From d51242fd9749d3e4fbc8552ab18a44b3a9a50125 Mon Sep 17 00:00:00 2001 From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com> Date: Fri, 14 Feb 2025 13:57:13 -0800 Subject: [PATCH] add default enforced Content Security Policy (#135) * add default csp.enforce block and ability to load an optional.application.properties * remove CSP_REPORT and CSP_ENFORCE; update README * add wiring for optional app properties file from s3 * update to match what's currently deployed * Update README.md Co-authored-by: labkey-stuartm <32204841+labkey-stuartm@users.noreply.github.com> --------- Co-authored-by: labkey-stuartm <32204841+labkey-stuartm@users.noreply.github.com> --- Dockerfile | 3 --- README.md | 7 +++++++ application.properties | 18 ++++++++++++++++++ docker-compose.yml | 7 ++++--- entrypoint.sh | 21 +++++++-------------- quickstart_envs.sh | 1 + 6 files changed, 37 insertions(+), 20 deletions(-) diff --git a/Dockerfile b/Dockerfile index d7f0a5e..4592efc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -89,9 +89,6 @@ ENV CERT_C="US" \ CERT_OU="IT" \ CERT_CN="localhost" \ \ - CSP_REPORT= \ - CSP_ENFORCE= \ - \ SMTP_HOST="localhost" \ SMTP_USER="root" \ SMTP_PORT="25" \ diff --git a/README.md b/README.md index b43fc3a..fcb2f7e 100644 --- a/README.md +++ b/README.md 
@@ -6,6 +6,13 @@ This repo contains a Dockerfile, `docker-compose.yml`, and various other files f This repo is a work in progress. Containers created from these sources are untested. Until further work is done, integrations with LabKey products that traditionally have relied on OS configuration such as R reports or Python scripts will **NOT** work. +## Content Security Policy +February 2025 brings an enforced Content Security Policy enabled by default, the same one that LabKey uses in most if not all deployments, and is highly recommended to be left in place. It can, however, be disabled by enabling the `ExperimentalFeature.disableEnforceCsp` startup property. + +The policy itself can be overriden with an `optional.application.properties` file. + +CSP_REPORT and CSP_ENFORCE environment variables have been removed. + ## Upgrading from 23.11 to 24.3 March 2024 saw [many changes](https://github.com/LabKey/Dockerfile/commits/24.3.0) in an effort to bring this repo in line with LabKey server versioning/releases, starting with v24.3, in which the embedded tomcat version has been upgraded from 9 to 10. diff --git a/application.properties b/application.properties index b589543..01033e4 100644 --- a/application.properties +++ b/application.properties 
@@ -162,3 +162,21 @@ info.labkey.distribution=${LABKEY_DISTRIBUTION}
 server.tomcat.max-threads=50
 server.servlet.session.timeout=60m
 context.workDirLocation=/work/Tomcat/localhost
+
+## START OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
+csp.enforce=\
+ default-src 'self' https: ;\
+ connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ;\
+ object-src 'none' ;\
+ style-src 'self' https: 'unsafe-inline' ;\
+ img-src 'self' https: data: ;\
+ font-src 'self' data: ;\
+ script-src 'self' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\
+ base-uri 'self' ;\
+ upgrade-insecure-requests ;\
+ frame-ancestors 'self' ;\
+ report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
+## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
+
+## Load optional application.properties if file exists - used for one-off labkey cloud use cases etc.
+spring.config.import=optional:file:${LABKEY_HOME}/config/optional.application.properties
diff --git a/docker-compose.yml b/docker-compose.yml
index eece112..10b6d0f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -80,6 +80,7 @@ services:
 - POSTGRES_VALIDATION_QUERY=${POSTGRES_VALIDATION_QUERY:-SELECT 1}
 - LABKEY_CUSTOM_PROPERTIES_S3_URI=${LABKEY_CUSTOM_PROPERTIES_S3_URI}
+ - LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI=${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI}
 - LABKEY_DEFAULT_PROPERTIES_S3_URI=${LABKEY_DEFAULT_PROPERTIES_S3_URI}
 - LOG4J_CONFIG_FILE=${LOG4J_CONFIG_FILE-log4j2.xml}
 - JSON_OUTPUT=${JSON_OUTPUT-false}
@@ -192,6 +193,7 @@ services:
 - POSTGRES_VALIDATION_QUERY=${POSTGRES_VALIDATION_QUERY:-SELECT 1}
 - LABKEY_CUSTOM_PROPERTIES_S3_URI=${LABKEY_CUSTOM_PROPERTIES_S3_URI}
+ - LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI=${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI}
 - LABKEY_DEFAULT_PROPERTIES_S3_URI=${LABKEY_DEFAULT_PROPERTIES_S3_URI}
 - LOG4J_CONFIG_FILE=${LOG4J_CONFIG_FILE-log4j2.xml}
 - JSON_OUTPUT=${JSON_OUTPUT-false}
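Review bot: The new `csp.enforce` block keeps `'unsafe-eval'` in `script-src` and `'unsafe-inline'` in `style-src` without recording why, so a later maintainer cannot tell whether either can be dropped, and the block does not mention that `'strict-dynamic'` makes CSP3-capable browsers ignore the `'self'` host source in `script-src` and trust the nonce alone. A comment above the `csp.enforce=\` line (not inside the continued value, where `#` would become part of the policy) such as `## 'unsafe-eval' and style 'unsafe-inline' are retained for <feature> -- TODO confirm which LabKey features still need them; with 'strict-dynamic', 'self' in script-src only applies to older browsers` would capture that. The trailing `spring.config.import=optional:file:...` line lets `optional.application.properties` override this policy and every other property in the file, so that file's S3 source is a privileged input; a comment on the import line saying `## NOTE: this file can override csp.enforce and datasource settings -- restrict write access to its S3 source` would make that explicit for operators.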
@@ -302,6 +304,7 @@ services: - POSTGRES_VALIDATION_QUERY=${POSTGRES_VALIDATION_QUERY:-SELECT 1} - LABKEY_CUSTOM_PROPERTIES_S3_URI=${LABKEY_CUSTOM_PROPERTIES_S3_URI} + - LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI=${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI} - LABKEY_DEFAULT_PROPERTIES_S3_URI=${LABKEY_DEFAULT_PROPERTIES_S3_URI} - LOG4J_CONFIG_FILE=${LOG4J_CONFIG_FILE-log4j2.xml} - JSON_OUTPUT=${JSON_OUTPUT-false} @@ -377,9 +380,6 @@ services: - MAX_JVM_RAM_PERCENT=${MAX_JVM_RAM_PERCENT:-75.0} - JAVA_PRE_JAR_EXTRA=-XX:+UseSerialGC -Xss512k - - CSP_REPORT=${CSP_REPORT:-} - - CSP_ENFORCE=${CSP_ENFORCE:-} - # - SMTP_HOST=mailhog # - SMTP_PORT=1025 @@ -416,6 +416,7 @@ services: - POSTGRES_VALIDATION_QUERY=${POSTGRES_VALIDATION_QUERY:-SELECT 1} - LABKEY_CUSTOM_PROPERTIES_S3_URI=${LABKEY_CUSTOM_PROPERTIES_S3_URI} + - LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI=${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI} - LABKEY_DEFAULT_PROPERTIES_S3_URI=${LABKEY_DEFAULT_PROPERTIES_S3_URI} - LOG4J_CONFIG_FILE=${LOG4J_CONFIG_FILE-log4j2.xml} - JSON_OUTPUT=${JSON_OUTPUT-false} diff --git a/entrypoint.sh b/entrypoint.sh index 4cd9b57..5665132 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -12,6 +12,7 @@ keystore_alias="${TOMCAT_KEYSTORE_ALIAS:-}" keystore_format="${TOMCAT_KEYSTORE_FORMAT:-}" LABKEY_CUSTOM_PROPERTIES_S3_URI="${LABKEY_CUSTOM_PROPERTIES_S3_URI:=none}" +LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI="${LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI:=none}" LABKEY_DEFAULT_PROPERTIES_S3_URI="${LABKEY_DEFAULT_PROPERTIES_S3_URI:=none}" # set below to 'labkeywebapp/WEB-INF/classes/log4j2.xml' to use embedded tomcat version from the built .jar 
@@ -20,10 +21,6 @@ LOG4J_CONFIG_FILE="${LOG4J_CONFIG_FILE:=log4j2.xml}" # below assumes using local log4j2.xml file, as the embedded version is not available for edits until after server is running JSON_OUTPUT="${JSON_OUTPUT:-false}" -# Content Security Policy settings -CSP_REPORT="${CSP_REPORT:-}" -CSP_ENFORCE="${CSP_ENFORCE:-}" - # for ecs/datadog, optionally enable APM and JMX metrics DD_COLLECT_APM="${DD_COLLECT_APM:-false}" JAVA_RMI_SERVER_HOSTNAME="${JAVA_RMI_SERVER_HOSTNAME:-}" @@ -145,6 +142,11 @@ main() { awsclibin/aws s3 cp $LABKEY_CUSTOM_PROPERTIES_S3_URI startup/ fi + if [ $LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI != 'none' ]; then + echo "trying to s3 cp '$LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI'" + awsclibin/aws s3 cp $LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI config/ + fi + echo "sleeping for $SLEEP seconds..." sleep $SLEEP @@ -212,15 +214,6 @@ main() { sed -i "s/@@jdbcUser@@/${POSTGRES_USER:-postgres}/" config/application.properties sed -i "s/@@jdbcPassword@@/${POSTGRES_PASSWORD:-}/" config/application.properties - # note: leave newlines out of CSP_REPORT/ENFORCE env vars - # ex: "default-src 'self' https: ; connect-src 'self' https: ; ..."" - if [ -n "$CSP_REPORT" ]; then - echo "csp.report=$CSP_REPORT\n" >> config/application.properties - fi - if [ -n "$CSP_ENFORCE" ]; then - echo "csp.enforce=$CSP_ENFORCE\n" >> config/application.properties - fi - sed -i "s/@@smtpHost@@/${SMTP_HOST}/" config/application.properties sed -i "s/@@smtpUser@@/${SMTP_USER}/" config/application.properties sed -i "s/@@smtpPort@@/${SMTP_PORT}/" config/application.properties 
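Review bot: The new optional-properties fetch (the `if` added before the `sleep`) leaves `$LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI` unquoted in both the `[` test and the `aws s3 cp` call, and it ignores the copy's exit status, so unless the script runs under `set -e` (not visible here) a failed download is only a log line while the server starts without the file, which the `optional:` Spring import in this same patch will not report. The import also expects the exact name `optional.application.properties`, so copying to `config/` only works when the S3 object already has that basename; naming the destination removes that dependency. I would change the two lines to `if [ "$LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI" != 'none' ]; then` and `awsclibin/aws s3 cp "$LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI" config/optional.application.properties || { echo "failed to fetch optional application properties" >&2; exit 1; }`. The sibling block for `LABKEY_CUSTOM_PROPERTIES_S3_URI` just above has the same quoting and exit-status gaps, and `main` continues beyond this hunk.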
@@ -261,7 +254,7 @@ main() { fi echo "Purging secrets and other bits from environment variables..." - unset POSTGRES_USER POSTGRES_PASSWORD POSTGRES_HOST POSTGRES_PORT POSTGRES_DB POSTGRES_PARAMETERS CSP_REPORT CSP_ENFORCE + unset POSTGRES_USER POSTGRES_PASSWORD POSTGRES_HOST POSTGRES_PORT POSTGRES_DB POSTGRES_PARAMETERS unset SMTP_HOST SMTP_USER SMTP_PORT SMTP_PASSWORD SMTP_AUTH SMTP_FROM SMTP_STARTTLS unset LABKEY_CREATE_INITIAL_USER LABKEY_CREATE_INITIAL_USER_APIKEY LABKEY_INITIAL_USER_APIKEY LABKEY_INITIAL_USER_EMAIL LABKEY_INITIAL_USER_GROUP LABKEY_INITIAL_USER_ROLE unset LABKEY_EK SLEEP CONTAINER_PRIVATE_IP diff --git a/quickstart_envs.sh b/quickstart_envs.sh index 053b026..e7cde42 100644 --- a/quickstart_envs.sh +++ b/quickstart_envs.sh @@ -18,3 +18,4 @@ export LABKEY_CREATE_INITIAL_USER_APIKEY="" export LABKEY_DEFAULT_PROPERTIES_S3_URI="none" export LABKEY_CUSTOM_PROPERTIES_S3_URI="none" +export LABKEY_OPTIONAL_APP_PROPERTIES_S3_URI="none"