fix: Open csp-images to allow external (#1835)

External images are required for the README parts of templates. Only allowing https right now
2025-07-06 15:41:45 +00:00 · 2022-05-27 09:59:13 -05:00
parent 7a5c8734ee
commit a409a34819
4 changed files with 47 additions and 3 deletions
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@ -101,7 +101,6 @@ func New(options *Options) *API {
 				Message: "Route not found.",
 			})
 		})
-
 		r.Use(
 			// Specific routes can specify smaller limits.
 			httpmw.RateLimitPerMinute(options.APIRateLimit),
@ -112,6 +111,9 @@ func New(options *Options) *API {
 				Message: "👋",
 			})
 		})
+		// All CSP errors will be logged
+		r.Post("/csp/reports", api.logReportCSPViolations)
+
 		r.Route("/buildinfo", func(r chi.Router) {
 			r.Get("/", func(rw http.ResponseWriter, r *http.Request) {
 				httpapi.Write(rw, http.StatusOK, codersdk.BuildInfoResponse{
--- a/coderd/coderd_test.go
+++ b/coderd/coderd_test.go
@ -119,6 +119,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		"POST:/api/v2/users/login":      {NoAuthorize: true},
 		"POST:/api/v2/users/logout":     {NoAuthorize: true},
 		"GET:/api/v2/users/authmethods": {NoAuthorize: true},
+		"POST:/api/v2/csp/reports":      {NoAuthorize: true},

 		// Has it's own auth
 		"GET:/api/v2/users/oauth2/github/callback": {NoAuthorize: true},
--- a/coderd/csp.go
+++ b/coderd/csp.go
@ -0,0 +1,38 @@
+package coderd
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/coder/coder/coderd/httpapi"
+
+	"cdr.dev/slog"
+)
+
+type cspViolation struct {
+	Report map[string]interface{} `json:"csp-report"`
+}
+
+// logReportCSPViolations will log all reported csp violations.
+func (api *API) logReportCSPViolations(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	var v cspViolation
+
+	dec := json.NewDecoder(r.Body)
+	err := dec.Decode(&v)
+	if err != nil {
+		api.Logger.Warn(ctx, "csp violation", slog.Error(err))
+		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+			Message: "failed to read body",
+		})
+		return
+	}
+
+	fields := make([]slog.Field, 0, len(v.Report))
+	for k, v := range v.Report {
+		fields = append(fields, slog.F(k, v))
+	}
+	api.Logger.Warn(ctx, "csp violation", fields...)
+
+	httpapi.Write(rw, http.StatusOK, "ok")
+}