Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use static config validation with built in widgets to pass CSP without unsafe-eval #6106

Open
wants to merge 21 commits into
base: main
Choose a base branch
from
+19,995 −2
Open

Use static config validation with built in widgets to pass CSP without unsafe-eval #6106

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
8d109ea
fix(csp): change validateConfig to implicity opt in or out of dynamic…
dagda1 Dec 22, 2021
1b66c62
chore(csp): add writeValidate
dagda1 Jan 3, 2022
e54c8e1
chore(csp): rollback ajv versions
dagda1 Jan 3, 2022
d3f369a
fix(csp): immutably set fields and ensure fields are unique
taras Jan 3, 2022
f4e47bf
chore(csp): fix lint errors
taras Jan 3, 2022
fe9e6ba
chore(csp): include all ajv flags in compile
taras Jan 4, 2022
93d4038
chore(csp): removed ajv-errors because it's not used
taras Jan 4, 2022
7b90637
chore(csp): efore upgraing to AJV 8
taras Jan 6, 2022
6d46ef9
chore(csp): one static test is passing
taras Jan 6, 2022
035b6b8
chore(csp): estore tests back to original
taras Jan 6, 2022
33c6e03
chore(csp): fix indentation
taras Jan 6, 2022
a6b93a7
fix(csp): fixed instanceof validation tests
taras Jan 6, 2022
231914c
chore(csp): uniqueItemProperties tests are passing
taras Jan 6, 2022
1c94360
chore(csp): all static validation tests are passing
taras Jan 6, 2022
7c4ac02
chore(csp): activated tests for dynamic validation
taras Jan 7, 2022
463f650
chore(csp): do some clean up
taras Jan 7, 2022
25c09c6
chore(csp): add instructions to the readme about static validation
taras Jan 7, 2022
c0a9fba
chore(csp): fix prettier formatting
taras Jan 7, 2022
b06567d
chore(csp): remove nohoist
taras Jan 7, 2022
81af329
chore(csp): restore accidentally updated file
taras Jan 7, 2022
8a7990c
Merge branch 'main' into dynamic-or-static-ajv-validation
martinjagodic Aug 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,8 +161,8 @@
"browserify": "^17.0.0",
"buffer": "^6.0.3",
"emotion": "^11.0.0",
"eslint-config-prettier": "^8.0.0",
"eslint-plugin-babel": "^5.3.0",
"eslint-config-prettier": "^8.3.0",
"eslint-plugin-babel": "^5.3.1",
"globby": "^12.0.0",
"imports-loader": "^4.0.1",
"lerna": "^8.0.2",
Expand Down
10 changes: 10 additions & 0 deletions packages/decap-cms-core/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,13 @@ We haven't created a README for this package yet, but you can:
site](https://www.decapcms.org) for more info.
2. Reach out to the [community chat](https://decapcms.org/chat/) if you need help.
3. Help out and [write the readme yourself](https://github.com/decaporg/decap-cms/edit/main/packages/decap-cms-core/README.md)!

## Config Schema Validation

This package uses [AJV](http://ajv.js.org) to validate user's configuration files. There are two versions of this validation mechanism - static and dynamic. Dynamic validation is triggered when the configuration file includes custom validation schema for custom widgets. Static validation is used when the configuration does not have custom validation schema. Dynamic validation does not work in environments where Content Security Policy does not allow `unsafe-eval`. Due to this constraint, custom validation for custom widgets does not work where `unsafe-eval` is disallowed. You can learn more about this in [CMS does not work with Content Security Policy (CSP). Requires unsafe-eval / unsafe-inline for script-src / style-src](https://github.com/netlify/netlify-cms/issues/2138) issue.

### Modifying Static Config Schema validation

Static schema validation is stored in [./src/constants/staticValidateConfig.js](./src/constants/staticValidateConfig.js). It is generated using `yarn write-validate-schema` script which intern uses `ajv` CLI to compile schema stored in [./config.schema.json](./config.schema.json) to JavaScript that can be executed the browsers without triggering Content Security Policy where `unsafe-eval` is disallowed. This script relies on [./validation-rules/instanceof.js](./validation-rules/instanceof.js) and [./validation-rules/uniqueItemProperties.js](./validation-rules/uniqueItemProperties.js) these validation rules describe how AJV should generate source code for `instanceof` and `uniqueItemProperties` keywords. They are necessary because `[email protected]` which is used by this package does not support code generation yet - see notes in [instanceof](https://github.com/ajv-validator/ajv-keywords#instanceof) and [uniqueItemProperties](https://github.com/ajv-validator/ajv-keywords#uniqueitemproperties). These two files can be removed when `ajv-keywords` adds support for code generation for thes keywords.

**Note**: If you modify [./config.schema.json](./config.schema.json) then you should run `yarn write-validate-schema` to regenerate the [./src/constants/staticValidateConfig.js](./src/constants/staticValidateConfig.js) file.
Loading
Loading