 'self' data: ".config('app.url').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com';
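The env-var approach suggested above has to validate what an operator puts into the variable, otherwise a value such as `*` or `'unsafe-inline'` would silently widen `img-src` to everything and defeat the policy. The following is an added illustration, not Snipe-IT's own code: it keeps the existing allow-list, appends entries from a hypothetical `ADDITIONAL_CSP_URLS` environment variable, and accepts only `https://` origins or bare host patterns (an optional leading `*.` is allowed, a bare wildcard, keyword sources and `http://` entries are dropped). The sample base list and the two hosts from the report are constructed inputs; `str_starts_with` assumes PHP 8.0 or later. One caveat worth knowing when reading the header quoted in the report: when a directive such as `img-src` appears twice in one policy, browsers honour only the first occurrence, so the trailing `img-src 'self' data:` there is ignored rather than merged.

```php
<?php
// Added example (not Snipe-IT code): build img-src from the built-in allow-list
// plus operator-supplied extra sources, rejecting anything that would broaden
// the directive beyond a specific origin or host pattern.

declare(strict_types=1);

/**
 * Normalise one configured entry into a CSP source expression, or return null
 * if it must be rejected. Accepted shapes: "https://host[:port]" or
 * "host" / "*.host". Paths, bare "*", "http://" and quoted keyword sources
 * ('self', 'unsafe-inline', ...) are rejected on purpose.
 */
function normalizeCspSource(string $entry): ?string
{
    $entry = strtolower(trim($entry));
    if ($entry === '') {
        return null;
    }
    // Keyword sources and the bare wildcard belong in code, never in config.
    if ($entry[0] === "'" || $entry === '*' || str_starts_with($entry, '*:')) {
        return null;
    }
    // Plain-text scheme would also cause mixed-content blocking on an https site.
    if (str_starts_with($entry, 'http://')) {
        return null;
    }
    $pattern = '/^(?:https:\/\/)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\d{1,5})?$/';
    return preg_match($pattern, $entry) === 1 ? $entry : null;
}

/**
 * Merge validated extra sources (comma-separated, as an env var would hold
 * them) into the base list and render the img-src directive.
 */
function buildImgSrcDirective(array $baseSources, string $extraCsv): string
{
    $sources = $baseSources;
    foreach (explode(',', $extraCsv) as $candidate) {
        $normalized = normalizeCspSource($candidate);
        if ($normalized !== null && !in_array($normalized, $sources, true)) {
            $sources[] = $normalized;
        }
    }
    return 'img-src ' . implode(' ', $sources);
}

// Constructed sample: the base list mirrors the directive quoted above, with a
// placeholder app URL; the extra value mixes the two hosts from the report with
// entries that must be dropped.
$base = [
    "'self'", 'data:', 'https://app.example.test', 'https://secure.gravatar.com',
    'maps.google.com', 'maps.gstatic.com', '*.googleapis.com',
];
$extra = "https://our-snipeit-public.s3.eu-west-1.amazonaws.com, lh3.googleusercontent.com, *, 'unsafe-inline', http://insecure.example.test";

// In a Laravel middleware this string would replace the hard-coded
// $csp_policy[] entry, with $extra read from env('ADDITIONAL_CSP_URLS', '').
echo buildImgSrcDirective($base, $extra), PHP_EOL;
```

Run with `php csp_imgsrc.php`: the S3 bucket host and `lh3.googleusercontent.com` are appended, while `*`, `'unsafe-inline'` and the `http://` entry are discarded. Logging the rejected entries at boot is a sensible addition so a mistyped value is noticed rather than silently ignored.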

snipe added a commit that referenced this issue May 16, 2024
Fixed #14664 - allow additional urls in env for CSP