Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use static config validation with built in widgets to pass CSP without unsafe-eval #6106

Open
wants to merge 21 commits into
base: main
Choose a base branch
from
Open

Use static config validation with built in widgets to pass CSP without unsafe-eval #6106

wants to merge 21 commits into from
+19,995 −2

Conversation

taras
Copy link

@taras taras commented Jan 7, 2022
edited
Loading

Closes #2138

Summary

Follow up to our proposal in #2138 (comment) to introduce static config validation that allows Netlify CMS to run in environments where Content Security Policy (CSP) prevents runtime code eval with unsafe-eval rule.

This PR introduces a number of changes to make this work,

  1. Upgraded ajv package to 8.8.2 & ajv-keywords to 5.0.0 in netlify-cms-core workspace
  2. Added ajv-cli as a dependency to netlify-cms-core
  3. Validation schema necessary to validate all of the built in widgets was extracted to packages/netlify-cms-core/config.schema.json
  4. Added write-validate-schema to package.json of netlify-cms-core which uses ajv CLI command to generate package/netlify-cms-core/src/constants/staticValidateConfig.js
  5. package/netlify-cms-core/validation-rules/{instanceof.js,uniqueItemProprties.js} created with support for ajv@8 which is not supported in ajv-keywords
  6. validateConfig function modified to check if there are any custom widgets with custom schema. When no custom schemas are present, NetlifyCMS config validation defaults to use staticValidateConfig.js instead of dynamic validation
  7. Removed ajv-errors because errorMessage keyword is not used in the schema

Test plan

Refactored configSchema.spec.js to run tests for dynamic and static validation.

TODO

  • TypeScript needs to be upgraded because AJV 8 uses TypeScript 4 which includes definitions that can not pass tsc --noEmit.

Checklist

Please add a x inside each checkbox:

  • I have read the contribution guidelines.
  • Code is formatted via running yarn format.
  • Tests are passing via running yarn test.
  • The status checks are successful (continuous integration). Those can be seen below.

A picture of a cute animal (not mandatory but encouraged)

Picture of my husky at the Pacific Ocean

6AF1FF80-CB8D-49DA-BA33-73D27642CC1D_1_105_c

@taras taras requested a review from a team January 7, 2022 21:25
dagda1 and others added 19 commits January 7, 2022 13:31
@dagda1 @taras
fix(csp): change validateConfig to implicity opt in or out of dynamic…
8d109ea 
… ajv validation (decaporg#2138)
@dagda1 @taras
chore(csp): add writeValidate
1b66c62
@dagda1 @taras
chore(csp): rollback ajv versions
e54c8e1
@taras
fix(csp): immutably set fields and ensure fields are unique
d3f369a
@taras
chore(csp): fix lint errors
f4e47bf
@taras
chore(csp): include all ajv flags in compile
fe9e6ba
@taras
chore(csp): removed ajv-errors because it's not used
93d4038
@taras
chore(csp): efore upgraing to AJV 8
7b90637
@taras
chore(csp): one static test is passing
6d46ef9
@taras
chore(csp): estore tests back to original
035b6b8
@taras
chore(csp): fix indentation
33c6e03
@taras
fix(csp): fixed instanceof validation tests
a6b93a7
@taras
chore(csp): uniqueItemProperties tests are passing
231914c
@taras
chore(csp): all static validation tests are passing
1c94360
@taras
chore(csp): activated tests for dynamic validation
7c4ac02
@taras
chore(csp): do some clean up
463f650
@taras
chore(csp): add instructions to the readme about static validation
25c09c6
@taras
chore(csp): fix prettier formatting
c0a9fba
@taras
chore(csp): remove nohoist
b06567d
@taras taras force-pushed the dynamic-or-static-ajv-validation branch from 61c31e0 to b06567d Compare January 7, 2022 21:35
@taras
Copy link
Author

taras commented Jan 7, 2022

@erezrokah this PR is going to be blocked by the fact that ajv@8 uses TypeScript 4+ and has syntax in type definition files that is not supported by TypeScript 3 used by this project. As a result, tests pass but type check fails. I'm not sure what to do with this because it's out of scope of this particular issue.

@erezrokah erezrokah added the type: feature code contributing to the implementation of a feature and/or user facing functionality label Jan 10, 2022
@taras taras changed the title Introducing static config validation to overcome allow running where unsafe-eval is disallowed Use static config validation with built in schema validation to pass CSP without unsafe-eval Jan 10, 2022
@taras taras changed the title Use static config validation with built in schema validation to pass CSP without unsafe-eval Use static config validation with built in widgets to pass CSP without unsafe-eval Jan 10, 2022
@taras taras mentioned this pull request Jan 10, 2022
Closed
4 tasks
@erezrokah erezrokah assigned ehmicky and erezrokah and unassigned ehmicky Jan 11, 2022
@martinjagodic
Copy link
Member

@taras are you still interested in moving this forward?

@martinjagodic martinjagodic requested a review from a team as a code owner August 29, 2024 08:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
type: feature code contributing to the implementation of a feature and/or user facing functionality
Projects
None yet
Milestone
No milestone
5 participants
@taras @martinjagodic @ehmicky @erezrokah @dagda1