Allow editing of the CSP trusted image sources.

Author: w1ll-i-code

application/forms/Config/General/ApplicationConfigForm.php

@@ -5,7 +5,10 @@
 
 use Icinga\Application\Icinga;
 use Icinga\Data\ResourceFactory;
+use Icinga\Security\SecurityException;
 use Icinga\Web\Form;
+use Icinga\Util\Csp;
+use Icinga\Web\Notification;
 
 /**
  * Configuration form for general application options
@@ -67,6 +70,23 @@ public function createElements(array $formData)
             ]
         );
 
+        $securityImageSourceWhitelistHidden =
+            !(boolean) Icinga::app()->getConfig()->get("security", "use_strict_csp", false);
+        $securityImageSourceWhitelistHiddenClass = $securityImageSourceWhitelistHidden ? 'input-hidden' : '';
+        $this->addElement(
+            'text',
+            'security_image_source_whitelist',
+            [
+                'label'         => $this->translate('Domains whitelist for the CSP image source'),
+                'placeholder'   => $this->translate('No external domains whitelisted'),
+                'class'         => $securityImageSourceWhitelistHiddenClass,
+                'description'   => $this->translate(
+                    'This whitelist allows you to specify a comma separated list of trusted hosts, '
+                    . 'from which images for the icingaweb2 UI can be loaded.'
+                )
+            ]
+        );
+
         $this->addElement(
             'text',
             'global_module_path',
@@ -102,4 +122,27 @@ public function createElements(array $formData)
 
         return $this;
     }
+
+    /**
+     * @inheritDoc
+     */
+    public function isValid($formData)
+    {
+        $imageSourceWhitelist = $formData["security_image_source_whitelist"] ?? "";
+        if (empty($imageSourceWhitelist) || !$this->getRequest()->isPost()) {
+            return $this;
+        }
+
+        $valid = true;
+        foreach (explode(",", $imageSourceWhitelist) as $imageSource) {
+            try {
+                Csp::validateImageSourceWhitelistItem($imageSource);
+            }catch (SecurityException $e) {
+                Notification::warning($e->getMessage());
+                $valid = false;
+            }
+        }
+
+        return $valid && parent::isValid($formData);
+    }
 }

library/Icinga/Util/Csp.php

@@ -4,8 +4,12 @@
 
 namespace Icinga\Util;
 
+use Icinga\Application\Icinga;
+use Icinga\Application\Logger;
+use Icinga\Security\SecurityException;
 use Icinga\Web\Response;
 use Icinga\Web\Window;
+use ipl\I18n\StaticTranslator;
 use RuntimeException;
 
 use function ipl\Stdlib\get_php_type;
@@ -51,9 +55,13 @@ public static function addHeader(Response $response): void
             throw new RuntimeException('No nonce set for CSS');
         }
 
+        $header = "default-src 'self'; style-src 'self' 'nonce-{$csp->styleNonce}'; ";
+        $imageSourceWhitelist = Icinga::app()->getConfig()->get("security", "image_source_whitelist", "");
+        $header = $header . Csp::getImageSourceDirective($imageSourceWhitelist);
+
         $response->setHeader(
             'Content-Security-Policy',
-            "script-src 'self'; style-src 'self' 'nonce-$csp->styleNonce';",
+            $header,
             true
         );
     }
@@ -79,6 +87,9 @@ public static function createNonce(): void
      */
     public static function getStyleNonce(): ?string
     {
+        if (Icinga::app()->isCli()) {
+            return null;
+        }
         return static::getInstance()->styleNonce;
     }
 
@@ -108,4 +119,52 @@ protected static function getInstance(): self
 
         return static::$instance;
     }
+
+    public static function getImageSourceDirective(string $whitelist): string {
+        $directive = "img-src 'self' data:";
+
+        if (empty($whitelist)) {
+            return $directive . ";";
+        }
+
+        foreach (explode(",", $whitelist) as $domain) {
+            try {
+                $domain = Csp::validateImageSourceWhitelistItem($domain);
+                $directive .= " " . $domain;
+            } catch (SecurityException $e) {
+                Logger::error("Ignoring domain '$domain' as it is not valid. $e");
+            }
+        }
+
+        return $directive . ";";
+    }
+
+    /**
+     * Validates and trims an item that is used as a domain in the img-src directive.
+     * Will throw an error, if the user tries to whitelist everything (*) or tries
+     * to inject special characters that might allow to escape and edit the whole csp.
+     *
+     * @throws SecurityException
+     */
+    public static function validateImageSourceWhitelistItem(string $item): string {
+        $item = trim($item);
+        // Don't allow general whitelisting of all domains
+        if ($item == '*') {
+            throw new SecurityException(
+                StaticTranslator::$instance->translate("Whitelisting all domains is not allowed.")
+            );
+        }
+
+        // Don't allow special characters that might allow to escape and edit the whole csp.
+        // Otherwise, e.g. "example.com; script-src *" will allow the user to change other directives.
+        $csp_config_regex = "|^\*?[a-zA-Z0-9+._\-:]*$|";
+        if (!preg_match($csp_config_regex, $item)) {
+            throw new SecurityException(
+                StaticTranslator::$instance->translate("The following domain is invalid: ")
+                . $item
+            );
+        }
+
+        return $item;
+    }
 }

public/css/icinga/forms.less

@@ -33,6 +33,10 @@ form.icinga-form {
         margin-bottom: 0;
       }
     }
+
+    &:has(.input-hidden) {
+      display: none;
+    }
   }
 
   .control-group > :not(.control-label-group) {