
Use of protobufjs breaks Content Security Policy because of eval usage #800

Closed
schontz opened this issue Oct 21, 2020 · 5 comments
Labels
Needs More Information (Waiting for more information from builders)

Comments

@schontz
Contributor

schontz commented Oct 21, 2020

Describe the bug
Deploying the Chime SDK on a site that uses Content Security Policy (CSP) headers causes issues because of this protobufjs bug: protobufjs/protobuf.js#997

Chrome issues tab displays the following:

The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unauthorized code on your site.

To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.

If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive.

Someone references https://github.com/mapbox/pbf as an alternative in the cited issue. I hope an alternative can be found, as the bug is old and likely won't be fixed.
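The Chrome message above describes the rule a CSP enforces on eval(), new Function() and string-argument timers. The following is an added example, not code from the issue or from the Chime SDK, that parses a Content-Security-Policy header the way a browser resolves it and reports whether string evaluation would be permitted. The sample headers are constructed for the example; the rule it implements is that eval is governed by script-src, falling back to default-src, and is only allowed when that source list contains 'unsafe-eval'.

```javascript
// Added example (not from the issue thread): decide whether a CSP header
// would block the eval() call that @protobufjs/inquire ships with.

// Constructed sample policies for the example.
const POLICIES = {
  strict: "default-src 'self'; script-src 'self'",
  relaxed: "default-src 'self'; script-src 'self' 'unsafe-eval'",
  noScriptDirective: "img-src 'self'",
};

// Split a header into directive -> source-list. Directive names are
// case-insensitive; browsers honour the first occurrence and ignore repeats.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval() is governed by script-src, falling back to default-src. With neither
// directive present the policy places no restriction on string evaluation.
// (script-src-elem / script-src-attr do not affect eval and are ignored here.)
function allowsEval(header) {
  const directives = parseCsp(header);
  let sources = directives.get("script-src");
  if (sources === undefined) sources = directives.get("default-src");
  if (sources === undefined) return true;
  return sources.some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// Report, for each candidate header, whether a bundle containing eval() would
// be blocked under it.
function evaluatePolicies(policies) {
  const report = {};
  for (const [name, header] of Object.entries(policies)) {
    report[name] = { header, evalBlocked: !allowsEval(header) };
  }
  return report;
}

// Usage: evaluatePolicies(POLICIES) marks "strict" as blocking eval and the
// other two as permitting it.
```

The check matters in both directions: a site that has script-src without 'unsafe-eval' will break the SDK until the eval is removed from the bundle, and adding 'unsafe-eval' to get the SDK working weakens the policy for every script on the page, which is why the thread looks for a build-time fix instead.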

@richnew10
Contributor

The usual fix for this is in a Webpack config (or similar):

{
  // Rewrite the eval-based dynamic require in the SDK and in
  // @protobufjs/inquire before the bundle is emitted.
  test: /\.(js)$/,
  use: [
    {
      loader: 'string-replace-loader',
      options: {
        multiple: [{
          search: /eval.*\(moduleName\);/g,
          replace: 'undefined;',
        }],
      },
    },
…
  ],
  include: [
    path.join(srcDir, 'node_modules/amazon-chime-sdk-js'),
    path.join(srcDir, 'node_modules/@protobufjs/inquire'),
  ],
}

I could have sworn that the SDK already included this fix, but apparently I'm misremembering.

rnewman added a commit to rnewman/amazon-chime-sdk-js that referenced this issue Oct 21, 2020
@stale stale bot added the Needs More Information Waiting for more information from builders label Nov 7, 2020
@stale stale bot closed this as completed Dec 24, 2020
@nolanlawson

Just to circle back on this, this can still be reproduced in the latest version of amazon-chime-sdk-js (2.15.0). Here is a minimal repro on the command line:

mkdir tmp
cd tmp
npm init --yes
npm install [email protected] [email protected]
echo "import 'amazon-chime-sdk-js'" > src.js
npx webpack
grep eval dist/main.js # eval is in the bundle

The eval() comes from @protobufjs/inquire.

@p3v9d5ui

p3v9d5ui commented Sep 4, 2024

This has been open for 4 years now... no urgency to fix this, from a security perspective? Can protobuf be replaced with something else?

@p3v9d5ui

p3v9d5ui commented Sep 4, 2024

@richnew10, or anyone else -- do you know how the string replacement "fix" can be implemented in Vite?

@rnewman
Contributor

rnewman commented Sep 6, 2024

It looks like there's a string replacement plugin for Vite:

https://github.com/windsonR/vite-plugin-string-replace
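To make the webpack string-replace-loader recipe earlier in the thread and the Vite question concrete, here is an added example, written for this page and not taken from the SDK, protobufjs, Vite or the linked plugin. It applies the same regex replacement as a plain Vite/Rollup `transform` plugin hook and then verifies the result the way the `grep eval dist/main.js` step does. The sample input is constructed to follow the shape of @protobufjs/inquire's eval-based dynamic require (the real module text may differ slightly); the `id.includes("@protobufjs/inquire")` filter is an assumption standing in for the webpack `include` list.

```javascript
// Added example (not the SDK's or Vite's own code): the eval-stripping rewrite
// from this thread as a Vite/Rollup transform plugin, plus a bundle check.

// Constructed sample modelled on @protobufjs/inquire's dynamic require.
const SAMPLE_INQUIRE = `
function inquire(moduleName) {
    try {
        var mod = eval("quire".replace(/^/,"re"))(moduleName); // eslint-disable-line no-eval
        if (mod && (mod.length || Object.keys(mod).length))
            return mod;
    } catch (e) {} // eslint-disable-line no-empty
    return null;
}
`;

// Same pattern as the webpack config in the thread: the whole
// eval(...)(moduleName); call becomes `undefined;`, so inquire() falls through
// to `return null`, which is the branch a browser bundle takes anyway.
const EVAL_CALL = /eval.*\(moduleName\);/g;

function stripInquireEval(code) {
  return code.replace(EVAL_CALL, "undefined;");
}

// Line numbers of eval(...) / new Function(...) call sites, for checking the
// output the same way the thread greps the bundle.
function findEvalSites(code) {
  const hits = [];
  code.split("\n").forEach((line, i) => {
    if (/\beval\s*\(/.test(line) || /\bnew\s+Function\s*\(/.test(line)) hits.push(i + 1);
  });
  return hits;
}

// Vite plugin using the standard Rollup `transform(code, id)` hook. The id
// filter (an assumption for this example) limits the rewrite to the inquire
// package so nothing else under node_modules is touched.
function stripProtobufEvalPlugin() {
  return {
    name: "strip-protobufjs-inquire-eval",
    transform(code, id) {
      if (!id.includes("@protobufjs/inquire")) return null;
      const out = stripInquireEval(code);
      return out === code ? null : { code: out, map: null };
    },
  };
}

// Run the plugin over the sample and over an unrelated module.
function demo() {
  const plugin = stripProtobufEvalPlugin();
  const inquireId = "/proj/node_modules/@protobufjs/inquire/index.js";
  const result = plugin.transform(SAMPLE_INQUIRE, inquireId);
  return {
    before: findEvalSites(SAMPLE_INQUIRE),
    after: findEvalSites(result ? result.code : SAMPLE_INQUIRE),
    untouched: plugin.transform("eval('x')", "/proj/src/app.js"),
  };
}
```

In vite.config.js the plugin is registered as `plugins: [stripProtobufEvalPlugin()]`. Because the replacement is a textual regex, the `findEvalSites` pass over the final bundle is the part worth keeping in CI: it catches the case where a dependency upgrade changes the line so the pattern no longer matches and eval silently returns.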
