HumanSignal · jombooth · Dec 7, 2023 · Nov 20, 2023 · Nov 21, 2023 · Nov 28, 2023
diff --git a/label_studio/core/decorators.py b/label_studio/core/decorators.py
@@ -1,3 +1,6 @@
+from functools import wraps
+
+
 def permission_required(*permissions, fn=None):
     def decorator(view):
         def wrapped_view(self, request, *args, **kwargs):
@@ -19,3 +22,17 @@ def wrapped_view(self, request, *args, **kwargs):
         return wrapped_view
 
     return decorator
+
+
+def override_report_only_csp(view_func):
+    """
+    Decorator to switch report-only CSP to regular CSP. For use with core.middleware.HumanSignalCspMiddleware.
+    """
+
+    @wraps(view_func)
+    def wrapper(*args, **kwargs):
+        response = view_func(*args, **kwargs)
+        setattr(response, '_override_report_only_csp', True)
+        return response
+
+    return wrapper
diff --git a/label_studio/core/middleware.py b/label_studio/core/middleware.py
@@ -6,6 +6,7 @@
 
 import ujson as json
 from core.utils.contextlog import ContextLog
+from csp.middleware import CSPMiddleware
 from django.conf import settings
 from django.contrib.auth import logout
 from django.core.exceptions import MiddlewareNotUsed
@@ -207,3 +208,20 @@ def process_request(self, request) -> None:
         request.session.set_expiry(
             settings.MAX_TIME_BETWEEN_ACTIVITY if request.session.get('keep_me_logged_in', True) else 0
         )
+
+
+class HumanSignalCspMiddleware(CSPMiddleware):
+    """
+    Extend CSPMiddleware to support switching report-only CSP to regular CSP.
+
+    For use with core.decorators.override_report_only_csp.
+    """
+
+    def process_response(self, request, response):
+        response = super().process_response(request, response)
+        if getattr(response, '_override_report_only_csp', False):
+            if csp_policy := response.get('Content-Security-Policy-Report-Only'):
+                response['Content-Security-Policy'] = csp_policy
+                del response['Content-Security-Policy-Report-Only']
+            delattr(response, '_override_report_only_csp')
+        return response
diff --git a/label_studio/core/settings/base.py b/label_studio/core/settings/base.py
@@ -674,3 +674,43 @@ def collect_versions_dummy(**kwargs):
 DATA_MANAGER_FILTER_ALLOWLIST = list(
     set(get_env_list('DATA_MANAGER_FILTER_ALLOWLIST') + ['updated_by__active_organization'])
 )
+
+if ENABLE_LS_CSP := get_bool_env('ENABLE_LS_CSP', True):
+    CSP_DEFAULT_SRC = (
+        "'self'",
+        "'report-sample'",
+    )
+    CSP_STYLE_SRC = ("'self'", "'report-sample'", "'unsafe-inline'")
+    CSP_SCRIPT_SRC = (
+        "'self'",
+        "'report-sample'",
+        "'unsafe-inline'",
+        "'unsafe-eval'",
+        'blob:',
+        'browser.sentry-cdn.com',
+        'https://*.googletagmanager.com',
+    )
+    CSP_IMG_SRC = (
+        "'self'",
+        "'report-sample'",
+        'data:',
+        'https://*.google-analytics.com',
+        'https://*.googletagmanager.com',
+        'https://*.google.com',
+    )
+    CSP_CONNECT_SRC = (
+        "'self'",
+        "'report-sample'",
+        'https://*.google-analytics.com',
+        'https://*.analytics.google.com',
+        'https://analytics.google.com',
+        'https://*.googletagmanager.com',
+        'https://*.g.double' + 'click.net',  # hacky way of suppressing codespell complaint
+        'https://*.ingest.sentry.io',
+    )
+    # Note that this will be overridden to true CSP for views that use the override_report_only_csp decorator
+    CSP_REPORT_ONLY = get_bool_env('LS_CSP_REPORT_ONLY', True)
+    CSP_REPORT_URI = get_env('LS_CSP_REPORT_URI', None)
+    CSP_INCLUDE_NONCE_IN = ['script-src', 'default-src']
+
+    MIDDLEWARE.append('core.middleware.HumanSignalCspMiddleware')
diff --git a/label_studio/data_import/api.py b/label_studio/data_import/api.py
@@ -9,12 +9,14 @@
 from urllib.parse import unquote, urlparse
 
 import drf_yasg.openapi as openapi
+from core.decorators import override_report_only_csp
 from core.feature_flags import flag_set
 from core.permissions import ViewClassPermission, all_permissions
 from core.redis import start_job_async_or_sync
 from core.utils.common import retry_database_locked, timeit
 from core.utils.exceptions import LabelStudioValidationErrorSentryIgnored
 from core.utils.params import bool_from_request, list_of_strings_from_request
+from csp.decorators import csp
 from django.conf import settings
 from django.db import transaction
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
@@ -596,6 +598,8 @@ def put(self, *args, **kwargs):
 class UploadedFileResponse(generics.RetrieveAPIView):
     permission_classes = (IsAuthenticated,)
 
+    @override_report_only_csp
+    @csp(SANDBOX=[])
     @swagger_auto_schema(auto_schema=None)
     def get(self, *args, **kwargs):
         request = self.request
@@ -613,8 +617,8 @@ def get(self, *args, **kwargs):
             content_type, encoding = mimetypes.guess_type(str(file.name))
             content_type = content_type or 'application/octet-stream'
             return RangedFileResponse(request, file.open(mode='rb'), content_type=content_type)
-        else:
-            return Response(status=status.HTTP_404_NOT_FOUND)
+
+        return Response(status=status.HTTP_404_NOT_FOUND)
 
 
 class DownloadStorageData(APIView):

diff --git a/label_studio/templates/base.html b/label_studio/templates/base.html
@@ -25,7 +25,7 @@
   <script src="{{settings.HOSTNAME}}{% static 'js/jquery.min.js' %}"></script>
   <script src="{{settings.HOSTNAME}}{% static 'js/helpers.js' %}"></script>
 
-  <script>
+  <script nonce="{{request.csp_nonce}}">
     EDITOR_JS = "{{settings.HOSTNAME}}/label-studio-frontend/js/main.js?v={{ versions.lsf.commit }}";
     EDITOR_CSS = "{{settings.HOSTNAME}}/label-studio-frontend/css/main.css?v={{ versions.lsf.commit }}";
     DM_JS = "{{settings.HOSTNAME}}/dm/js/main.js?v={{ versions.dm2.commit }}";
@@ -37,7 +37,7 @@
    integrity="sha384-lowBFC6YTkvMIWPORr7+TERnCkZdo5ab00oH5NkFLeQUAmBTLGwJpFjF6djuxJ/5"
    crossorigin="anonymous"></script>
 
-  <script>
+  <script nonce="{{request.csp_nonce}}">
     window.exports = () => {};
   </script>
 
@@ -59,13 +59,7 @@
 <div class="app-wrapper"></div>
 
 <template id="main-content">
-  <main class="main" style="background: transparent">
-
-      <div class="ui floating dropdown theme basic" style="float: right;">
-        {% block top-buttons %}
-        {% endblock %}
-      </div>
-    </div>
+  <main class="main">
 
     <!-- Space & Divider -->
     {% block divider %}
@@ -87,7 +81,7 @@
   {% block context_menu_right %}{% endblock %}
 </template>
 
-<script id="app-settings">
+<script id="app-settings" nonce="{{request.csp_nonce}}">
   window.APP_SETTINGS = Object.assign({
     user: {
       id: {{ user.pk }},
@@ -124,7 +118,7 @@
 <script src="{{settings.HOSTNAME}}/react-app/index.js?v={{ versions.backend.commit }}"></script>
 
 <div id="dynamic-content">
-  <script>
+  <script nonce="{{request.csp_nonce}}">
       applyCsrf();
 
       $('.message .close').on('click', function () {
@@ -136,7 +130,7 @@
   {% endblock %}
 
   {% block storage-persistence %}
-  <script>
+  <script nonce="{{request.csp_nonce}}">
     {# storage persistence #}
     {% if not settings.STORAGE_PERSISTENCE %}
     new Toast({

diff --git a/label_studio/users/templates/users/new-ui/user_base.html b/label_studio/users/templates/users/new-ui/user_base.html
@@ -7,8 +7,8 @@
 {% block head %}
 <link rel="stylesheet" href="{{ settings.HOSTNAME }}{% static 'css/login.css' %}"/>
 
-<script async src="https://www.googletagmanager.com/gtag/js?id=UA-129877673-1"></script>
-<script>
+<script async src="https://www.googletagmanager.com/gtag/js?id=UA-129877673-1" nonce="{{request.csp_nonce}}"></script>
+<script nonce="{{request.csp_nonce}}">
 window.dataLayer = window.dataLayer || [];
 function gtag(){dataLayer.push(arguments);}
 gtag('js', new Date());
@@ -42,4 +42,4 @@ <h3>A full-fledged open source solution for data labeling</h3>
 </div>
 
   {% endblock %}
-{% endblock %}
+{% endblock %}
diff --git a/label_studio/users/templates/users/new-ui/user_tips.html b/label_studio/users/templates/users/new-ui/user_tips.html
@@ -1,6 +1,6 @@
 {% load filters %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
   const dataTips = [
     {
       title: 'Did you know?',

diff --git a/label_studio/users/templates/users/user_base.html b/label_studio/users/templates/users/user_base.html
@@ -7,7 +7,7 @@
 <link rel="stylesheet" href="{{ settings.HOSTNAME }}{% static 'css/login.css' %}"/>
 
 <script async src="https://www.googletagmanager.com/gtag/js?id=UA-129877673-1"></script>
-<script>
+<script nonce="{{request.csp_nonce}}">
 window.dataLayer = window.dataLayer || [];
 function gtag(){dataLayer.push(arguments);}
 gtag('js', new Date());
@@ -31,4 +31,4 @@ <h2>A full-fledged open source solution for data labeling</h2>
 
   {% block user_content %}
   {% endblock %}
-{% endblock %}
+{% endblock %}
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -200,6 +200,7 @@ python-json-logger = "2.0.4"
 label-studio-converter = "0.0.57"
 google-cloud-storage = "^2.13.0"
 mysqlclient = {version = "*", optional = true}
+django-csp = "3.7"
 
 [tool.poetry.group.test.dependencies]
 pytest = "7.2.2"