cebb22e349ef7292cb4deea3d9addf6c2c88c95f
galt
  Thu Aug 10 20:32:28 2023 -0700
Fixing a devilish way hackers have found to exploit bugs in javascript libraries at public sites. By including multiple bugs from multiple libraries that they insert into your page, this allows them to load anything from those sites. We have to change the policy to only list the specific files actually needed and not be lazy and just whitelist the entire domain. This was a lot of work: going through every line of the policy, doing grep searches, combining the results and double-checking it all. refs #31954, #31855

diff --git src/lib/htmshell.c src/lib/htmshell.c
index bf39ebf..6f00097 100644
--- src/lib/htmshell.c
+++ src/lib/htmshell.c
@@ -956,51 +956,85 @@
 dyStringAppend(policy, "default-src *;");
 
 /* more secure method not used yet 
 dyStringAppend(policy, "default-src 'self';");
 
 dyStringAppend(policy, "  child-src 'self';");
 */
 
 dyStringAppend(policy, " script-src 'self' blob:");
 // Trick for backwards compatibility with browsers that understand CSP1 but not nonces (CSP2).
 dyStringAppend(policy, " 'unsafe-inline'");
 // For browsers that DO understand nonces and CSP2, they ignore 'unsafe-inline' in script if nonce is present.
 char *noncePolicy=getNoncePolicy();
 dyStringPrintf(policy, " %s", noncePolicy);
 freeMem(noncePolicy);
-dyStringAppend(policy, " code.jquery.com");          // used by hgIntegrator jsHelper and others
-dyStringAppend(policy, " www.google-analytics.com"); // used by google analytics
-dyStringAppend(policy, " www.googletagmanager.com"); // used by google tag manager (new version of analytics)
+
+/* Rules for adding 3rd party javascript libraries to the CSP policy:
+ 1. Do not include the http:// or https:// from the beginning of the URL
+ 2. Keep the domain on through the rest of the path through to the .js ending.
+ 3. Delete any parameters from the end that rare CGI URLs have like ?somvar=someval 
+ 4. For security reasons, do not add just a domain, because hackers have found ways to 
+     dynamically insert into the page script tags that load other buggy libraries hosted at the same public site 
+     that they can combine to do XSS javascript injection which we want to avoid.
+*/
+
+// used by hgIntegrator jsHelper and others
+dyStringAppend(policy, " code.jquery.com/jquery-1.9.1.min.js");
+dyStringAppend(policy, " code.jquery.com/jquery-1.12.3.min.js");
+dyStringAppend(policy, " code.jquery.com/ui/1.10.3/jquery-ui.min.js");
+dyStringAppend(policy, " code.jquery.com/ui/1.11.0/jquery-ui.min.js");
+dyStringAppend(policy, " code.jquery.com/ui/1.12.1/jquery-ui.js");
+
+// used by google analytics
+dyStringAppend(policy, " www.google-analytics.com/analytics.js");
+
+// used by google tag manager (new version of analytics)
+dyStringAppend(policy, " www.googletagmanager.com/gtag/js");
+
 // cirm cdw lib and web browse
 dyStringAppend(policy, " www.samsarin.com/project/dagre-d3/latest/dagre-d3.js");
+
+dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/bowser/1.6.1/bowser.min.js");
 dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/d3/3.4.4/d3.min.js");
 dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/jquery/1.12.1/jquery.min.js");
 dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/jstree/3.2.1/jstree.min.js");
-dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/bowser/1.6.1/bowser.min.js");
 dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/jstree/3.3.4/jstree.min.js");
 dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/jstree/3.3.7/jstree.min.js");
-dyStringAppend(policy, " login.persona.org/include.js");
 dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js");
+
+dyStringAppend(policy, " login.persona.org/include.js");
+
 // expMatrix
-dyStringAppend(policy, " ajax.googleapis.com");
-dyStringAppend(policy, " maxcdn.bootstrapcdn.com");
+dyStringAppend(policy, " ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js");
+dyStringAppend(policy, " ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js");
+dyStringAppend(policy, " ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js");
+dyStringAppend(policy, " ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js");
+dyStringAppend(policy, " ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js");
+dyStringAppend(policy, " maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js");
+dyStringAppend(policy, " maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js");
+dyStringAppend(policy, " maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.js");
+dyStringAppend(policy, " maxcdn.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js");
+dyStringAppend(policy, " maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js");
+
 dyStringAppend(policy, " d3js.org/d3.v3.min.js");
+
 // jsHelper
-dyStringAppend(policy, " cdn.datatables.net");
+dyStringAppend(policy, " cdn.datatables.net/1.10.12/js/jquery.dataTables.min.js");
+
 // shephered js for tutorial overlay
-dyStringAppend(policy, " cdn.jsdelivr.net");
+dyStringAppend(policy, " cdn.jsdelivr.net/npm/shepherd.js@11.0.1/dist/js/shepherd.min.js");
 dyStringAppend(policy, " www.google.com/recaptcha/api.js");
 
 dyStringAppend(policy, ";");
 
 
 dyStringAppend(policy, " style-src * 'unsafe-inline';");
 
 /* more secure method not used yet 
 dyStringAppend(policy, " style-src 'self' 'unsafe-inline'");
 dyStringAppend(policy, " code.jquery.com");          // used by hgIntegrator
 dyStringAppend(policy, " netdna.bootstrapcdn.com");  // used by hgIntegrator
 dyStringAppend(policy, " fonts.googleapis.com");    // used by hgGateway
 dyStringAppend(policy, " maxcdn.bootstrapcdn.com"); // used by hgGateway
 dyStringAppend(policy, ";");
 */
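Review bot: The rule comment added above the list leaves out a CSP caveat that bears directly on this hardening: when a listed URL answers with a redirect, browsers stop matching on the path and check only the scheme and host of the redirect target, so a host that redirects still effectively allows its whole origin, and a path-only list does nothing about the contents of a file changing at the same URL. Suggest a fifth rule such as `5. Path restrictions are ignored after a redirect, so prefer URLs that serve the file directly, and add integrity= attributes on the <script> tags so that a changed file at a listed URL is rejected.` As a point of style, the thirty-odd consecutive `dyStringAppend` calls are easier to audit, and harder to mis-edit on the next version bump, as one static table emitted in a loop, as sketched below. The `default-src *;` and `style-src * 'unsafe-inline';` context lines remain wide open, but they are outside this change; the enclosing function both starts before and ends after this hunk.
```c
/* … unchanged: default-src, script-src 'self' blob: 'unsafe-inline' and the nonce … */

/* Exact script URLs allowed by script-src (scheme stripped, no query string).
 * CSP matches a path that does not end in '/' exactly, so every library
 * version in use needs its own entry. */
static const char *scriptSrcUrls[] =
    {
    "code.jquery.com/jquery-1.9.1.min.js",     // used by hgIntegrator jsHelper and others
    "www.google-analytics.com/analytics.js",   // used by google analytics
    "www.googletagmanager.com/gtag/js",        // used by google tag manager
    /* … remaining entries from the list above, one URL per line, grouped and commented as before … */
    "www.google.com/recaptcha/api.js",
    };
size_t i;
for (i = 0; i < sizeof(scriptSrcUrls) / sizeof(scriptSrcUrls[0]); ++i)
    dyStringPrintf(policy, " %s", scriptSrcUrls[i]);
dyStringAppend(policy, ";");

/* … unchanged: style-src and the commented-out stricter policy … */
```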