From 98b03b5a967d180ebbde582744965870a0ce2c05 Mon Sep 17 00:00:00 2001
From: Michael
Date: Wed, 13 Nov 2024 09:36:09 -0600
Subject: [PATCH] Add wasm to content security policy for web ssh terminal (#48849)

Without this, wasm modules imported by xtermjs cannot function. This follows the same policy as web desktop sessions
---
 lib/httplib/httpheaders.go | 6 +++++-
 lib/httplib/httplib_test.go | 17 +++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/lib/httplib/httpheaders.go b/lib/httplib/httpheaders.go
index 9a62c8eb2703e..ddc36c71fb18f 100644
--- a/lib/httplib/httpheaders.go
+++ b/lib/httplib/httpheaders.go
@@ -188,6 +188,10 @@ var desktopSessionRe = regexp.MustCompile(`^/web/cluster/[^/]+/desktops/[^/]+/[^
 // which is a route to a desktop recording that uses WASM.
 var recordingRe = regexp.MustCompile(`^/web/cluster/[^/]+/session/[^/]+$`)
 
+// regex for the ssh terminal endpoint /web/cluster/:clusterId/console/node/:sid/:login
+// which is a route to a ssh session that uses WASM.
+var sshSessionRe = regexp.MustCompile(`^/web/cluster/[^/]+/console/node/[^/]+/[^/]+$`)
+
 var indexCSPStringCache *cspCache = newCSPCache()
 
 func getIndexContentSecurityPolicyString(cfg proto.Features, urlPath string) string {
@@ -197,7 +201,7 @@ func getIndexContentSecurityPolicyString(cfg proto.Features, urlPath string) str
 }
 
 // Nothing found in cache, calculate regex and result
- withWasm := desktopSessionRe.MatchString(urlPath) || recordingRe.MatchString(urlPath)
+ withWasm := desktopSessionRe.MatchString(urlPath) || recordingRe.MatchString(urlPath) || sshSessionRe.MatchString(urlPath)
 cspString := GetContentSecurityPolicyString(
 getIndexContentSecurityPolicy(withWasm),
 )
diff --git a/lib/httplib/httplib_test.go b/lib/httplib/httplib_test.go
index ef7adc063da41..33fce42ecb976 100644
--- a/lib/httplib/httplib_test.go
+++ b/lib/httplib/httplib_test.go
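Review bot: The comment on `sshSessionRe` in the first hunk describes the route but not the consequence of a match, which is that `script-src` gains `'wasm-unsafe-eval'` for that page (the test case added in this commit pins that value). I would say so where the pattern is defined, for example `// sshSessionRe matches the web SSH terminal route; a match adds 'wasm-unsafe-eval' to script-src, so keep it anchored and no wider than the route.` The comment also names the segments `:sid/:login` while the new test uses `:sessionId/:username`, and one spelling should be used in both places. If the terminal is also served under paths other than `console/node/`, which this diff does not show, those pages keep the stricter policy and the WASM import stays blocked there. The body of `getIndexContentSecurityPolicyString` is only partly visible across the two hunks, so how the cached policy string is keyed cannot be checked from here.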
@@ -327,6 +327,23 @@ func TestSetIndexContentSecurityPolicy(t *testing.T) {
 "connect-src": "'self' wss:",
 },
 },
+ {
+ name: "for web ssh session (with wasm)",
+ features: proto.Features{},
+ urlPath: "/web/cluster/:clusterId/console/node/:sessionId/:username",
+ expectedCspVals: map[string]string{
+ "default-src": "'self'",
+ "base-uri": "'self'",
+ "form-action": "'self'",
+ "frame-ancestors": "'none'",
+ "object-src": "'none'",
+ "script-src": "'self' 'wasm-unsafe-eval'",
+ "style-src": "'self' 'unsafe-inline'",
+ "img-src": "'self' data: blob:",
+ "font-src": "'self' data:",
+ "connect-src": "'self' wss:",
+ },
+ },
 {
 name: "for cloud based usage & desktop session, with wasm",
 features: proto.Features{Cloud: true, IsUsageBased: true, IsStripeManaged: true},
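Review bot: The added case only exercises a path that should match, so nothing fails if `sshSessionRe` is later loosened and `'wasm-unsafe-eval'` starts being sent on unrelated pages. A companion case with a near-miss path (one segment fewer, or one extra segment after `console/node/`) whose expected `script-src` carries no `'wasm-unsafe-eval'` would pin the scope of the relaxation. The test table in `TestSetIndexContentSecurityPolicy` begins and ends outside this hunk, so an existing negative case elsewhere in it may already cover part of this.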