From b5a170f6185282e8524bc1e5c1562ac28c6d5e62 Mon Sep 17 00:00:00 2001
From: Daniel Compton
Date: Fri, 3 May 2024 06:15:38 +1200
Subject: [PATCH 1/4] feature: add CORS_ALLOW_PRIVATE_NETWORK_ACCESS env var

This is needed to be able to access internal IP ranges from a publicly available website, e.g. sourcemaps.
https://developer.chrome.com/blog/private-network-access-preflight/
---
 Dockerfile.buildkit.plus | 1 +
 Dockerfile.oss | 1 +
 Dockerfile.plus | 1 +
 common/docker-entrypoint.d/00-check-for-required-env.sh | 1 +
 common/docker-entrypoint.sh | 6 ++++++
 common/etc/nginx/templates/gateway/cors.conf.template | 6 ++++++
 docs/getting_started.md | 1 +
 standalone_ubuntu_oss_install.sh | 1 +
 8 files changed, 18 insertions(+)

diff --git a/Dockerfile.buildkit.plus b/Dockerfile.buildkit.plus
index 62091cdc..b096c4ca 100644
--- a/Dockerfile.buildkit.plus
+++ b/Dockerfile.buildkit.plus
@@ -12,6 +12,7 @@ ENV PROXY_CACHE_VALID_OK "1h"
 ENV PROXY_CACHE_VALID_NOTFOUND "1m"
 ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
 ENV CORS_ENABLED 0
+ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
 ENV DIRECTORY_LISTING_PATH_PREFIX ""
 ENV STRIP_LEADING_DIRECTORY_PATH ""
 ENV PREFIX_LEADING_DIRECTORY_PATH ""
diff --git a/Dockerfile.oss b/Dockerfile.oss
index 80aee21e..7b86534b 100644
--- a/Dockerfile.oss
+++ b/Dockerfile.oss
@@ -11,6 +11,7 @@ ENV PROXY_CACHE_VALID_OK "1h"
 ENV PROXY_CACHE_VALID_NOTFOUND "1m"
 ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
 ENV CORS_ENABLED 0
+ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
 ENV DIRECTORY_LISTING_PATH_PREFIX ""
 ENV STRIP_LEADING_DIRECTORY_PATH ""
 ENV PREFIX_LEADING_DIRECTORY_PATH ""
diff --git a/Dockerfile.plus b/Dockerfile.plus
index e73c4708..ebaa13ca 100644
--- a/Dockerfile.plus
+++ b/Dockerfile.plus
@@ -12,6 +12,7 @@ ENV PROXY_CACHE_VALID_OK "1h"
 ENV PROXY_CACHE_VALID_NOTFOUND "1m"
 ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
 ENV CORS_ENABLED 0
+ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
 ENV DIRECTORY_LISTING_PATH_PREFIX ""
 ENV STRIP_LEADING_DIRECTORY_PATH ""
 ENV PREFIX_LEADING_DIRECTORY_PATH ""
diff --git a/common/docker-entrypoint.d/00-check-for-required-env.sh b/common/docker-entrypoint.d/00-check-for-required-env.sh
index 9a7083d2..1001bd4b 100755
--- a/common/docker-entrypoint.d/00-check-for-required-env.sh
+++ b/common/docker-entrypoint.d/00-check-for-required-env.sh
@@ -136,3 +136,4 @@ echo "Append slash for directory enabled: ${APPEND_SLASH_FOR_POSSIBLE_DIRECTORY}
 echo "Stripping the following headers from responses: x-amz-;${HEADER_PREFIXES_TO_STRIP}"
 echo "Allow the following headers from responses (these take precendence over the above): ${HEADER_PREFIXES_ALLOWED}"
 echo "CORS Enabled: ${CORS_ENABLED}"
+echo "CORS Allow Private Network Access: ${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}"
diff --git a/common/docker-entrypoint.sh b/common/docker-entrypoint.sh
index 86886027..939c57b2 100644
--- a/common/docker-entrypoint.sh
+++ b/common/docker-entrypoint.sh
@@ -68,6 +68,12 @@ if [ -z "${CORS_ALLOWED_ORIGIN+x}" ]; then
 export CORS_ALLOWED_ORIGIN="*"
 fi
 
+# See documentation for this feature. We do not parse this as a boolean
+# since "true" and "false" are the required values of the header this populates
+if [ "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}" != "true" ] && [ "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}" != "false" ]; then
+ export CORS_ALLOW_PRIVATE_NETWORK_ACCESS=""
+fi
+
 # This is the primary logic to determine the s3 host used for the
 # upstream (the actual proxying action) as well as the `Host` header
 #
diff --git a/common/etc/nginx/templates/gateway/cors.conf.template b/common/etc/nginx/templates/gateway/cors.conf.template
index e92a1c95..934dfd0c 100644
--- a/common/etc/nginx/templates/gateway/cors.conf.template
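Review bot: The new `if` in docker-entrypoint.sh silently resets any value that is not exactly `true` or `false` to the empty string, so a misspelt or differently-cased setting such as `True` disables the feature with no diagnostic; the `if` added to standalone_ubuntu_oss_install.sh in patch 3 has the same behaviour. Logging the rejected value before the reset, guarded so the documented empty/unset default stays quiet, keeps the fail-safe default while making the misconfiguration visible: `if [ -n "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS:-}" ]; then echo "Warning: CORS_ALLOW_PRIVATE_NETWORK_ACCESS must be \"true\" or \"false\"; ignoring it" >&2; fi`. The comparison also expands `${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}` without a default, so if this script runs with `set -u` and the variable is unset (the Dockerfiles in this patch set it to `""`, which is why the container path is fine) the test aborts instead of falling through; patch 4 adds `:-` for the standalone installer only, and the same `${CORS_ALLOW_PRIVATE_NETWORK_ACCESS:-}` form would be cheap insurance here, though I cannot see from the hunk whether `nounset` is in effect in this script.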
+++ b/common/etc/nginx/templates/gateway/cors.conf.template
@@ -11,6 +11,12 @@ if ($request_cors = "OPTIONS_1") {
 # Tell client that this pre-flight info is valid for 20 days
 #
 add_header 'Access-Control-Max-Age' 1728000;
+ #
+ # Allow/deny Private Network Access CORS requests.
+ # https://developer.chrome.com/blog/private-network-access-preflight/
+ #
+ add_header 'Access-Control-Allow-Private-Network' '${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}';
+
 add_header 'Content-Type' 'text/plain; charset=utf-8';
 add_header 'Content-Length' 0;
 return 204;
diff --git a/docs/getting_started.md b/docs/getting_started.md
index e44af845..1590d965 100644
--- a/docs/getting_started.md
+++ b/docs/getting_started.md
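Review bot: The added `add_header 'Access-Control-Allow-Private-Network'` is emitted on every `OPTIONS_1` preflight and, when set to `true`, goes out together with whatever `Access-Control-Allow-Origin` the gateway is configured with, which the docker-entrypoint.sh hunk in this same patch defaults to `*`; with that default every public origin is told it may reach the gateway from a private address, which is the scenario the linked Chrome article describes Private Network Access preflights as guarding against. That may well be the intended deployment, but it belongs in the comment block above the new directive, e.g. `# 'true' grants PNA to every origin accepted by Access-Control-Allow-Origin; pair it with a specific CORS_ALLOWED_ORIGIN rather than '*'.`, and in the docs/getting_started.md row, which currently describes the header as a response to `Access-Control-Request-Private-Network` even though the template does not test for that request header. The empty/unset case relies on nginx skipping an `add_header` whose value expands to the empty string, which does give the documented "no header" behaviour, but stating that in the same comment would stop a later change to the placeholder from quietly emitting an invalid value. The enclosing `if ($request_cors = "OPTIONS_1")` block closes outside the hunk.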
@@ -47,6 +47,7 @@ running as a Container or as a Systemd service. | `CORS_ALLOWED_ORIGIN` | No | | | Value to set to be returned from the CORS `Access-Control-Allow-Origin` header. This value is only used if CORS is enabled. (default: \*) | | `STRIP_LEADING_DIRECTORY_PATH` | No | | | Removes a portion of the path in the requested URL (if configured). Useful when deploying to an ALB under a folder (eg. www.mysite.com/somepath). | | `PREFIX_LEADING_DIRECTORY_PATH` | No | | | Prefix to prepend to all S3 object paths. Useful to serve only a subset of an S3 bucket. When used in combination with `STRIP_LEADING_DIRECTORY_PATH`, this allows the leading path to be replaced, rather than just removed. | +| `CORS_ALLOW_PRIVATE_NETWORK_ACCESS` | No | `true`, `false` | | Flag that enables responding to the CORS OPTIONS pre-flight request header `Access-Control-Request-Private-Network` with the `Access-Control-Allow-Private-Network` header. If the value is "true", responds with "true", if "false" responds with "false". If the environment variable is blank/not set, does not respond with any header. This value is only used if CORS is enabled. See [Private Network Access: introducing preflights](https://developer.chrome.com/blog/private-network-access-preflight/) for more information about this header. | diff --git a/standalone_ubuntu_oss_install.sh b/standalone_ubuntu_oss_install.sh index dbeb3f12..0eb07cd9 100644 --- a/standalone_ubuntu_oss_install.sh +++ b/standalone_ubuntu_oss_install.sh @@ -97,6 +97,7 @@ echo "Proxy Caching Time for Valid Response: ${PROXY_CACHE_VALID_OK}" echo "Proxy Caching Time for Not Found Response: ${PROXY_CACHE_VALID_NOTFOUND}" echo "Proxy Caching Time for Forbidden Response: ${PROXY_CACHE_VALID_FORBIDDEN}" echo "CORS Enabled: ${CORS_ENABLED}" +echo "CORS Allow Private Network Access: ${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}" set -o nounset # abort on unbound variable From e2a91d85f3217dafe79d0d7c1a168c02937e92c2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 11:53:06 -0800 Subject: [PATCH 2/4] build(deps): bump github/codeql-action from 3.25.7 to 3.25.8 (#264) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.7 to 3.25.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f079b8493333aace61c81488f8bd40919487bd9f...2e230e8fe0ad3a14a340ad0815ddb96d599d2aff) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ossf-scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 446adf87..bc8e3588 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -58,6 +58,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: Upload SARIF results to code scanning - uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7 + uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 with: sarif_file: results.sarif From 23e9670665d223e425392ff0d77c8d4ac7bdf0e1 Mon Sep 17 00:00:00 2001 From: Javier Evans Date: Wed, 12 Jun 2024 00:25:00 -0700 Subject: [PATCH 3/4] add CORS_ALLOW_PRIVATE_NETWORK_ACCESS to vm setup --- standalone_ubuntu_oss_install.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/standalone_ubuntu_oss_install.sh b/standalone_ubuntu_oss_install.sh index 0eb07cd9..9d7177d6 100644 --- a/standalone_ubuntu_oss_install.sh +++ b/standalone_ubuntu_oss_install.sh 
@@ -231,12 +231,20 @@ fi set -o nounset # abort on unbound variable + +# CORS related variable setup if [ -z "${CORS_ALLOWED_ORIGIN+x}" ]; then CORS_ALLOWED_ORIGIN="*" fi +if [ "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}" != "true" ] && [ "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}" != "false" ]; then + CORS_ALLOW_PRIVATE_NETWORK_ACCESS="" +fi + + cat >> "/etc/nginx/environment" << EOF CORS_ALLOWED_ORIGIN=${CORS_ALLOWED_ORIGIN} +CORS_ALLOW_PRIVATE_NETWORK_ACCESS=${CORS_ALLOW_PRIVATE_NETWORK_ACCESS} EOF # Only include these env vars if we are not using a instance profile credential From c2467979588aafd8a907b2e8753be6decc872b61 Mon Sep 17 00:00:00 2001 From: Javier Evans Date: Wed, 12 Jun 2024 22:02:39 -0700 Subject: [PATCH 4/4] avoid unbound variable errors when checking CORS_ALLOW_PRIVATE_NETWORK_ACCESS in vm install --- standalone_ubuntu_oss_install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/standalone_ubuntu_oss_install.sh b/standalone_ubuntu_oss_install.sh index 9d7177d6..38c8a364 100644 --- a/standalone_ubuntu_oss_install.sh +++ b/standalone_ubuntu_oss_install.sh @@ -237,7 +237,7 @@ if [ -z "${CORS_ALLOWED_ORIGIN+x}" ]; then CORS_ALLOWED_ORIGIN="*" fi -if [ "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}" != "true" ] && [ "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}" != "false" ]; then +if [ "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS:-}" != "true" ] && [ "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS:-}" != "false" ]; then CORS_ALLOW_PRIVATE_NETWORK_ACCESS="" fi