diff --git a/.env.template b/.env.template index 5b40bc3c9..b699e5b2c 100644 --- a/.env.template +++ b/.env.template @@ -49,3 +49,7 @@ HTTPS_PORT=443 # Optional: configure web user login session lifetime (in seconds) # SESSION_LIFETIME= + +# Optional: configure the per-worker database pool size +# DB_POOL_SIZE= + diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7dadc3002..65930d5fb 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -36,10 +36,12 @@ jobs: submodules: recursive - uses: actions/setup-node@v4 with: - node-version: 22.21.0 + node-version: 22.21.1 - run: cd test/nginx && npm clean-install - run: cd test/nginx && npm run lint - - run: cd test/nginx && ./run-tests.sh + - run: cd test/nginx && ./setup-tests.sh + - run: cd test/nginx && npm run test:nginx + - run: cd test/nginx && ./gixy.sh - if: always() run: cd test/nginx && docker compose -f nginx.test.docker-compose.yml logs --no-log-prefix nginx diff --git a/client b/client index 351f3b92a..bd1be4661 160000 --- a/client +++ b/client @@ -1 +1 @@ -Subproject commit 351f3b92a9e2e2cdbd1e05f2a2137055afa3473b +Subproject commit bd1be46611410f2c1f441b154f4d625b27e093c5 diff --git a/docker-compose.yml b/docker-compose.yml index b39dc3421..b5a953204 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -27,7 +27,7 @@ services: POSTGRES_PASSWORD: odk POSTGRES_DB: odk mail: - image: "registry.gitlab.com/egos-tech/smtp:1.1.1" + image: "registry.gitlab.com/egos-tech/smtp:1.1.5" volumes: - ./files/mail/rsa.private:/etc/exim4/dkim.key.temp:ro environment: @@ -55,6 +55,7 @@ services: - DB_HOST=${DB_HOST:-postgres14} - DB_USER=${DB_USER:-odk} - DB_PASSWORD=${DB_PASSWORD:-odk} + - DB_POOL_SIZE=${DB_POOL_SIZE:-10} - DB_NAME=${DB_NAME:-odk} - DB_SSL=${DB_SSL:-null} - EMAIL_FROM=${EMAIL_FROM:-no-reply@$DOMAIN} @@ -137,7 +138,7 @@ services: - SUPPORT_EMAIL=${SYSADMIN_EMAIL} - HTTPS_PORT=${HTTPS_PORT:-443} enketo_redis_main: - image: redis:7.4.6 + image: redis:7.4.7 volumes: - ./files/enketo/redis-enketo-main.conf:/usr/local/etc/redis/redis.conf:ro - enketo_redis_main:/data @@ -146,7 +147,7 @@ services: - /usr/local/etc/redis/redis.conf restart: always enketo_redis_cache: - image: redis:7.4.6 + image: redis:7.4.7 volumes: - ./files/enketo/redis-enketo-cache.conf:/usr/local/etc/redis/redis.conf:ro - enketo_redis_cache:/data diff --git a/files/nginx/backend.conf b/files/nginx/backend.conf new file mode 100644 index 000000000..a79eaa2c6 --- /dev/null +++ b/files/nginx/backend.conf @@ -0,0 +1,8 @@ +proxy_set_header X-Forwarded-Proto $scheme; +proxy_pass http://service:8383; +proxy_redirect off; + +# buffer requests, but not responses, so streaming out works. +proxy_request_buffering on; +proxy_buffering off; +proxy_read_timeout 2m; diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template index 171f1306d..6ab6e0ce6 100644 --- a/files/nginx/odk.conf.template +++ b/files/nginx/odk.conf.template @@ -1,5 +1,6 @@ server { listen 443 default_server ssl; + server_tokens off; ssl_certificate /etc/nginx/ssl/nginx.default.crt; ssl_certificate_key /etc/nginx/ssl/nginx.default.key; @@ -74,6 +75,18 @@ map $arg_st $redirect_single_prefix { default "/new${is_args}${args}${qp_deliminator}single=true"; } +# Use 'none' per directive instead of falling back to default-src to make CSP violation reports more specific +# Note: using $request_uri here remains safe while percent-encodings are not +# normalised in frontend URLs. Tracked at https://github.com/getodk/central/issues/1532 +map $request_uri $central_frontend_csp { + # Web Forms CSP for /f/... and /projects/.../forms/... routes + ~^/(?:f/[^/]+(?:/.*)?|projects/\d+/forms/[^/]+/(?:(?:draft/)?(?:preview|submissions/new(?:/offline)?)|submissions/[^/]+/edit)(?:/)?)(?:\?.*)?$ + "default-src 'none'; connect-src 'self' https:; font-src 'self' data:; frame-src 'none'; img-src blob: https:; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src blob:; report-uri /csp-report"; + + default + "default-src 'none'; connect-src 'self' https://translate.google.com https://translate.googleapis.com; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src data: https:; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; worker-src blob:; report-uri /csp-report"; +} + server { listen 443 ssl; http2 on; @@ -130,8 +143,7 @@ server { } # To read single submission cookies location = /-/single/check-submitted { - alias /usr/share/nginx/html/blank.html; - default_type text/html; + try_files $uri @blank.html; } # For that iframe to work, we'll need another path prefix (enketo-passthrough) under which we can @@ -146,38 +158,49 @@ server { # More lax CSP for enketo-express: # Google Maps API: https://developers.google.com/maps/documentation/javascript/content-security-policy + # Use 'none' per directive instead of falling back to default-src to make CSP violation reports more specific + proxy_hide_header Content-Security-Policy-Report-Only; add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' blob: https://maps.googleapis.com/ https://maps.google.com/ https://maps.gstatic.com/mapfiles/ https://fonts.gstatic.com/ https://fonts.googleapis.com/ https://translate.google.com https://translate.googleapis.com; font-src 'self' https://fonts.gstatic.com/; frame-src 'none'; img-src data: blob: jr: 'self' https://maps.google.com/maps/ https://maps.gstatic.com/mapfiles/ https://maps.googleapis.com/maps/ https://tile.openstreetmap.org/ https://translate.google.com; manifest-src 'none'; media-src blob: jr: 'self'; object-src 'none'; script-src 'unsafe-inline' 'self' https://maps.googleapis.com/maps/api/js/ https://maps.google.com/maps/ https://maps.google.com/maps-api-v3/api/js/; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css; style-src-attr 'unsafe-inline'; report-uri /csp-report"; - # - # Rules set to 'none' here would fallback to default-src if excluded. - # They are included here to ease interpretation of violation reports. include /usr/share/odk/nginx/common-headers.conf; } # End of Enketo Configuration. + location ~ ^/v\d+/oidc/callback$ { + include /usr/share/odk/nginx/common-headers.conf; + include /usr/share/odk/nginx/backend.conf; + } + location ~ ^/v\d { - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://service:8383; - proxy_redirect off; + proxy_hide_header Content-Security-Policy-Report-Only; + add_header Content-Security-Policy-Report-Only "default-src 'none'; report-uri /csp-report"; - # buffer requests, but not responses, so streaming out works. - proxy_request_buffering on; - proxy_buffering off; - proxy_read_timeout 2m; + include /usr/share/odk/nginx/common-headers.conf; + include /usr/share/odk/nginx/backend.conf; + } + + location @blank.html { + root /usr/share/nginx/html; + try_files /blank.html =404; + + add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src https://translate.google.com https://translate.googleapis.com; img-src https://translate.google.com; report-uri /csp-report"; + include /usr/share/odk/nginx/common-headers.conf; + } + location = /blank.html { + try_files $uri @blank.html; } location / { root /usr/share/nginx/html; try_files $uri $uri/ /index.html; - # Rules set to 'none' here would fallback to default-src if excluded. - # They are included here to ease interpretation of violation reports. - add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' https://translate.google.com https://translate.googleapis.com; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src * data:; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; report-uri /csp-report"; + add_header Content-Security-Policy-Report-Only "$central_frontend_csp"; include /usr/share/odk/nginx/common-headers.conf; } location /csp-report { proxy_pass https://${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io/api/${SENTRY_PROJECT}/security/?sentry_key=${SENTRY_KEY}; + proxy_ssl_server_name on; } } diff --git a/files/nginx/redirector.conf b/files/nginx/redirector.conf index ba56723ff..91262fb98 100644 --- a/files/nginx/redirector.conf +++ b/files/nginx/redirector.conf @@ -1,9 +1,11 @@ +# Be VERY careful modifying this file - it is modified BY LINE NUMBER in setup-odk.sh server { # Listen on plain old HTTP and catch all requests so they can be redirected # to HTTPS instead. listen 80 reuseport; listen [::]:80 reuseport; server_name ${DOMAIN}; + server_tokens off; # Anything requesting this particular URL should be served content from # Certbot's folder so the HTTP-01 ACME challenges can be completed for the @@ -23,6 +25,7 @@ server { server { listen 80 default_server; listen [::]:80 default_server; + server_tokens off; return 421; } diff --git a/files/nginx/setup-odk.sh b/files/nginx/setup-odk.sh index fca108010..407fdb3c7 100755 --- a/files/nginx/setup-odk.sh +++ b/files/nginx/setup-odk.sh @@ -63,7 +63,7 @@ else echo "starting nginx for upstream ssl..." else # remove letsencrypt challenge reply, but keep 80 to 443 redirection - perl -i -ne 'print if $. < 7 || $. > 14' /etc/nginx/conf.d/redirector.conf + perl -i -ne 'print if $. < 9 || $. > 16' /etc/nginx/conf.d/redirector.conf echo "starting nginx for custom ssl and self-signed certs..." fi exec nginx -g "daemon off;" diff --git a/files/service/config.json.template b/files/service/config.json.template index 40211a589..1c6ff4daa 100644 --- a/files/service/config.json.template +++ b/files/service/config.json.template @@ -5,7 +5,8 @@ "user": "${DB_USER}", "password": "${DB_PASSWORD}", "database": "${DB_NAME}", - "ssl": ${DB_SSL} + "ssl": ${DB_SSL}, + "maximumPoolSize": ${DB_POOL_SIZE} }, "email": { "serviceAccount": "${EMAIL_FROM}", diff --git a/nginx.dockerfile b/nginx.dockerfile index 8fd6c5392..1db8f3f39 100644 --- a/nginx.dockerfile +++ b/nginx.dockerfile @@ -1,4 +1,4 @@ -FROM node:22.21.0-slim AS intermediate +FROM node:22.21.1-slim AS intermediate RUN apt-get update \ && apt-get install -y --no-install-recommends \ @@ -32,6 +32,7 @@ COPY files/nginx/setup-odk.sh \ /scripts/ COPY files/nginx/redirector.conf /usr/share/odk/nginx/ +COPY files/nginx/backend.conf /usr/share/odk/nginx/ COPY files/nginx/common-headers.conf /usr/share/odk/nginx/ COPY files/nginx/robots.txt /usr/share/nginx/html COPY --from=intermediate client/dist/ /usr/share/nginx/html diff --git a/postgres14.dockerfile b/postgres14.dockerfile index 4ed29b7a0..69ed4b503 100644 --- a/postgres14.dockerfile +++ b/postgres14.dockerfile @@ -1,4 +1,4 @@ -FROM postgres:14.10 +FROM postgres:14.20 COPY files/postgres14/start-postgres.sh /usr/local/bin/ diff --git a/secrets.dockerfile b/secrets.dockerfile index 094d6a827..fb4ee7288 100644 --- a/secrets.dockerfile +++ b/secrets.dockerfile @@ -1,3 +1,3 @@ -FROM node:22.21.0-slim +FROM node:22.21.1-slim COPY files/enketo/generate-secrets.sh ./ diff --git a/server b/server index 773912958..97981e969 160000 --- a/server +++ b/server @@ -1 +1 @@ -Subproject commit 7739129581f690a7fd51eca436d2f37bf544b7a7 +Subproject commit 97981e9694f392e5b3df90a2d28c6f7d3aefef17 diff --git a/service.dockerfile b/service.dockerfile index 49ed80303..a11da0a72 100644 --- a/service.dockerfile +++ b/service.dockerfile @@ -1,4 +1,4 @@ -ARG node_version=22.21.0 +ARG node_version=22.21.1 diff --git a/test/nginx/gixy.sh b/test/nginx/gixy.sh new file mode 100755 index 000000000..ed9583e4a --- /dev/null +++ b/test/nginx/gixy.sh @@ -0,0 +1,23 @@ +#!/bin/bash -eu +set -o pipefail +shopt -s inherit_errexit + +log() { echo >&2 "[$(basename "$0")] $*"; } + +docker_compose() { + docker compose --file nginx.test.docker-compose.yml "$@" +} + +log "Linting nginx config with gixy-ng..." +# gixy-ng is a maintained fork of gixy: https://github.com/dvershinin/gixy +# For version updates, see: https://pypi.org/project/gixy-ng/#history +docker_compose exec nginx bash -euc ' + apt update + apt install -y python3-venv + python3 -m venv .venv + . .venv/bin/activate + pip install gixy-ng==0.2.12 + gixy -lll +' + +log "Completed OK." diff --git a/test/nginx/mock-http-server/index.js b/test/nginx/mock-http-server/index.js index cf89779b5..38d5ba618 100644 --- a/test/nginx/mock-http-server/index.js +++ b/test/nginx/mock-http-server/index.js @@ -9,6 +9,10 @@ const app = express(); app.use((req, res, next) => { console.log(new Date(), req.method, req.originalUrl); + + // always set CSP header to detect (or allow) leaks from backend through to the client + res.set('Content-Security-Policy-Report-Only', 'default-src NOTE:FROM-BACKEND'); + next(); }); diff --git a/test/nginx/mock-http-server/package-lock.json b/test/nginx/mock-http-server/package-lock.json index 4ea664a1c..5ee0c6ae9 100644 --- a/test/nginx/mock-http-server/package-lock.json +++ b/test/nginx/mock-http-server/package-lock.json @@ -22,28 +22,34 @@ } }, "node_modules/body-parser": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.0.tgz", - "integrity": "sha512-02qvAaxv8tp7fBa/mw1ga98OGm+eCbqzJOKoRt70sLmfEEi+jyBYVTDGfCL/k06/4EMk/z01gCe7HoCH/f2LTg==", + "version": "2.2.1", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.1.tgz", + "integrity": "sha512-nfDwkulwiZYQIGwxdy0RUmowMhKcFVcYXUU7m4QlKYim1rUtg83xm2yjZ40QjDuc291AJjjeSc9b++AWHSgSHw==", + "license": "MIT", "dependencies": { "bytes": "^3.1.2", "content-type": "^1.0.5", - "debug": "^4.4.0", + "debug": "^4.4.3", "http-errors": "^2.0.0", - "iconv-lite": "^0.6.3", + "iconv-lite": "^0.7.0", "on-finished": "^2.4.1", "qs": "^6.14.0", - "raw-body": "^3.0.0", - "type-is": "^2.0.0" + "raw-body": "^3.0.1", + "type-is": "^2.0.1" }, "engines": { "node": ">=18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" } }, "node_modules/bytes": { "version": "3.1.2", "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==", + "license": "MIT", "engines": { "node": ">= 0.8" } @@ -111,9 +117,10 @@ } }, "node_modules/debug": { - "version": "4.4.0", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz", - "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==", + "version": "4.4.3", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz", + "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", + "license": "MIT", "dependencies": { "ms": "^2.1.3" }, @@ -350,29 +357,39 @@ } }, "node_modules/http-errors": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz", - "integrity": "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz", + "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==", + "license": "MIT", "dependencies": { - "depd": "2.0.0", - "inherits": "2.0.4", - "setprototypeof": "1.2.0", - "statuses": "2.0.1", - "toidentifier": "1.0.1" + "depd": "~2.0.0", + "inherits": "~2.0.4", + "setprototypeof": "~1.2.0", + "statuses": "~2.0.2", + "toidentifier": "~1.0.1" }, "engines": { "node": ">= 0.8" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" } }, "node_modules/iconv-lite": { - "version": "0.6.3", - "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz", - "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==", + "version": "0.7.0", + "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.0.tgz", + "integrity": "sha512-cf6L2Ds3h57VVmkZe+Pn+5APsT7FpqJtEhhieDCvrE2MK5Qk9MyffgQyuxQTm6BChfeZNtcOLHp9IcWRVcIcBQ==", + "license": "MIT", "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" }, "engines": { "node": ">=0.10.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" } }, "node_modules/inherits": { @@ -533,17 +550,18 @@ } }, "node_modules/raw-body": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.0.tgz", - "integrity": "sha512-RmkhL8CAyCRPXCE28MMH0z2PNWQBNk2Q09ZdxM9IOOXwxwZbN+qbWaatPkdkWIKL2ZVDImrN/pK5HTRz2PcS4g==", + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.2.tgz", + "integrity": "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==", + "license": "MIT", "dependencies": { - "bytes": "3.1.2", - "http-errors": "2.0.0", - "iconv-lite": "0.6.3", - "unpipe": "1.0.0" + "bytes": "~3.1.2", + "http-errors": "~2.0.1", + "iconv-lite": "~0.7.0", + "unpipe": "~1.0.0" }, "engines": { - "node": ">= 0.8" + "node": ">= 0.10" } }, "node_modules/router": { @@ -583,7 +601,8 @@ "node_modules/safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", - "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", + "license": "MIT" }, "node_modules/send": { "version": "1.2.0", @@ -694,9 +713,10 @@ } }, "node_modules/statuses": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.1.tgz", - "integrity": "sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==", + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz", + "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==", + "license": "MIT", "engines": { "node": ">= 0.8" } @@ -726,6 +746,7 @@ "version": "1.0.0", "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==", + "license": "MIT", "engines": { "node": ">= 0.8" } diff --git a/test/nginx/mock-http-service.dockerfile b/test/nginx/mock-http-service.dockerfile index de9783e3b..82c8b75f7 100644 --- a/test/nginx/mock-http-service.dockerfile +++ b/test/nginx/mock-http-service.dockerfile @@ -1,4 +1,4 @@ -FROM node:22.21.0-slim +FROM node:22.21.1-slim WORKDIR /workspace diff --git a/test/nginx/mock-sentry.dockerfile b/test/nginx/mock-sentry.dockerfile new file mode 100644 index 000000000..6675524c3 --- /dev/null +++ b/test/nginx/mock-sentry.dockerfile @@ -0,0 +1,12 @@ +FROM node:22.21.1-slim + +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + openssl \ + && rm -rf /var/lib/apt/lists/* + +WORKDIR /workspace + +COPY ./mock-sentry . +RUN npm clean-install +ENTRYPOINT ["npm", "run", "start"] diff --git a/test/nginx/mock-sentry/.gitignore b/test/nginx/mock-sentry/.gitignore new file mode 100644 index 000000000..2ccbe4656 --- /dev/null +++ b/test/nginx/mock-sentry/.gitignore @@ -0,0 +1 @@ +/node_modules/ diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js new file mode 100644 index 000000000..19777953f --- /dev/null +++ b/test/nginx/mock-sentry/index.js @@ -0,0 +1,114 @@ +const { execSync } = require('node:child_process'); +const { readFileSync } = require('node:fs'); +const { createServer } = require('node:https'); +const { createSecureContext } = require('node:tls'); + + +const express = require('express'); + +const port = process.env.PORT || 443; +const httpsHost = process.env.HTTPS_HOST; +const log = (...args) => console.log('[mock-sentry]', ...args); + +const events = []; +const logErrorEvent = error => { + log('ERROR', error); + events.push({ error }); +}; + +const app = express(); +app.use(express.json()); +app.get('/event-log', (req, res) => res.json(events)); +app.get('/reset', (req, res) => { + events.length = 0; + res.json('OK'); +}); +app.use('/api', (req, res, next) => { + log(new Date(), req.method, req.originalUrl); + + if(!req.socket.encrypted) fatalError('req.socket.encrypted was falsy'); + + const certificate = req.socket.getCertificate(); + if(!certificate) fatalError('No certificate found at all.'); + + const { CN } = certificate.subject; + if(CN !== httpsHost) { + logErrorEvent(`Server cert had unexpected CN: '${CN}'`); + // try to simulate an SNI / connection error + return req.socket.destroy(); + } + + next(); +}); +app.get('/api/check-cert', (req, res) => res.send('OK')); +app.post('/api/example-sentry-project/security/', (req, res) => { + const { sentry_key } = req.query; + if(sentry_key !== 'example-sentry-key') { + logErrorEvent(`Bad sentry API key received: '${sentry_key}'`); + return res.sendStatus(403); + } + + events.push({ report:req.body }); + + res.send('OK'); +}); + +const server = (() => { + if(!httpsHost) throw new Error('Env var HTTPS_HOST is required for MODE=https'); + + const encoding = 'utf8'; + + const creds = commonName => { + const keyPath = `${commonName}-key.pem`; + const certPath = `${commonName}-cert.pem`; + + execSync( + [ + 'openssl', + 'req -x509', + '-nodes', + '-days 365', + '-newkey rsa:2048', + `-keyout ${keyPath}`, + `-out ${certPath}`, + `-subj /CN=${commonName}`, + ].join(' '), + { encoding }, + ); + + return { + key: readFileSync(keyPath, { encoding }), + cert: readFileSync(certPath, { encoding }), + }; + }; + + const goodCreds = creds(httpsHost); + + const opts = { + ...creds('default'), + // SNICallback is called IFF the client sends an SNI extension in the TLS handshake. + // See: https://nodejs.org/api/tls.html#tlscreateserveroptions-secureconnectionlistener + SNICallback: (servername, cb) => { + if(servername !== httpsHost) { + const error = `SNICallback: rejecting unexpected servername: ${servername}`; + logErrorEvent(error); + return cb(new Error(error)); + } + cb(null, createSecureContext(goodCreds)); + }, + }; + + return createServer(opts, app); +})(); + +server.listen(port, () => { + log(`Listening with HTTPS on port: ${port}`); +}); + +function fatalError(description) { + log(` + !!! ${description} + !!! This is completely unexpected. Server will be terminated immediately. + `); + process.exit(1); +} diff --git a/test/nginx/mock-sentry/package-lock.json b/test/nginx/mock-sentry/package-lock.json new file mode 100644 index 000000000..5ee0c6ae9 --- /dev/null +++ b/test/nginx/mock-sentry/package-lock.json @@ -0,0 +1,768 @@ +{ + "name": "mock-http-server", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "mock-http-server", + "dependencies": { + "express": "^5.1.0" + } + }, + "node_modules/accepts": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/accepts/-/accepts-2.0.0.tgz", + "integrity": "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==", + "dependencies": { + "mime-types": "^3.0.0", + "negotiator": "^1.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/body-parser": { + "version": "2.2.1", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.1.tgz", + "integrity": "sha512-nfDwkulwiZYQIGwxdy0RUmowMhKcFVcYXUU7m4QlKYim1rUtg83xm2yjZ40QjDuc291AJjjeSc9b++AWHSgSHw==", + "license": "MIT", + "dependencies": { + "bytes": "^3.1.2", + "content-type": "^1.0.5", + "debug": "^4.4.3", + "http-errors": "^2.0.0", + "iconv-lite": "^0.7.0", + "on-finished": "^2.4.1", + "qs": "^6.14.0", + "raw-body": "^3.0.1", + "type-is": "^2.0.1" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/bytes": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", + "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/call-bind-apply-helpers": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz", + "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==", + "dependencies": { + "es-errors": "^1.3.0", + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/call-bound": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz", + "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==", + "dependencies": { + "call-bind-apply-helpers": "^1.0.2", + "get-intrinsic": "^1.3.0" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/content-disposition": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.0.tgz", + "integrity": "sha512-Au9nRL8VNUut/XSzbQA38+M78dzP4D+eqg3gfJHMIHHYa3bg067xj1KxMUWj+VULbiZMowKngFFbKczUrNJ1mg==", + "dependencies": { + "safe-buffer": "5.2.1" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/content-type": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz", + "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/cookie": { + "version": "0.7.1", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.1.tgz", + "integrity": "sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/cookie-signature": { + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz", + "integrity": "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==", + "engines": { + "node": ">=6.6.0" + } + }, + "node_modules/debug": { + "version": "4.4.3", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz", + "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", + "license": "MIT", + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/depd": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", + "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/dunder-proto": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz", + "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==", + "dependencies": { + "call-bind-apply-helpers": "^1.0.1", + "es-errors": "^1.3.0", + "gopd": "^1.2.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/ee-first": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", + "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==" + }, + "node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/es-define-property": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz", + "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/es-errors": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz", + "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/es-object-atoms": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz", + "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==", + "dependencies": { + "es-errors": "^1.3.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/escape-html": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", + "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==" + }, + "node_modules/etag": { + "version": "1.8.1", + "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", + "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/express": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/express/-/express-5.1.0.tgz", + "integrity": "sha512-DT9ck5YIRU+8GYzzU5kT3eHGA5iL+1Zd0EutOmTE9Dtk+Tvuzd23VBU+ec7HPNSTxXYO55gPV/hq4pSBJDjFpA==", + "dependencies": { + "accepts": "^2.0.0", + "body-parser": "^2.2.0", + "content-disposition": "^1.0.0", + "content-type": "^1.0.5", + "cookie": "^0.7.1", + "cookie-signature": "^1.2.1", + "debug": "^4.4.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "finalhandler": "^2.1.0", + "fresh": "^2.0.0", + "http-errors": "^2.0.0", + "merge-descriptors": "^2.0.0", + "mime-types": "^3.0.0", + "on-finished": "^2.4.1", + "once": "^1.4.0", + "parseurl": "^1.3.3", + "proxy-addr": "^2.0.7", + "qs": "^6.14.0", + "range-parser": "^1.2.1", + "router": "^2.2.0", + "send": "^1.1.0", + "serve-static": "^2.2.0", + "statuses": "^2.0.1", + "type-is": "^2.0.1", + "vary": "^1.1.2" + }, + "engines": { + "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/finalhandler": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.0.tgz", + "integrity": "sha512-/t88Ty3d5JWQbWYgaOGCCYfXRwV1+be02WqYYlL6h0lEiUAMPM8o8qKGO01YIkOHzka2up08wvgYD0mDiI+q3Q==", + "dependencies": { + "debug": "^4.4.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "on-finished": "^2.4.1", + "parseurl": "^1.3.3", + "statuses": "^2.0.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/forwarded": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz", + "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/fresh": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/fresh/-/fresh-2.0.0.tgz", + "integrity": "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/function-bind": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", + "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-intrinsic": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz", + "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==", + "dependencies": { + "call-bind-apply-helpers": "^1.0.2", + "es-define-property": "^1.0.1", + "es-errors": "^1.3.0", + "es-object-atoms": "^1.1.1", + "function-bind": "^1.1.2", + "get-proto": "^1.0.1", + "gopd": "^1.2.0", + "has-symbols": "^1.1.0", + "hasown": "^2.0.2", + "math-intrinsics": "^1.1.0" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-proto": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz", + "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==", + "dependencies": { + "dunder-proto": "^1.0.1", + "es-object-atoms": "^1.0.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/gopd": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz", + "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/has-symbols": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz", + "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/hasown": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", + "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "dependencies": { + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/http-errors": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz", + "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==", + "license": "MIT", + "dependencies": { + "depd": "~2.0.0", + "inherits": "~2.0.4", + "setprototypeof": "~1.2.0", + "statuses": "~2.0.2", + "toidentifier": "~1.0.1" + }, + "engines": { + "node": ">= 0.8" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/iconv-lite": { + "version": "0.7.0", + "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.0.tgz", + "integrity": "sha512-cf6L2Ds3h57VVmkZe+Pn+5APsT7FpqJtEhhieDCvrE2MK5Qk9MyffgQyuxQTm6BChfeZNtcOLHp9IcWRVcIcBQ==", + "license": "MIT", + "dependencies": { + "safer-buffer": ">= 2.1.2 < 3.0.0" + }, + "engines": { + "node": ">=0.10.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" + }, + "node_modules/ipaddr.js": { + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", + "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==", + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/is-promise": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz", + "integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==" + }, + "node_modules/math-intrinsics": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz", + "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/media-typer": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-1.1.0.tgz", + "integrity": "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/merge-descriptors": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-2.0.0.tgz", + "integrity": "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==", + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/mime-db": { + "version": "1.54.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz", + "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/mime-types": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.1.tgz", + "integrity": "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA==", + "dependencies": { + "mime-db": "^1.54.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" + }, + "node_modules/negotiator": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-1.0.0.tgz", + "integrity": "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/object-inspect": { + "version": "1.13.4", + "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz", + "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/on-finished": { + "version": "2.4.1", + "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz", + "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==", + "dependencies": { + "ee-first": "1.1.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/parseurl": { + "version": "1.3.3", + "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz", + "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/path-to-regexp": { + "version": "8.2.0", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.2.0.tgz", + "integrity": "sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ==", + "engines": { + "node": ">=16" + } + }, + "node_modules/proxy-addr": { + "version": "2.0.7", + "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz", + "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==", + "dependencies": { + "forwarded": "0.2.0", + "ipaddr.js": "1.9.1" + }, + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/qs": { + "version": "6.14.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz", + "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==", + "dependencies": { + "side-channel": "^1.1.0" + }, + "engines": { + "node": ">=0.6" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/range-parser": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", + "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/raw-body": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.2.tgz", + "integrity": "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==", + "license": "MIT", + "dependencies": { + "bytes": "~3.1.2", + "http-errors": "~2.0.1", + "iconv-lite": "~0.7.0", + "unpipe": "~1.0.0" + }, + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/router": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/router/-/router-2.2.0.tgz", + "integrity": "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==", + "dependencies": { + "debug": "^4.4.0", + "depd": "^2.0.0", + "is-promise": "^4.0.0", + "parseurl": "^1.3.3", + "path-to-regexp": "^8.0.0" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/safe-buffer": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", + "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, + "node_modules/safer-buffer": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", + "license": "MIT" + }, + "node_modules/send": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/send/-/send-1.2.0.tgz", + "integrity": "sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw==", + "dependencies": { + "debug": "^4.3.5", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "fresh": "^2.0.0", + "http-errors": "^2.0.0", + "mime-types": "^3.0.1", + "ms": "^2.1.3", + "on-finished": "^2.4.1", + "range-parser": "^1.2.1", + "statuses": "^2.0.1" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/serve-static": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-2.2.0.tgz", + "integrity": "sha512-61g9pCh0Vnh7IutZjtLGGpTA355+OPn2TyDv/6ivP2h/AdAVX9azsoxmg2/M6nZeQZNYBEwIcsne1mJd9oQItQ==", + "dependencies": { + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "parseurl": "^1.3.3", + "send": "^1.2.0" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/setprototypeof": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz", + "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==" + }, + "node_modules/side-channel": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz", + "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.3", + "side-channel-list": "^1.0.0", + "side-channel-map": "^1.0.1", + "side-channel-weakmap": "^1.0.2" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-list": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz", + "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-map": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz", + "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-weakmap": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz", + "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3", + "side-channel-map": "^1.0.1" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/statuses": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz", + "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/toidentifier": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz", + "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==", + "engines": { + "node": ">=0.6" + } + }, + "node_modules/type-is": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz", + "integrity": "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==", + "dependencies": { + "content-type": "^1.0.5", + "media-typer": "^1.1.0", + "mime-types": "^3.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/unpipe": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", + "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/vary": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz", + "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" + } + } +} diff --git a/test/nginx/mock-sentry/package.json b/test/nginx/mock-sentry/package.json new file mode 100644 index 000000000..25ab1da6d --- /dev/null +++ b/test/nginx/mock-sentry/package.json @@ -0,0 +1,9 @@ +{ + "name": "mock-http-server", + "scripts": { + "start": "node index.js" + }, + "dependencies": { + "express": "^5.1.0" + } +} diff --git a/test/nginx/nginx.test.docker-compose.yml b/test/nginx/nginx.test.docker-compose.yml index 0eb23a133..36e2dfdda 100644 --- a/test/nginx/nginx.test.docker-compose.yml +++ b/test/nginx/nginx.test.docker-compose.yml @@ -13,6 +13,16 @@ services: - "8383:8383" environment: - PORT=8383 + sentry-mock: + build: + dockerfile: mock-sentry.dockerfile + ports: + # Sentry port is not currently configurable in nginx config, so use default HTTPS port + - "443:443" + environment: + - MODE=https + - HTTPS_HOST=o-fake-dsn.ingest.sentry.io + - PORT=443 nginx: build: context: ../.. @@ -22,10 +32,13 @@ services: depends_on: - service - enketo + - sentry-mock + extra_hosts: + - o-fake-dsn.ingest.sentry.io:host-gateway environment: - DOMAIN=odk-nginx.example.test - SENTRY_KEY=example-sentry-key - - SENTRY_ORG_SUBDOMAIN=example-sentry-org-subdomain + - SENTRY_ORG_SUBDOMAIN=o-fake-dsn - SENTRY_PROJECT=example-sentry-project - SSL_TYPE=selfsign - OIDC_ENABLED=false diff --git a/test/nginx/package-lock.json b/test/nginx/package-lock.json index 999cd3a54..dcf7a7593 100644 --- a/test/nginx/package-lock.json +++ b/test/nginx/package-lock.json @@ -7,6 +7,7 @@ "name": "odk-central-tests", "dependencies": { "chai": "^5.2.0", + "deep-equal-in-any-order": "^2.1.0", "eslint": "^9.28.0", "mocha": "^11.6.0" } @@ -534,6 +535,16 @@ "node": ">=6" } }, + "node_modules/deep-equal-in-any-order": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/deep-equal-in-any-order/-/deep-equal-in-any-order-2.1.0.tgz", + "integrity": "sha512-9FklcFjcehm1yBWiOYtmazJOiMbT+v81Kq6nThIuXbWLWIZMX3ZI+QoLf7wCi0T8XzTAXf6XqEdEyVrjZkhbGA==", + "license": "MIT", + "dependencies": { + "lodash.mapvalues": "^4.6.0", + "sort-any": "^2.0.0" + } + }, "node_modules/deep-is": { "version": "0.1.4", "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz", @@ -805,9 +816,10 @@ } }, "node_modules/glob": { - "version": "10.4.5", - "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz", - "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==", + "version": "10.5.0", + "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz", + "integrity": "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==", + "license": "ISC", "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", @@ -981,9 +993,10 @@ } }, "node_modules/js-yaml": { - "version": "4.1.0", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz", - "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==", + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz", + "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==", + "license": "MIT", "dependencies": { "argparse": "^2.0.1" }, @@ -1040,6 +1053,18 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/lodash": { + "version": "4.17.21", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", + "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", + "license": "MIT" + }, + "node_modules/lodash.mapvalues": { + "version": "4.6.0", + "resolved": "https://registry.npmjs.org/lodash.mapvalues/-/lodash.mapvalues-4.6.0.tgz", + "integrity": "sha512-JPFqXFeZQ7BfS00H58kClY7SPVeHertPE0lNuCyZ26/XlN8TvakYD7b9bGyNmXbT/D3BbtPAAmq90gPWqLkxlQ==", + "license": "MIT" + }, "node_modules/lodash.merge": { "version": "4.6.2", "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz", @@ -1383,6 +1408,15 @@ "url": "https://github.com/sponsors/isaacs" } }, + "node_modules/sort-any": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/sort-any/-/sort-any-2.0.0.tgz", + "integrity": "sha512-T9JoiDewQEmWcnmPn/s9h/PH9t3d/LSWi0RgVmXSuDYeZXTZOZ1/wrK2PHaptuR1VXe3clLLt0pD6sgVOwjNEA==", + "license": "MIT", + "dependencies": { + "lodash": "^4.17.21" + } + }, "node_modules/string-width": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", diff --git a/test/nginx/package.json b/test/nginx/package.json index 820affbb2..e9b6bbd0e 100644 --- a/test/nginx/package.json +++ b/test/nginx/package.json @@ -7,10 +7,11 @@ }, "dependencies": { "chai": "^5.2.0", + "deep-equal-in-any-order": "^2.1.0", "eslint": "^9.28.0", "mocha": "^11.6.0" }, "volta": { - "node": "22.21.0" + "node": "22.21.1" } } diff --git a/test/nginx/run-tests.sh b/test/nginx/setup-tests.sh similarity index 98% rename from test/nginx/run-tests.sh rename to test/nginx/setup-tests.sh index 1a923c81c..241a07d53 100755 --- a/test/nginx/run-tests.sh +++ b/test/nginx/setup-tests.sh @@ -37,6 +37,4 @@ wait_for_http_response 5 localhost:8005/health 200 log "Waiting for nginx..." wait_for_http_response 5 localhost:9000 421 -npm run test:nginx - log "Completed OK." diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 07207a4e8..e015f27a5 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -1,42 +1,73 @@ +const https = require('node:https'); const tls = require('node:tls'); const { Readable } = require('stream'); -const { assert } = require('chai'); + +const deepEqualInAnyOrder = require('deep-equal-in-any-order'); +const chai = require('chai'); +chai.use(deepEqualInAnyOrder); +const { assert } = chai; const none = `'none'`; const self = `'self'`; const unsafeInline = `'unsafe-inline'`; +const wasmUnsafeEval = `'wasm-unsafe-eval'`; + +const asArray = val => { + if (val == null) return []; + if (Array.isArray(val)) return val; + return [val]; +}; +const allowGoogleTranslate = ({ 'connect-src':connectSrc, 'img-src':imgSrc, ...others }) => { + connectSrc = asArray(connectSrc); + if(!connectSrc.includes('https:')) connectSrc.push( + 'https://translate.google.com', + 'https://translate.googleapis.com', + ); + + imgSrc = asArray(imgSrc); + if(!imgSrc.includes('https:')) imgSrc.push( + 'https://translate.google.com', + ); + + return { ...others, 'connect-src':connectSrc, 'img-src':imgSrc }; +}; + const contentSecurityPolicies = { - 'restrictive': { - 'default-src': none, - 'connect-src': [ - 'https://translate.google.com', - 'https://translate.googleapis.com', - ], - 'img-src': 'https://translate.google.com', - 'report-uri': '/csp-report', + 'backend-unmodified': { + 'default-src': 'NOTE:FROM-BACKEND', }, - 'central-frontend': { + 'central-frontend': allowGoogleTranslate({ 'default-src': none, 'connect-src': [ self, - 'https://translate.google.com', - 'https://translate.googleapis.com', ], 'font-src': self, 'frame-src': [ self, 'https://getodk.github.io/central/news.html', ], - 'img-src': '* data:', + 'img-src': [ + 'data:', + 'https:', + ], 'manifest-src': none, 'media-src': none, 'object-src': none, 'script-src': self, 'style-src': self, 'style-src-attr': unsafeInline, + 'worker-src': 'blob:', 'report-uri': '/csp-report', + }), + 'disallow-all': { + 'default-src': none, + 'report-uri': '/csp-report', }, - enketo: { + 'disallow-all-except-standard-plugins': allowGoogleTranslate({ + 'default-src': none, + 'report-uri': '/csp-report', + }), + enketo: allowGoogleTranslate({ 'default-src': none, 'connect-src': [ self, @@ -46,8 +77,6 @@ const contentSecurityPolicies = { 'https://maps.gstatic.com/mapfiles/', 'https://fonts.gstatic.com/', 'https://fonts.googleapis.com/', - 'https://translate.google.com', - 'https://translate.googleapis.com', ], 'font-src': [ self, @@ -63,7 +92,6 @@ const contentSecurityPolicies = { 'https://maps.gstatic.com/mapfiles/', 'https://maps.googleapis.com/maps/', 'https://tile.openstreetmap.org/', - 'https://translate.google.com', ], 'manifest-src': none, 'media-src': [ @@ -86,7 +114,38 @@ const contentSecurityPolicies = { ], 'style-src-attr': unsafeInline, 'report-uri': '/csp-report', - }, + }), + 'web-forms': allowGoogleTranslate({ + 'default-src': none, + 'connect-src': [ + self, + 'https:', + ], + 'font-src': [ + self, + 'data:', + ], + 'frame-src': none, + 'img-src': [ + 'blob:', + 'https:', + ], + 'manifest-src': none, + 'media-src': none, + 'object-src': none, + 'script-src': [ + self, + wasmUnsafeEval, + ], + 'style-src': [ + self, + unsafeInline, + ], + 'worker-src': [ + 'blob:' + ], + 'report-uri': '/csp-report', + }), }; describe('nginx config', () => { @@ -182,7 +241,6 @@ describe('nginx config', () => { [ [ '/index.html', /
<\/div>/ ], [ '/version.txt', /^versions:/ ], - [ '/blank.html', /^\n$/ ], [ '/favicon.ico', /^\n$/ ], ].forEach(([ path, expectedContent ]) => { it(`${path} file should serve expected content`, async () => { @@ -316,15 +374,23 @@ describe('nginx config', () => { }); }); - it('should serve blank page on /-/single/check-submitted', async () => { - // when - const res = await fetchHttps('/-/single/check-submitted'); + describe('blank.html', () => { + [ + '/blank.html', + '/-/single/check-submitted', + ].forEach(path => { + it(`should serve blank page on ${path}`, async () => { + // when + const res = await fetchHttps(path); - // then - assert.equal(res.status, 200); - assert.isEmpty((await res.text()).trim()); - assertSecurityHeaders(res, { csp:'restrictive' }); - await assertEnketoReceivedNoRequests(); + // then + assert.equal(res.status, 200); + assert.isEmpty((await res.text()).trim()); + assert.equal(res.headers.get('Content-Type'), 'text/html'); + assertSecurityHeaders(res, { csp:'disallow-all-except-standard-plugins' }); + await assertEnketoReceivedNoRequests(); + }); + }); }); it('/v1/... should forward to backend', async () => { @@ -334,19 +400,29 @@ describe('nginx config', () => { // then assert.equal(res.status, 200); assert.equal(await res.text(), 'OK'); - assertSecurityHeaders(res, { csp:'restrictive' }); + assertSecurityHeaders(res, { csp:'disallow-all' }); // and await assertBackendReceived( { method:'GET', path:'/v1/some/central-backend/path' }, ); }); + it('/oidc/callback should serve Content-Security-Policy from backend', async () => { + // when + const res = await fetchHttps('/v1/oidc/callback'); + + // then + assert.equal(res.status, 200); + assert.equal(await res.text(), 'OK'); + assertSecurityHeaders(res, { csp:'backend-unmodified' }); + }); + it('should set x-forwarded-proto header to "https"', async () => { // when const res = await fetchHttps('/v1/reflect-headers'); // then assert.equal(res.status, 200); - assertSecurityHeaders(res, { csp:'restrictive' }); + assertSecurityHeaders(res, { csp:'disallow-all' }); // when const body = await res.json(); @@ -364,7 +440,7 @@ describe('nginx config', () => { // then assert.equal(res.status, 200); // and - assertSecurityHeaders(res, { csp:'restrictive' }); + assertSecurityHeaders(res, { csp:'disallow-all' }); // when const body = await res.json(); @@ -372,6 +448,94 @@ describe('nginx config', () => { assert.equal(body['x-forwarded-proto'], 'https'); }); + describe('web-forms Content-Security-Policy special handling', () => { + // See https://github.com/getodk/central/pull/1467 for relevant paths + [ + '/projects/1/forms/some_xml_form_id/submissions/new', + '/projects/1/forms/some_xml_form_id/submissions/new/', + '/projects/1/forms/some_xml_form_id/submissions/new?fake=true&query=false¶m=2', + '/projects/1/forms/some_xml_form_id/submissions/new/?fake=true&query=false¶m=2', + '/projects/1/forms/some_xml_form_id/submissions/new/offline', + '/projects/1/forms/some_xml_form_id/submissions/new/offline/', + '/projects/1/forms/some_xml_form_id/submissions/00000000-0000-0000-0000-000000000000/edit', + '/projects/1/forms/some_xml_form_id/submissions/00000000-0000-0000-0000-000000000000/edit/', + '/projects/1/forms/some_xml_form_id/preview', + '/projects/1/forms/some_xml_form_id/preview/', + '/projects/1/forms/some_xml_form_id/draft/submissions/new', + '/projects/1/forms/some_xml_form_id/draft/submissions/new/', + '/projects/1/forms/some_xml_form_id/draft/submissions/new/offline', + '/projects/1/forms/some_xml_form_id/draft/submissions/new/offline/', + '/projects/1/forms/some_xml_form_id/draft/preview', + '/projects/1/forms/some_xml_form_id/draft/preview/', + '/f/anything', + '/f/anything/', + '/f/SCUZtGUjC7fgL2O1AXqqG8YN8Jdkthi?st=vcm7tFeqEFR1Itrmjq50KEFSrK$osbXrtu', + '/f/SCUZtGUjC7fgL2O1AXqqG8YN8Jdkthi/?st=vcm7tFeqEFR1Itrmjq50KEFSrK$osbXrtu', + + // invalid submission ID - currently not checking for valid UUIDs + '/projects/1/forms/some_xml_form_id/submissions/any-old-nonsense/edit', + '/projects/1/forms/some_xml_form_id/submissions/any-old-nonsense/edit/', + + // longer project id, shorter form ID + '/projects/99999/forms/_/submissions/new', + '/projects/99999/forms/_/submissions/new/', + ].forEach(path => { + it(`should add specific Content Security Policy restrictions for webforms path: ${path}`, async () => { + // when + const res = await fetchHttps(path); + + // then + assert.equal(res.status, 200); + assert.equal(await res.text(), '
\n'); + assertSecurityHeaders(res, { csp:'web-forms' }); + }); + }); + + [ + '/projects/1/forms/MarkdownExamples', // no /preview + '/projects/1/forms/preview/perview', // misspelt preview + '/projects/3/forms/preview', // form named "preview", but not the actual preview path + + // invalid project ids + '/projects/1-not-just-a-number-1/forms/some_xml_form_id/submissions/new', + '/projects/1-not-just-a-number-1/forms/some_xml_form_id/submissions/new/', + '/projects/1-not-just-a-number-1/forms/some_xml_form_id/submissions/00000000-0000-0000-0000-000000000000/edit', + '/projects/1-not-just-a-number-1/forms/some_xml_form_id/submissions/00000000-0000-0000-0000-000000000000/edit/', + '/projects/1-not-just-a-number-1/forms/some_xml_form_id/preview', + '/projects/1-not-just-a-number-1/forms/some_xml_form_id/preview/', + '/projects/1-not-just-a-number-1/forms/some_xml_form_id/draft/submissions/new', + '/projects/1-not-just-a-number-1/forms/some_xml_form_id/draft/submissions/new/', + '/projects/1-not-just-a-number-1/forms/some_xml_form_id/draft/preview', + '/projects/1-not-just-a-number-1/forms/some_xml_form_id/draft/preview/', + + // missing project id + '/projects//forms/some_xml_form_id/submissions/new', + '/projects//forms/some_xml_form_id/submissions/new/', + + // missing form id + '/projects/1/forms//preview', + '/projects/1/forms//preview/', + + // missing submission ID + '/projects/1/forms/some_xml_form_id/submissions//edit', + '/projects/1/forms/some_xml_form_id/submissions//edit/', + + // all /f/* should be valid + '/f', + '/f/', + ].forEach(path => { + it(`should serve standard frontend Content Security Policy for fake webforms path: ${path}`, async () => { + // when + const res = await fetchHttps(path); + + // then + assert.equal(res.status, 200); + assert.equal(await res.text(), '
\n'); + assertSecurityHeaders(res, { csp:'central-frontend' }); + }); + }); + }); + it('should reject HTTP requests with incorrect host header supplied', async () => { // when const res = await fetchHttp('/', { headers:{ host:'bad.example.com' } }); @@ -579,6 +743,118 @@ describe('nginx config', () => { }); }); }); + + describe('CSP reports', () => { + beforeEach(() => Promise.all([ + resetSentryMock(), + ])); + + it('POST /csp-report should forward requests to Sentry', async () => { + // when + const res = await fetchHttps('/csp-report', { + method: 'POST', + headers: { 'Content-Type':'application/json' }, + body: JSON.stringify({ example:1 }), + }); + + // then + assert.equal(res.status, 200); + assert.equal(await res.text(), 'OK'); + // and + await assertSentryReceived({ report:{ example:1 } }); + }); + + describe('Sentry behaviour with unexpected SNI values', () => { + // These tests are a control to demonstrate that the local fake Sentry is + // behaving similarly to sentry.io, which rejects requests which do not + // include a Server Name Indiciation (SNI) extension during TLS/HTTPS. + // We also test for an unexpected value in the SNI extension. + // See: https://en.wikipedia.org/wiki/Server_Name_Indication + + it('should accept requests with correct SNI host', async () => { + // when + await requestSentryMock({ servername:'o-fake-dsn.ingest.sentry.io' }); + + // then + // No error was thrown :¬) + }); + + it('should reject requests without SNI host', async () => { + // given + let caught; + + // when + try { + await requestSentryMock({ servername:'' }); + } catch(err) { + caught = err; + } + + // then + assert.isOk(caught); + assert.equal(caught.code, 'ECONNRESET'); + // and + await assertSentryReceived({ error:`Server cert had unexpected CN: 'default'` }); + }); + + [ 'bad.example.test' ].forEach(servername => { + it(`should reject requests with SNI host: "${servername}"`, async () => { + // given + let caught; + + // when + try { + await requestSentryMock({ servername }); + } catch(err) { + caught = err; + } + + // then + assert.isOk(caught); + assert.equal(caught.code, 'ECONNRESET'); + // and + await assertSentryReceived({ error:`SNICallback: rejecting unexpected servername: ${servername}` }); + }); + }); + }); + + async function resetSentryMock() { + const res = await requestSentryMock({ path:'/reset' }); + assert.equal(res.status, 200); + } + + async function assertSentryReceived(...expectedRequests) { + const { status, body } = await requestSentryMock({ path:'/event-log' }); + assert.equal(status, 200); + assert.deepEqual(expectedRequests, JSON.parse(body)); + } + + // This function makes DIRECT requests to sentry-mock. IRL these requests + // would be performed by nginx when a client POSTs to /csp-report. This + // function is for used in test setup/assertions, except when confirming the + // behaviour of the mock Sentry implementation. + function requestSentryMock(opts) { + // servername: SNI extension value - https://nodejs.org/api/https.html#new-agentoptions + const { + path = '/api/check-cert', + servername = 'o-fake-dsn.ingest.sentry.io', + } = opts; + + return new Promise((resolve, reject) => { + const req = https.request( + { path, servername }, + res => { + let body = ''; + res.on('data', data => body += data); + res.on('end', () => resolve({ status:res.statusCode, body })); + res.on('error', reject); + }, + ); + req.on('error', reject); + req.end(); + }); + } + }); }); function fetchHttp(path, options) { @@ -726,5 +1002,5 @@ function assertSecurityHeaders(res, { csp }) { const expectedCsp = contentSecurityPolicies[csp]; if(!expectedCsp) assert.fail(`Tried to match unknown CSP '${csp}'`); const actualCsp = res.headers.get('Content-Security-Policy-Report-Only'); - assert.deepEqual(actualCsp.split('; '), Object.entries(expectedCsp).map(([ k, v ]) => `${k} ${Array.isArray(v) ? v.join(' ') : v}`)); + assert.deepEqualInAnyOrder(actualCsp.split('; '), Object.entries(expectedCsp).map(([ k, v ]) => `${k} ${Array.isArray(v) ? v.join(' ') : v}`)); }