feat: Improve Application Security #1889

Open
wants to merge 17 commits into
base: main
2 changes: 2 additions & 0 deletions app/domain/datasource/index.ts
Expand Up @@ -13,6 +13,8 @@ import {
saveDataSourceToLocalStorage,
} from "./localStorage";

export { isDataSourceUrlAllowed, type DataSourceUrl } from "./urls";

export const parseDataSource = (stringifiedSource: string): DataSource => {
const [type, url] = stringifiedSource.split("+") as [
DataSource["type"],
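--- a/app/domain/datasource/urls.ts
+++ b/app/domain/datasource/urls.ts
@@ -0,0 +1,20 @@
+import { SOURCE_OPTIONS } from "@/domain/datasource/constants";
+
+const allowedSourceLabels = JSON.parse(
+process.env.WHITELISTED_DATA_SOURCES ?? "[]"
+);
+
+const allowedSources = SOURCE_OPTIONS.filter((o) =>
+allowedSourceLabels.includes(o.label)
+);
+
+const allowedDataSourceUrls = allowedSources.map((o) => o.value.split("+")[1]);
+
+export type DataSourceUrl = string & {};
+
+export const isDataSourceUrlAllowed = (url: string): url is DataSourceUrl => {
+if (typeof url === "string" && allowedDataSourceUrls.includes(url)) {
+return true;
+}
+return false;
+};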
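Review bot: The allowlist is built from `JSON.parse(process.env.WHITELISTED_DATA_SOURCES ?? "[]")` with no shape check, so the result is `any`: a malformed value throws at import time, and a JSON string instead of an array turns `allowedSourceLabels.includes(o.label)` into a substring match that accepts any label merely contained in that string. I would parse into `unknown` and keep only string entries, e.g. `const parsed: unknown = JSON.parse(process.env.WHITELISTED_DATA_SOURCES ?? "[]");` followed by `const allowedSourceLabels = Array.isArray(parsed) ? parsed.filter((l): l is string => typeof l === "string") : [];`. Separately, `string & {}` is assignable from any `string`, so `DataSourceUrl` does not record at compile time that `isDataSourceUrlAllowed` ran; enforcement rests entirely on the runtime scalar parser, which is not part of this section. A short comment on the type saying so, or a branded type, would keep later callers from reading the annotation as proof of validation.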
18 changes: 9 additions & 9 deletions app/graphql/queries/data-cubes.graphql
@@ -1,6 +1,6 @@
query SearchCubes(
$sourceType: String!
$sourceUrl: String!
$sourceUrl: DataSourceUrl!
$locale: String!
$query: String
$order: SearchCubeResultOrder
Expand All @@ -26,7 +26,7 @@ query SearchCubes(

query DataCubeLatestIri(
$sourceType: String!
$sourceUrl: String!
$sourceUrl: DataSourceUrl!
$cubeFilter: DataCubeLatestIriFilter!
) {
dataCubeLatestIri(
Expand All @@ -50,7 +50,7 @@ query DataCubeUnversionedIri(

query DataCubeComponents(
$sourceType: String!
$sourceUrl: String!
$sourceUrl: DataSourceUrl!
$locale: String!
$cubeFilter: DataCubeComponentFilter!
) {
Expand All @@ -64,7 +64,7 @@ query DataCubeComponents(

query DataCubeDimensionGeoShapes(
$sourceType: String!
$sourceUrl: String!
$sourceUrl: DataSourceUrl!
$locale: String!
$cubeFilter: DataCubeDimensionGeoShapesCubeFilter!
) {
Expand All @@ -78,7 +78,7 @@ query DataCubeDimensionGeoShapes(

query DataCubeMetadata(
$sourceType: String!
$sourceUrl: String!
$sourceUrl: DataSourceUrl!
$locale: String!
$cubeFilter: DataCubeMetadataFilter!
) {
Expand All @@ -92,7 +92,7 @@ query DataCubeMetadata(

query DataCubeComponentTermsets(
$sourceType: String!
$sourceUrl: String!
$sourceUrl: DataSourceUrl!
$locale: String!
$cubeFilter: DataCubeTermsetFilter!
) {
Expand All @@ -106,7 +106,7 @@ query DataCubeComponentTermsets(

query DataCubeObservations(
$sourceType: String!
$sourceUrl: String!
$sourceUrl: DataSourceUrl!
$locale: String!
$cubeFilter: DataCubeObservationFilter!
) {
Expand All @@ -120,7 +120,7 @@ query DataCubeObservations(

query DataCubePreview(
$sourceType: String!
$sourceUrl: String!
$sourceUrl: DataSourceUrl!
$locale: String!
$cubeFilter: DataCubePreviewFilter!
) {
Expand All @@ -134,7 +134,7 @@ query DataCubePreview(

query PossibleFilters(
$sourceType: String!
$sourceUrl: String!
$sourceUrl: DataSourceUrl!
$cubeFilter: DataCubePossibleFiltersCubeFilter!
) {
possibleFilters(
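Review bot: `DataCubeUnversionedIri` looks like the one query in this file whose `$sourceUrl` is not switched to `DataSourceUrl!`: it appears only as hunk context (`@@ -50,7 +50,7 @@ query DataCubeUnversionedIri(`), and the nine changed declarations all belong to other queries. Its variable list is outside the visible hunks, so this is inferred. If it still declares `$sourceUrl: String!`, it either leaves one resolver path outside the allowlist or fails validation once the schema argument becomes `DataSourceUrl!`. I would change it to `$sourceUrl: DataSourceUrl!` as well, or state in the PR description why it is exempt.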
58 changes: 31 additions & 27 deletions app/graphql/query-hooks.ts
Expand Up @@ -3,6 +3,7 @@ import { DataCubeComponents } from '../domain/data';
import { DataCubeMetadata } from '../domain/data';
import { DataCubeObservations } from '../domain/data';
import { DataCubePreview } from '../domain/data';
import { DataSourceUrl } from '../domain/datasource';
import { DimensionValue } from '../domain/data';
import { Filters } from '../configurator';
import { GeoShapes } from '../domain/data';
Expand Down Expand Up @@ -31,6 +32,7 @@ export type Scalars = {
DataCubeMetadata: DataCubeMetadata;
DataCubeObservations: DataCubeObservations;
DataCubePreview: DataCubePreview;
DataSourceUrl: DataSourceUrl;
DimensionValue: DimensionValue;
FilterValue: any;
Filters: Filters;
Expand All @@ -46,6 +48,7 @@ export type Scalars = {
};



export type DataCubeComponentFilter = {
iri: Scalars['String'];
filters?: Maybe<Scalars['Filters']>;
Expand Down Expand Up @@ -124,6 +127,7 @@ export type DataCubeUnversionedIriFilter = {




export type PossibleFilterValue = {
__typename: 'PossibleFilterValue';
type: Scalars['String'];
Expand All @@ -148,7 +152,7 @@ export type Query = {

export type QueryDataCubeLatestIriArgs = {
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
cubeFilter: DataCubeLatestIriFilter;
};

Expand All @@ -162,54 +166,54 @@ export type QueryDataCubeUnversionedIriArgs = {

export type QueryDataCubeComponentsArgs = {
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
cubeFilter: DataCubeComponentFilter;
};


export type QueryDataCubeComponentTermsetsArgs = {
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
cubeFilter: DataCubeTermsetFilter;
};


export type QueryDataCubeMetadataArgs = {
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
cubeFilter: DataCubeMetadataFilter;
};


export type QueryDataCubeObservationsArgs = {
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
cubeFilter: DataCubeObservationFilter;
};


export type QueryDataCubePreviewArgs = {
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
cubeFilter: DataCubePreviewFilter;
};


export type QueryPossibleFiltersArgs = {
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
cubeFilter: DataCubePossibleFiltersCubeFilter;
};


export type QuerySearchCubesArgs = {
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale?: Maybe<Scalars['String']>;
query?: Maybe<Scalars['String']>;
order?: Maybe<SearchCubeResultOrder>;
Expand All @@ -221,7 +225,7 @@ export type QuerySearchCubesArgs = {

export type QueryDataCubeDimensionGeoShapesArgs = {
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
cubeFilter: DataCubeDimensionGeoShapesCubeFilter;
};
Expand Down Expand Up @@ -291,7 +295,7 @@ export enum TimeUnit {

export type SearchCubesQueryVariables = Exact<{
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
query?: Maybe<Scalars['String']>;
order?: Maybe<SearchCubeResultOrder>;
Expand All @@ -305,7 +309,7 @@ export type SearchCubesQuery = { __typename: 'Query', searchCubes: Array<{ __typ

export type DataCubeLatestIriQueryVariables = Exact<{
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
cubeFilter: DataCubeLatestIriFilter;
}>;

Expand All @@ -323,7 +327,7 @@ export type DataCubeUnversionedIriQuery = { __typename: 'Query', dataCubeUnversi

export type DataCubeComponentsQueryVariables = Exact<{
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
cubeFilter: DataCubeComponentFilter;
}>;
Expand All @@ -333,7 +337,7 @@ export type DataCubeComponentsQuery = { __typename: 'Query', dataCubeComponents:

export type DataCubeDimensionGeoShapesQueryVariables = Exact<{
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
cubeFilter: DataCubeDimensionGeoShapesCubeFilter;
}>;
Expand All @@ -343,7 +347,7 @@ export type DataCubeDimensionGeoShapesQuery = { __typename: 'Query', dataCubeDim

export type DataCubeMetadataQueryVariables = Exact<{
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
cubeFilter: DataCubeMetadataFilter;
}>;
Expand All @@ -353,7 +357,7 @@ export type DataCubeMetadataQuery = { __typename: 'Query', dataCubeMetadata: Dat

export type DataCubeComponentTermsetsQueryVariables = Exact<{
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
cubeFilter: DataCubeTermsetFilter;
}>;
Expand All @@ -363,7 +367,7 @@ export type DataCubeComponentTermsetsQuery = { __typename: 'Query', dataCubeComp

export type DataCubeObservationsQueryVariables = Exact<{
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
cubeFilter: DataCubeObservationFilter;
}>;
Expand All @@ -373,7 +377,7 @@ export type DataCubeObservationsQuery = { __typename: 'Query', dataCubeObservati

export type DataCubePreviewQueryVariables = Exact<{
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
locale: Scalars['String'];
cubeFilter: DataCubePreviewFilter;
}>;
Expand All @@ -383,7 +387,7 @@ export type DataCubePreviewQuery = { __typename: 'Query', dataCubePreview: DataC

export type PossibleFiltersQueryVariables = Exact<{
sourceType: Scalars['String'];
sourceUrl: Scalars['String'];
sourceUrl: Scalars['DataSourceUrl'];
cubeFilter: DataCubePossibleFiltersCubeFilter;
}>;

Expand All @@ -392,7 +396,7 @@ export type PossibleFiltersQuery = { __typename: 'Query', possibleFilters: Array


export const SearchCubesDocument = gql`
query SearchCubes($sourceType: String!, $sourceUrl: String!, $locale: String!, $query: String, $order: SearchCubeResultOrder, $includeDrafts: Boolean, $fetchDimensionTermsets: Boolean, $filters: [SearchCubeFilter!]) {
query SearchCubes($sourceType: String!, $sourceUrl: DataSourceUrl!, $locale: String!, $query: String, $order: SearchCubeResultOrder, $includeDrafts: Boolean, $fetchDimensionTermsets: Boolean, $filters: [SearchCubeFilter!]) {
searchCubes(
sourceType: $sourceType
sourceUrl: $sourceUrl
Expand All @@ -414,7 +418,7 @@ export function useSearchCubesQuery(options: Omit<Urql.UseQueryArgs<SearchCubesQ
return Urql.useQuery<SearchCubesQuery>({ query: SearchCubesDocument, ...options });
};
export const DataCubeLatestIriDocument = gql`
query DataCubeLatestIri($sourceType: String!, $sourceUrl: String!, $cubeFilter: DataCubeLatestIriFilter!) {
query DataCubeLatestIri($sourceType: String!, $sourceUrl: DataSourceUrl!, $cubeFilter: DataCubeLatestIriFilter!) {
dataCubeLatestIri(
sourceType: $sourceType
sourceUrl: $sourceUrl
Expand All @@ -440,7 +444,7 @@ export function useDataCubeUnversionedIriQuery(options: Omit<Urql.UseQueryArgs<D
return Urql.useQuery<DataCubeUnversionedIriQuery>({ query: DataCubeUnversionedIriDocument, ...options });
};
export const DataCubeComponentsDocument = gql`
query DataCubeComponents($sourceType: String!, $sourceUrl: String!, $locale: String!, $cubeFilter: DataCubeComponentFilter!) {
query DataCubeComponents($sourceType: String!, $sourceUrl: DataSourceUrl!, $locale: String!, $cubeFilter: DataCubeComponentFilter!) {
dataCubeComponents(
sourceType: $sourceType
sourceUrl: $sourceUrl
Expand All @@ -454,7 +458,7 @@ export function useDataCubeComponentsQuery(options: Omit<Urql.UseQueryArgs<DataC
return Urql.useQuery<DataCubeComponentsQuery>({ query: DataCubeComponentsDocument, ...options });
};
export const DataCubeDimensionGeoShapesDocument = gql`
query DataCubeDimensionGeoShapes($sourceType: String!, $sourceUrl: String!, $locale: String!, $cubeFilter: DataCubeDimensionGeoShapesCubeFilter!) {
query DataCubeDimensionGeoShapes($sourceType: String!, $sourceUrl: DataSourceUrl!, $locale: String!, $cubeFilter: DataCubeDimensionGeoShapesCubeFilter!) {
dataCubeDimensionGeoShapes(
sourceType: $sourceType
sourceUrl: $sourceUrl
Expand All @@ -468,7 +472,7 @@ export function useDataCubeDimensionGeoShapesQuery(options: Omit<Urql.UseQueryAr
return Urql.useQuery<DataCubeDimensionGeoShapesQuery>({ query: DataCubeDimensionGeoShapesDocument, ...options });
};
export const DataCubeMetadataDocument = gql`
query DataCubeMetadata($sourceType: String!, $sourceUrl: String!, $locale: String!, $cubeFilter: DataCubeMetadataFilter!) {
query DataCubeMetadata($sourceType: String!, $sourceUrl: DataSourceUrl!, $locale: String!, $cubeFilter: DataCubeMetadataFilter!) {
dataCubeMetadata(
sourceType: $sourceType
sourceUrl: $sourceUrl
Expand All @@ -482,7 +486,7 @@ export function useDataCubeMetadataQuery(options: Omit<Urql.UseQueryArgs<DataCub
return Urql.useQuery<DataCubeMetadataQuery>({ query: DataCubeMetadataDocument, ...options });
};
export const DataCubeComponentTermsetsDocument = gql`
query DataCubeComponentTermsets($sourceType: String!, $sourceUrl: String!, $locale: String!, $cubeFilter: DataCubeTermsetFilter!) {
query DataCubeComponentTermsets($sourceType: String!, $sourceUrl: DataSourceUrl!, $locale: String!, $cubeFilter: DataCubeTermsetFilter!) {
dataCubeComponentTermsets(
sourceType: $sourceType
sourceUrl: $sourceUrl
Expand All @@ -496,7 +500,7 @@ export function useDataCubeComponentTermsetsQuery(options: Omit<Urql.UseQueryArg
return Urql.useQuery<DataCubeComponentTermsetsQuery>({ query: DataCubeComponentTermsetsDocument, ...options });
};
export const DataCubeObservationsDocument = gql`
query DataCubeObservations($sourceType: String!, $sourceUrl: String!, $locale: String!, $cubeFilter: DataCubeObservationFilter!) {
query DataCubeObservations($sourceType: String!, $sourceUrl: DataSourceUrl!, $locale: String!, $cubeFilter: DataCubeObservationFilter!) {
dataCubeObservations(
sourceType: $sourceType
sourceUrl: $sourceUrl
Expand All @@ -510,7 +514,7 @@ export function useDataCubeObservationsQuery(options: Omit<Urql.UseQueryArgs<Dat
return Urql.useQuery<DataCubeObservationsQuery>({ query: DataCubeObservationsDocument, ...options });
};
export const DataCubePreviewDocument = gql`
query DataCubePreview($sourceType: String!, $sourceUrl: String!, $locale: String!, $cubeFilter: DataCubePreviewFilter!) {
query DataCubePreview($sourceType: String!, $sourceUrl: DataSourceUrl!, $locale: String!, $cubeFilter: DataCubePreviewFilter!) {
dataCubePreview(
sourceType: $sourceType
sourceUrl: $sourceUrl
Expand All @@ -524,7 +528,7 @@ export function useDataCubePreviewQuery(options: Omit<Urql.UseQueryArgs<DataCube
return Urql.useQuery<DataCubePreviewQuery>({ query: DataCubePreviewDocument, ...options });
};
export const PossibleFiltersDocument = gql`
query PossibleFilters($sourceType: String!, $sourceUrl: String!, $cubeFilter: DataCubePossibleFiltersCubeFilter!) {
query PossibleFilters($sourceType: String!, $sourceUrl: DataSourceUrl!, $cubeFilter: DataCubePossibleFiltersCubeFilter!) {
possibleFilters(
sourceType: $sourceType
sourceUrl: $sourceUrl