From 6514bdbb7eda5fba4ec6268e4bef4973bebcb8bc Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Fri, 3 Feb 2023 16:04:03 -0500
Subject: [PATCH] add more CSPs to the default correction check (#2668)

* add more CSPs to the default correction check
* add Dec2020ContentSecurityPolicy
---
 util/Setup/Context.cs | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/util/Setup/Context.cs b/util/Setup/Context.cs
index c858cde04c..251c61f626 100644
--- a/util/Setup/Context.cs
+++ b/util/Setup/Context.cs
@@ -6,8 +6,26 @@ namespace Bit.Setup;
 public class Context
 {
     private const string ConfigPath = "/bitwarden/config.yml";
-    // This keeps track of the value of the CSP that was defined as of Jan 2023.
-    // Do not change this value.
+
+    // These track of old CSP default values to correct.
+    // Do not change these values.
+    private const string Dec2020ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
+        "'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
+        "child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
+        "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
+        "https://twofactorauth.org; object-src 'self' blob:;";
+    private const string Jan2021ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
+        "'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
+        "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
+        "frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
+        "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
+        "https://twofactorauth.org; object-src 'self' blob:;";
+    private const string Feb2021ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
+        "'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
+        "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
+        "frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
+        "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
+        "https://2fa.directory; object-src 'self' blob:;";
     private const string Jan2023ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
         "'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com; " +
         "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
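Review bot: The new comment `// These track of old CSP default values to correct.` is missing a word and does not say what the list is for; `// Previously shipped defaults for NginxHeaderContentSecurityPolicy. A config value equal to one of these is reset to null so the current default applies; append a new entry whenever the default changes.` would tell a maintainer why a new constant must be added here (the reset itself is the `_oldCspDefaults` check in the third hunk). The `{0}` placeholder inside each value is also left unexplained; if it is the domain substituted when the header is rendered, a short note next to the constants saying so would help, though that substitution is not visible in this diff. The Context class continues past the end of the hunk.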
@@ -15,6 +33,14 @@ public class Context
         "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
         "https://api.2fa.directory; object-src 'self' blob:;";
 
+    private string[] _oldCspDefaults =
+    {
+        Dec2020ContentSecurityPolicy,
+        Jan2021ContentSecurityPolicy,
+        Feb2021ContentSecurityPolicy,
+        Jan2023ContentSecurityPolicy
+    };
+
     public string[] Args { get; set; }
     public bool Quiet { get; set; }
     public bool Stub { get; set; }
@@ -127,7 +153,7 @@ public class Context
         Config = deserializer.Deserialize(configText);
 
         // Fix old explicit config assignments of CSP which should be treated as a default value
-        if (Config.NginxHeaderContentSecurityPolicy == Jan2023ContentSecurityPolicy)
+        if (_oldCspDefaults.Any(c => c == Config.NginxHeaderContentSecurityPolicy))
         {
             Config.NginxHeaderContentSecurityPolicy = null;
             SaveConfiguration();
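Review bot: `private string[] _oldCspDefaults =` declares a mutable per-instance array for what is a fixed list of compile-time constants; `private static readonly string[] _oldCspDefaults =` (or an `IReadOnlyList<string>` if element writes should be impossible too) makes the intent explicit and prevents other code in the class from reassigning the list before the check in the last hunk runs. Nothing in the hunks shown reassigns it, but the rest of Context is outside this diff so that cannot be confirmed here. The class continues beyond the hunk.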
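Review bot: The check `_oldCspDefaults.Any(c => c == Config.NginxHeaderContentSecurityPolicy)` is an exact ordinal comparison, so a stored value that differs from a recorded default only by trailing whitespace or a newline (for example from a hand-edited config.yml) is not recognised and that stale policy stays pinned instead of being reset to the current default; whether such values occur in practice is not visible here. If they can, compare a trimmed copy, `var current = Config.NginxHeaderContentSecurityPolicy?.Trim();` followed by `if (current is not null && _oldCspDefaults.Contains(current, StringComparer.Ordinal))`. Otherwise `_oldCspDefaults.Contains(Config.NginxHeaderContentSecurityPolicy)` reads more directly than the lambda with the same result. The enclosing method begins and ends outside the hunk.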