From 1d1f09f4d518a051efdad926698ae636273f3faa Mon Sep 17 00:00:00 2001
From: Alex Braz
Date: Wed, 15 Jan 2025 14:27:28 -0300
Subject: [PATCH] [VULN-598] [2WI-027] Weakened CSP

---
 .env.local.test | 1 +
 .github/workflows/deploy_MainNet_UI.yml | 1 +
 .github/workflows/deploy_TestNet_UI.yml | 1 +
 .../workflows/deploy_staging_MainNet_UI.yml | 1 +
 .../workflows/deploy_staging_TestNet_UI.yml | 1 +
 src/App.vue | 2 +-
 src/common/types/environment-variables.ts | 27 ++++++++++---------
 src/main.ts | 1 +
 8 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/.env.local.test b/.env.local.test
index eeb81b5a..f9f8c0ec 100644
--- a/.env.local.test
+++ b/.env.local.test
@@ -30,3 +30,4 @@ NODE_ENV=test
 VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=2
 VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
 VUE_APP_FLYOVER_PROVIDER_ID=2
+VUE_APP_CSP=https://staging.lps.tekscapital.com
diff --git a/.github/workflows/deploy_MainNet_UI.yml b/.github/workflows/deploy_MainNet_UI.yml
index fc62cd98..feb9b252 100644
--- a/.github/workflows/deploy_MainNet_UI.yml
+++ b/.github/workflows/deploy_MainNet_UI.yml
@@ -56,6 +56,7 @@ jobs:
 VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=2
 VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
 VUE_APP_FLYOVER_PROVIDER_ID=2
+ VUE_APP_CSP=https://lps.tekscapital.com
 npm run-script build
 
 - name: Configure AWS credentials
diff --git a/.github/workflows/deploy_TestNet_UI.yml b/.github/workflows/deploy_TestNet_UI.yml
index 95804c7e..c9ebcfb4 100644
--- a/.github/workflows/deploy_TestNet_UI.yml
+++ b/.github/workflows/deploy_TestNet_UI.yml
@@ -56,6 +56,7 @@ jobs:
 VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=2
 VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
 VUE_APP_FLYOVER_PROVIDER_ID=2
+ VUE_APP_CSP=https://staging.lps.tekscapital.com
 npm run-script build
 
 - name: Configure AWS credentials
diff --git a/.github/workflows/deploy_staging_MainNet_UI.yml b/.github/workflows/deploy_staging_MainNet_UI.yml
index d3327aca..97fea87e 100644
--- a/.github/workflows/deploy_staging_MainNet_UI.yml
+++ b/.github/workflows/deploy_staging_MainNet_UI.yml
@@ -56,6 +56,7 @@ jobs:
 VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=2
 VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
 VUE_APP_FLYOVER_PROVIDER_ID=2
+ VUE_APP_CSP=https://lps.tekscapital.com
 npm run-script build
 
 - name: Configure AWS credentials
diff --git a/.github/workflows/deploy_staging_TestNet_UI.yml b/.github/workflows/deploy_staging_TestNet_UI.yml
index b92a88be..27664684 100644
--- a/.github/workflows/deploy_staging_TestNet_UI.yml
+++ b/.github/workflows/deploy_staging_TestNet_UI.yml
@@ -56,6 +56,7 @@ jobs:
 VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=20
 VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
 VUE_APP_FLYOVER_PROVIDER_ID=2
+ VUE_APP_CSP=https://staging.lps.tekscapital.com
 npm run-script build
 
 - name: Configure AWS credentials
diff --git a/src/App.vue b/src/App.vue
index 70fe0f6c..5e639e1d 100644
--- a/src/App.vue
+++ b/src/App.vue
@@ -48,7 +48,7 @@ export default {
 script-src 'self' 'nonce-${vuetifyNonce}' 'unsafe-eval';
 script-src-elem 'self' 'unsafe-inline' https://script.hotjar.com https://www.clarity.ms/s/* https://static.hotjar.com https://*.hotjar.com https://*.hotjar.io https://api.coingecko.com/ https://*.clarity.ms https://www.clarity.ms/ https://www.gstatic.com/ https://www.google.com/recaptcha/;
 img-src data: https:;
- connect-src 'self' 'unsafe-inline' https://www.clarity.ms/s/0.7.16/clarity.js wss://* https://*.hotjar.com https://*.hotjar.io https://www.clarity.ms/s/* wss://*.hotjar.com ${envVariables.vueAppApiBaseUrl} ${envVariables.vueAppRskNodeHost} https://lps.tekscapital.com https://testnet.lps.tekscapital.com https://staging.lps.tekscapital.com https://api.coingecko.com/* https://*.clarity.ms https://www.clarity.ms/* ;
+ connect-src 'self' 'unsafe-inline' https://www.clarity.ms/s/0.7.16/clarity.js wss://* https://*.hotjar.com https://*.hotjar.io https://www.clarity.ms/s/* wss://*.hotjar.com ${envVariables.vueAppApiBaseUrl} ${envVariables.vueAppRskNodeHost} ${envVariables.cspConfiguration} https://api.coingecko.com/* https://*.clarity.ms https://www.clarity.ms/* ;
 object-src 'none';
 frame-src https://connect.trezor.io https://www.google.com/;
 worker-src 'none';
diff --git a/src/common/types/environment-variables.ts b/src/common/types/environment-variables.ts
index 0c191606..dac5f893 100644
--- a/src/common/types/environment-variables.ts
+++ b/src/common/types/environment-variables.ts
@@ -28,18 +28,6 @@ export class EnvironmentVariables {
 
 public debugMode: boolean;
 
- public minFeeSatPerByte: {
- fast: number;
- average: number;
- slow: number;
- };
-
- public miningSpeedBlock: {
- fast: number;
- average: number;
- slow: number;
- };
-
 public burnDustValue: number;
 
 public lbcAddress: string;
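Review bot: On the `+ connect-src` line, `${envVariables.cspConfiguration}` is interpolated into the policy text as-is, so the build's VUE_APP_CSP value is trusted to be a well-formed source list: a stray `;` would terminate connect-src and start a new directive, and a `*`, an `http:` source or a quoted keyword would widen the allowlist with nothing visible in this file. If the value is undefined (no env var and no default), the literal text `undefined` lands in the directive; browsers should drop it as an unknown source expression, but that is a misconfigured build passing silently rather than a failure. Because this line sits inside a template literal, the explanation cannot be a comment here; it belongs above the policy string (outside the hunk) or on the `cspConfiguration` field, e.g. `// cspConfiguration: LPS origins for connect-src, read from VUE_APP_CSP as a space-separated https source list`, with the format check done where the value is read into EnvironmentVariables. The line also keeps the pre-existing `wss://*`, which allows websocket connections to any host and is worth a follow-up given the ticket title. The policy template this line belongs to starts and ends outside the hunk.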
@@ -54,6 +42,20 @@ export class EnvironmentVariables {
 
 public flyoverProviderId: number;
 
+ public cspConfiguration: string;
+
+ public minFeeSatPerByte: {
+ fast: number;
+ average: number;
+ slow: number;
+ };
+
+ public miningSpeedBlock: {
+ fast: number;
+ average: number;
+ slow: number;
+ };
+
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 constructor(defaultValues: any = {}) {
 this.vueAppCoin = process.env.VUE_APP_COIN || defaultValues.vueAppCoin;
@@ -104,6 +106,7 @@ export class EnvironmentVariables {
 || defaultValues.grecaptchaTime;
 this.flyoverProviderId = Number(process.env.VUE_APP_FLYOVER_PROVIDER_ID)
 || defaultValues.flyoverProviderId;
+ this.cspConfiguration = process.env.VUE_APP_CSP || defaultValues.cspConfiguration;
 }
 
 public get chainId(): number {
diff --git a/src/main.ts b/src/main.ts
index 49d212ef..26be019e 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -34,6 +34,7 @@ const defaultEnvironmentVariables = {
 flyoverPegoutDiffPercentage: 2,
 flyoverProviderId: 2,
 grecaptchaTime: constants.RECAPTCHA_NEW_TOKEN_TIME,
+ cspConfiguration: 'https://testnet.lps.tekscapital.com https://staging.lps.tekscapital.com',
 };
 
 EnvironmentAccessorService.initializeEnvironmentVariables(defaultEnvironmentVariables);
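Review bot: `public cspConfiguration: string;` is declared without saying what the string must contain, and the name suggests a whole policy while the App.vue hunk in this patch only splices it into connect-src. Suggest a comment above the declaration such as `// Extra connect-src sources for the CSP in App.vue: space-separated https origins, read from VUE_APP_CSP`, so the next person who sets the variable knows a `;` or a wildcard is not acceptable input. The remaining lines of this hunk only move minFeeSatPerByte and miningSpeedBlock. The class continues outside the hunk.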
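Review bot: `this.cspConfiguration = process.env.VUE_APP_CSP || defaultValues.cspConfiguration;` stores the variable unchecked, and App.vue splices it straight into connect-src, so a build-time typo (a `;`, a quote, an `http://` or wildcard source, or undefined when both fallbacks are missing) changes the shipped policy instead of failing the build. The same constructor already coerces other variables with `Number()`, so a small parser that requires one or more https origins fits the existing style, and throwing here means a misconfigured pipeline stops at startup rather than loosening connect-src. The regex below is intentionally narrow (no paths, ports optional, no wildcards) and would need widening if a wildcard host is ever legitimately required. The constructor begins outside the hunk.
```typescript
// … unchanged: earlier assignments in the constructor …
this.cspConfiguration = EnvironmentVariables.toCspSourceList(
  process.env.VUE_APP_CSP || defaultValues.cspConfiguration,
);
// … unchanged: rest of the class …

/**
 * Normalises the raw VUE_APP_CSP value into a space-separated list of https origins.
 * Throws on anything that could alter other directives once spliced into the policy.
 */
private static toCspSourceList(raw: unknown): string {
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error('VUE_APP_CSP must list at least one https origin');
  }
  const sources = raw.trim().split(/\s+/);
  const origin = /^https:\/\/[a-z0-9.-]+(?::\d+)?$/i;
  const rejected = sources.filter((s) => !origin.test(s));
  if (rejected.length > 0) {
    throw new Error(`VUE_APP_CSP has invalid entries: ${rejected.join(' ')}`);
  }
  return sources.join(' ');
}
```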
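Review bot: The default `cspConfiguration: 'https://testnet.lps.tekscapital.com https://staging.lps.tekscapital.com'` is used by every build that leaves VUE_APP_CSP unset, so a mainnet build that misses the variable would allow the testnet and staging LPS hosts in connect-src rather than failing; the four workflows in this patch do set the variable, so this presumably only affects local and ad-hoc builds. Consider marking the intent with `// dev/test fallback only: every deploy workflow must set VUE_APP_CSP` above the entry, or logging when the fallback is taken, so a missing variable is noticed. `defaultEnvironmentVariables` starts outside the hunk.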