Bug 2097778

Summary: Pcs WebUI - CSP headers do not restrict script source
Product: Red Hat Enterprise Linux 9
Reporter: Tom Sorensen <tsorense>
Component: pcs
Assignee: Tomas Jelinek <tojeline>
Status: CLOSED ERRATA
QA Contact: cluster-qe <cluster-qe>
Severity: low
Priority: medium
Version: 9.0
CC: cluster-maint, idevat, mlisik, mmazoure, mpospisi, nhostako, omular, sbradley, tojeline
Target Milestone: rc
Keywords: Security, Triaged
Target Release: 9.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pcs-0.11.3-1.el9
Doc Type: Enhancement
Doc Text:
Feature: Instruct web browsers to only load resources directly from the pcs web UI and from no other sources.
Reason: This helps guard against cross-site scripting attacks.
Result: The HTTP header "Content-Security-Policy: frame-ancestors 'self'; default-src 'self'" is sent by pcsd in all HTTP responses, instructing web browsers to only load and run resources from the pcs web UI and from no external sources.
Last Closed: 2022-11-15 09:49:30 UTC
Type: Bug

Description Tom Sorensen 2022-06-16 14:15:22 UTC
Description of problem:
Possible security issue due to not restricting the source of scripts being run in the pcs WebUI

Version-Release number of selected component (if applicable):
pcs-0.11.1-10.el9

How reproducible:
Always


Steps to Reproduce:
1. Navigate to pcs Web UI
2. Check headers

Actual results:
Content-Security-Policy header does not include "script-src 'self'"

Expected results:
Script-src should be set to ensure no third-party scripts are loaded

Additional info:
This has already gone through secalert and is assigned to Clustering team.

Comment 2 Tomas Jelinek 2022-06-23 08:50:22 UTC
Upstream patch:
https://github.com/ClusterLabs/pcs/commit/d7f9e7c0e0346d189b88ce98903fb004696e317d

Test:
Check that all HTTP responses contain "Content-Security-Policy: frame-ancestors 'self'; default-src 'self'" header.

Comment 3 Miroslav Lisik 2022-06-24 13:14:00 UTC
DevTestResults:

[root@r91-1 pcs]# rpm -q pcs
pcs-0.11.3-1.el9.x86_64

[root@r91-1 pcs]# systemctl show -p ActiveState pcsd
ActiveState=active
[root@r91-1 pcs]# curl -kv https://localhost:2224 |& grep Content-Security-Policy
< Content-Security-Policy: frame-ancestors 'self'; default-src 'self'

Content-Security-Policy header contains: default-src 'self'
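
The reporter asked for "script-src 'self'", the upstream patch ships "default-src 'self'", and the test in comment 2 and the DevTestResults above accept that. The two agree because, in CSP, script-src (and script-src-elem/script-src-attr) fall back to default-src when they are absent, whereas frame-ancestors never inherits from default-src, which is why the fixed header names it explicitly. The following checker encodes that fallback so a verifier does not have to grep for a literal directive. It is an added example written for this page, not code from the pcs project: the header value and the https://localhost:2224 URL come from this bug, while the `fetch_headers` helper and the WEAK sample response are assumptions constructed for illustration.

```python
"""Check that a pcsd HTTP response carries a Content-Security-Policy that keeps
script execution (and framing) restricted to the web UI's own origin.

Added example for this bug page; it is not code from the pcs project.
"""
import ssl
import urllib.error
import urllib.request
from typing import Dict, List, Optional

# Fallback chain per directive (CSP Level 3): when a directive is absent the
# browser consults these names, in order. Directives mapped to [] never
# inherit from default-src, which is why the fix lists frame-ancestors itself.
FALLBACK: Dict[str, List[str]] = {
    "script-src": ["default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src": ["default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "img-src": ["default-src"],
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "manifest-src": ["default-src"],
    "child-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "frame-ancestors": [],
    "base-uri": [],
    "form-action": [],
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.
    Directive names are case-insensitive; a repeated directive is ignored
    because browsers honour only the first occurrence."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list the browser enforces for `directive` after following the
    fallback chain. None means the directive is unrestricted."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return policy[name]
    return None


def restricted_to_self(policy: Dict[str, List[str]], directive: str) -> bool:
    """True only when the effective source list is exactly 'self'."""
    srcs = effective_sources(policy, directive)
    return srcs is not None and [s.lower() for s in srcs] == ["'self'"]


def check_csp(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers; an empty list is a pass."""
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return ["no Content-Security-Policy header"]
    policy = parse_csp(csp)
    findings: List[str] = []
    for directive in ("script-src", "script-src-elem", "script-src-attr"):
        if not restricted_to_self(policy, directive):
            findings.append(f"{directive} is not restricted to 'self' "
                            f"(effective: {effective_sources(policy, directive)})")
    if not restricted_to_self(policy, "frame-ancestors"):
        findings.append("frame-ancestors is not restricted to 'self' "
                        "(it does not inherit from default-src)")
    return findings


def fetch_headers(url: str = "https://localhost:2224/", insecure: bool = True) -> Dict[str, str]:
    """Fetch response headers from a live pcsd (assumed helper). insecure=True
    mirrors the curl -k used above for the self-signed certificate. Non-2xx
    responses are still inspected, since the fix applies to all responses."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, context=ctx) as resp:
            return dict(resp.getheaders())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample responses, not captured from a real pcsd. FIXED carries
# the exact header from the patch; WEAK is a hypothetical policy that lets a
# third-party host serve scripts.
FIXED = {"Content-Security-Policy": "frame-ancestors 'self'; default-src 'self'"}
WEAK = {"Content-Security-Policy":
        "frame-ancestors 'self'; default-src 'self'; script-src 'self' https://cdn.example"}

if __name__ == "__main__":
    for label, hdrs in (("fixed", FIXED), ("weak", WEAK)):
        print(label, check_csp(hdrs) or "OK")
```

Against a running pcsd, `check_csp(fetch_headers())` should return an empty list once pcs-0.11.3-1.el9 is installed; to cover "all HTTP responses", call it for several paths, including one that returns an error status, rather than only the root URL.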

Comment 10 errata-xmlrpc 2022-11-15 09:49:30 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: pcs security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7935