Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AJV schema validation functions should be pre-compiled to avoid unsafe-eval CSP requirement #423

Closed
hrobertson opened this issue Jul 28, 2021 · 5 comments · Fixed by #471
Closed

AJV schema validation functions should be pre-compiled to avoid unsafe-eval CSP requirement #423

hrobertson opened this issue Jul 28, 2021 · 5 comments · Fixed by #471
Labels
type/bug Something isn't working

Comments

@hrobertson
Copy link

Describe the Bug
Compiling the AJV schema validation functions at runtime uses new new Function which requires the CSP script-src to include 'unsafe-eval'.

Instead, the schema validation functions should be pre-compiled.

Steps to Reproduce

  1. Use the cloudevents/sdk-javascript library in a site with a CSP with script-src not including 'unsafe-eval'
  2. Use new CloudEvent(...)
  3. Observe CSP error

Expected Behavior
The library should be able to be used successfully without including 'unsafe-eval' in your CSP.

Additional context
See https://github.com/ajv-validator/ajv/blob/master/docs/security.md#content-security-policy
@lance
Copy link
Member

lance commented Aug 3, 2021

@hrobertson thanks for reporting this.

See also: https://github.com/ajv-validator/ajv/blob/master/docs/standalone.md

@lance lance added the type/bug Something isn't working label Aug 3, 2021
@github-actions
Copy link
Contributor

github-actions bot commented Sep 3, 2021

This issue is stale because it has been open 30 days with no activity.

@lance
Copy link
Member

lance commented Dec 14, 2021

I have been working on this, but am awaiting some response from the ajv team ajv-validator/ajv#1837

@github-actions
Copy link
Contributor

This issue is stale because it has been open 30 days with no activity.

lance added a commit to lance/sdk-javascript that referenced this issue Feb 10, 2022
@lance
feat: precompile cloudevent schema
4119381 
This commit modifies the build pipleline so that the cloudevent schema is
precompiled for runtime validation. This eliminates the need to compile the
schema at runtime, improving both performance and security.

Fixes: cloudevents#423

Signed-off-by: Lance Ball <lball@redhat.com>
@lance lance mentioned this issue Feb 10, 2022
Merged
lance added a commit to lance/sdk-javascript that referenced this issue Feb 11, 2022
@lance
feat: precompile cloudevent schema
2e8cc9a 
This commit modifies the build pipleline so that the cloudevent schema is
precompiled for runtime validation. This eliminates the need to compile the
schema at runtime, improving both performance and security.

Fixes: cloudevents#423

Signed-off-by: Lance Ball <lball@redhat.com>
@github-actions
Copy link
Contributor

This issue is stale because it has been open 30 days with no activity.

lance added a commit that referenced this issue Feb 15, 2022
@lance
feat: precompile cloudevent schema (#471)
b13bde9 
* feat: precompile cloudevent schema

This commit modifies the build pipleline so that the cloudevent schema is
precompiled for runtime validation. This eliminates the need to compile the
schema at runtime, improving both performance and security.

Fixes: #423

Signed-off-by: Lance Ball <lball@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: precompile cloudevent schema lance/sdk-javascript
2 participants
@lance @hrobertson