Add csp.disableUnsafeEval config option to remove the unsafe-eval CSP (elastic#124484)

Adds a new experimental Kibana setting called `csp.disableUnsafeEval` which will default to `false`. When set to `true`, it will remove `unsafe-eval` from our CSP.

Also introduces a new module called `@kbn/handlebars` which is a replacement for the official `handlebars` module used in the frontend. This new module is necessary in order to avoid calling `eval`/`new Function` from within `handlebars` which is not allowed once `unsafe-eval` is removed from our CSP.

The `@kbn/handlebars` module is simply an extension of the main `handlebars` module which adds a new compile function called `compileAST` (as an alternative to the regular `compile` function). This new function will not use code-generation from strings to compile the template but will instead generate an AST and return a render function with the same API as the function returned by the regular `compile` function.

This is a slightly slower method, but since this is only meant to be used client-side, the slowdown should not be an issue.

The following limitations exist when using `@kbn/handlebars`:

The inline partials handlebars template feature is not supported.

Only the following compile options will be supported:
- `knownHelpers`
- `knownHelpersOnly`
- `strict`
- `assumeObjects`
- `noEscape`
- `data`

Only the following runtime options will be supported:
- `helpers`
- `blockParams`
- `data`

Closes elastic#36311
Thomas Watson authored and j-bennet committed Jun 2, 2022
1 parent d104450 commit 95efed6
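To illustrate the distinction the commit message draws between Handlebars' code-generating `compile` and the AST-based `compileAST`, here is an added JavaScript example that is not part of this commit or of `@kbn/handlebars`: a toy template engine written both ways, plus a check for whether the current page's CSP permits string-to-code at all. The `{{name}}`/`{{{name}}}` subset, and the `escapeHtml`, `parse`, `compileCodegen`, `compileAST` and `evalAllowed` names, are the example's own assumptions.

```javascript
// Added example (not from the Kibana commit or @kbn/handlebars): a toy template
// engine written two ways, showing why Handlebars' stock compile() needs
// 'unsafe-eval' while an AST-walking compileAST() does not.
// Supports only {{name}} (HTML-escaped) and {{{name}}} (raw).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
                  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;' };
const escapeHtml = (s) => String(s).replace(/[&<>"'`=]/g, (c) => ESCAPES[c]);

// Parse a template into an AST of text nodes and mustache nodes.
function parse(template) {
  const nodes = [];
  const re = /\{\{\{(\w+)\}\}\}|\{\{(\w+)\}\}/g;
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    if (m.index > last) nodes.push({ type: 'text', value: template.slice(last, m.index) });
    nodes.push(m[1] !== undefined ? { type: 'raw', name: m[1] } : { type: 'escaped', name: m[2] });
    last = re.lastIndex;
  }
  if (last < template.length) nodes.push({ type: 'text', value: template.slice(last) });
  return nodes;
}

// Code-generating compile: turns the AST into JavaScript source and runs it
// through `new Function`. A CSP without 'unsafe-eval' rejects this step.
function compileCodegen(template) {
  const body = parse(template).map((n) =>
    n.type === 'text' ? JSON.stringify(n.value)
    : n.type === 'raw' ? `String(ctx[${JSON.stringify(n.name)}] ?? '')`
    : `esc(ctx[${JSON.stringify(n.name)}] ?? '')`).join(' + ');
  return new Function('esc', 'ctx', `return ${body || '""'};`).bind(null, escapeHtml);
}

// AST-walking compile: same render-function API, but no string-to-code step,
// so it runs under a CSP that omits 'unsafe-eval'. `noEscape` mirrors the
// Handlebars compile option of the same name listed in the commit message.
function compileAST(template, { noEscape = false } = {}) {
  const ast = parse(template);
  return (ctx) => ast.map((n) => {
    if (n.type === 'text') return n.value;
    const v = ctx[n.name] ?? '';
    return n.type === 'raw' || noEscape ? String(v) : escapeHtml(v);
  }).join('');
}

// Defender check: can this realm turn strings into code? Under a CSP without
// 'unsafe-eval' the constructor throws, which is exactly when compileAST is needed.
function evalAllowed() {
  try { new Function('return 1'); return true; } catch (e) { return false; }
}
```

Run in a browser tab served with a CSP lacking `unsafe-eval`, `evalAllowed()` returns false and `compileCodegen` throws while `compileAST` keeps rendering.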
Showing 78 changed files with 11,036 additions and 309 deletions.
86 changes: 86 additions & 0 deletions .eslintrc.js
@@ -94,6 +94,22 @@ const SAFER_LODASH_SET_DEFINITELYTYPED_HEADER = `
*/
`;

const KBN_HANDLEBARS_HEADER = `
/*
* Elasticsearch B.V licenses this file to you under the MIT License.
* See \`packages/kbn-handlebars/LICENSE\` for more information.
*/
`;

const KBN_HANDLEBARS_HANDLEBARS_HEADER = `
/*
* This file is forked from the handlebars project (https://github.com/handlebars-lang/handlebars.js),
* and may include modifications made by Elasticsearch B.V.
* Elasticsearch B.V. licenses this file to you under the MIT License.
* See \`packages/kbn-handlebars/LICENSE\` for more information.
*/
`;

const packagePkgJsons = globby.sync('*/package.json', {
cwd: Path.resolve(__dirname, 'packages'),
absolute: true,
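Review bot: the two new header templates disagree on the company name: KBN_HANDLEBARS_HEADER reads `* Elasticsearch B.V licenses this file to you under the MIT License.` (no period after B.V) while KBN_HANDLEBARS_HANDLEBARS_HEADER reads `* Elasticsearch B.V. licenses this file to you under the MIT License.`. Because `require-license-header` enforces the string verbatim, the missing period would be copied into every file under `packages/kbn-handlebars`; suggest using the `B.V.` form in both constants.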
@@ -293,6 +309,8 @@ module.exports = {
SAFER_LODASH_SET_HEADER,
SAFER_LODASH_SET_LODASH_HEADER,
SAFER_LODASH_SET_DEFINITELYTYPED_HEADER,
KBN_HANDLEBARS_HEADER,
KBN_HANDLEBARS_HANDLEBARS_HEADER,
],
},
],
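Review bot: this is the first of six identical two-line additions to separate `disallow-license-headers` lists in this file, and each list must now be kept in sync by hand. Suggest hoisting the shared entries into one array (for example `const ALL_LICENSE_HEADERS = [...]`) and spreading it into each override, filtering out only the header that override requires, so the next new package needs a single edit instead of six.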
@@ -325,6 +343,8 @@ module.exports = {
SAFER_LODASH_SET_HEADER,
SAFER_LODASH_SET_LODASH_HEADER,
SAFER_LODASH_SET_DEFINITELYTYPED_HEADER,
KBN_HANDLEBARS_HEADER,
KBN_HANDLEBARS_HANDLEBARS_HEADER,
],
},
],
@@ -364,6 +384,8 @@ module.exports = {
SAFER_LODASH_SET_HEADER,
SAFER_LODASH_SET_LODASH_HEADER,
SAFER_LODASH_SET_DEFINITELYTYPED_HEADER,
KBN_HANDLEBARS_HEADER,
KBN_HANDLEBARS_HANDLEBARS_HEADER,
],
},
],
@@ -393,6 +415,8 @@ module.exports = {
OLD_ELASTIC_LICENSE_HEADER,
SAFER_LODASH_SET_HEADER,
SAFER_LODASH_SET_DEFINITELYTYPED_HEADER,
KBN_HANDLEBARS_HEADER,
KBN_HANDLEBARS_HANDLEBARS_HEADER,
],
},
],
@@ -418,6 +442,8 @@ module.exports = {
OLD_ELASTIC_LICENSE_HEADER,
SAFER_LODASH_SET_LODASH_HEADER,
SAFER_LODASH_SET_DEFINITELYTYPED_HEADER,
KBN_HANDLEBARS_HEADER,
KBN_HANDLEBARS_HANDLEBARS_HEADER,
],
},
],
@@ -443,6 +469,66 @@ module.exports = {
OLD_DUAL_LICENSE_HEADER,
SAFER_LODASH_SET_HEADER,
SAFER_LODASH_SET_LODASH_HEADER,
KBN_HANDLEBARS_HEADER,
KBN_HANDLEBARS_HANDLEBARS_HEADER,
],
},
],
},
},

/**
* @kbn/handlebars package requires special license headers
*/
{
files: ['packages/kbn-handlebars/**/*.{js,mjs,ts,tsx}'],
rules: {
'@kbn/eslint/require-license-header': [
'error',
{
license: KBN_HANDLEBARS_HEADER,
},
],
'@kbn/eslint/disallow-license-headers': [
'error',
{
licenses: [
APACHE_2_0_LICENSE_HEADER,
DUAL_LICENSE_HEADER,
ELASTIC_LICENSE_HEADER,
OLD_DUAL_LICENSE_HEADER,
OLD_ELASTIC_LICENSE_HEADER,
SAFER_LODASH_SET_HEADER,
SAFER_LODASH_SET_LODASH_HEADER,
SAFER_LODASH_SET_DEFINITELYTYPED_HEADER,
KBN_HANDLEBARS_HANDLEBARS_HEADER,
],
},
],
},
},
{
files: ['packages/kbn-handlebars/src/upstream/**/*.{js,mjs,ts,tsx}'],
rules: {
'@kbn/eslint/require-license-header': [
'error',
{
license: KBN_HANDLEBARS_HANDLEBARS_HEADER,
},
],
'@kbn/eslint/disallow-license-headers': [
'error',
{
licenses: [
APACHE_2_0_LICENSE_HEADER,
DUAL_LICENSE_HEADER,
ELASTIC_LICENSE_HEADER,
OLD_DUAL_LICENSE_HEADER,
OLD_ELASTIC_LICENSE_HEADER,
SAFER_LODASH_SET_HEADER,
SAFER_LODASH_SET_LODASH_HEADER,
SAFER_LODASH_SET_DEFINITELYTYPED_HEADER,
KBN_HANDLEBARS_HEADER,
],
},
],
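Review bot: the two new overrides overlap: `packages/kbn-handlebars/**/*.{js,mjs,ts,tsx}` also matches everything under `packages/kbn-handlebars/src/upstream/**/*.{js,mjs,ts,tsx}`, so the upstream block only takes effect because ESLint applies later overrides on top of earlier ones and it sits second. Suggest a one-line comment above the upstream block stating that it must stay after the general `kbn-handlebars` block, since a reorder would silently make the forked upstream files require the wrong header.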
1 change: 1 addition & 0 deletions .github/CODEOWNERS
@@ -324,6 +324,7 @@

# Kibana Platform Security
/packages/kbn-crypto/ @elastic/kibana-security
/packages/kbn-handlebars/ @elastic/kibana-security
/src/core/server/csp/ @elastic/kibana-security @elastic/kibana-core
/src/plugins/interactive_setup/ @elastic/kibana-security
/test/interactive_setup_api_integration/ @elastic/kibana-security