Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add unpkg.com to disallowed hostnames in CSP #3927

Merged
merged 3 commits into from
Dec 4, 2024
Merged

add unpkg.com to disallowed hostnames in CSP #3927

merged 3 commits into from
Dec 4, 2024

Conversation

underdarknl
Copy link
Contributor

@underdarknl underdarknl commented Dec 3, 2024
edited by ppvg
Loading

unpkg is a fast, global content delivery network for everything on npm. Use it to quickly and easily load any file from any package using a URL like

So, in theory, allowing unpkg.com means allowing any attacker since they can host on unpkg.com.

Changes

add unpkg.com to disallowed hostnames in CSP

QA notes

The question form for allowed CSP domains should list unpkg.com

Code Checklist

  • All the commits in this PR are properly PGP-signed and verified.
  • This PR only contains functionality relevant to the issue.
  • I have written unit tests for the changes or fixes I made.
  • I have checked the documentation and made changes where necessary.
  • I have performed a self-review of my code and refactored it to the best of my abilities.
  • Tickets have been created for newly discovered issues.
  • For any non-trivial functionality, I have added integration and/or end-to-end tests.
  • I have informed others of any required .env changes files if required and changed the .env-dist accordingly.
  • I have included comments in the code to elaborate on what is not self-evident from the code itself, including references to issues and discussions online, or implicit behavior of an interface.

Checklist for code reviewers:

Copy-paste the checklist from the docs/source/templates folder into your comment.

Checklist for QA:

Copy-paste the checklist from the docs/source/templates folder into your comment.

@underdarknl
add unpkg.com to disallowed hostnames in CSP
7fb4713 
npkg is a fast, global content delivery network for everything on npm. Use it to quickly and easily load any file from any package using a URL like

So, in theory, allowing unpkg.com means allowing any attacker since they can host on unpkg.com.
@underdarknl underdarknl requested a review from a team as a code owner December 3, 2024 09:07
@underdarknl underdarknl self-assigned this Dec 4, 2024
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Dec 4, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@dekkers dekkers merged commit d3ef9a6 into main Dec 4, 2024
32 of 33 checks passed
@dekkers dekkers deleted the feat/add-unpkg-com branch December 4, 2024 17:31
jpbruinsslot added a commit that referenced this pull request Dec 11, 2024
@jpbruinsslot
Merge branch 'main' into poc/mula/combined-schedulers
c40193f 
* main: (21 commits)
  Bump django from 5.0.9 to 5.0.10 in /rocky (#3940)
  Do not let enabling plugins affect the global plugin cache (#3944)
  Fix typing in more places and configure mypy to follow imports (#3932)
  Updates CWE archive to 4.16 (#3943)
  Report flaws (#3880)
  Translations update from Hosted Weblate (#3939)
  Fix report recipe API (#3942)
  Boefje runonce functionality in scheduler (#3906)
  fix: 🔨 do not store CDN findings (#3931)
  Dont check for Locations on local Ip's. (#3894)
  add unpkg.com to disallowed hostnames in CSP (#3927)
  Update website_discovery.py (#3921)
  Add export http boefje (#3901)
  Bump python-multipart from 0.0.9 to 0.0.18 in /bytes (#3925)
  Fix layout issues on scheduled reports page (#3930)
  Create scheduled report with zero objects selectable (#3907)
  Improve the KATalogus `/plugins` endpoint performance (#3892)
  Add bgp.jsonl and bgp-meta.json to .gitignore (#3928)
  Update pre-commit and all hooks (#3923)
  add support for detecting Lame dns delegations on ip ranges (#3899)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ammar92 ammar92 ammar92 approved these changes

@dekkers dekkers dekkers approved these changes

Assignees

@underdarknl underdarknl

Labels
None yet
Projects
KAT
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@underdarknl @dekkers @ammar92