KoolReport's Forum

Official Support Area, Q&As, Discussions, Suggestions and Bug reports.
Forum's Guidelines

Security concerns regarding the use of unsafe-eval and unsafe-inline #3287

Open GHSix opened this topic on on May 13 - 8 comments
GHSix commented on May 13

Our client’s security team has requested the removal of “unsafe-eval” and “unsafe-inline” directives from the “Content-Security-Policy” header to enhance protection against XSS attacks, among other vulnerabilities.

When the CSP header includes something like “default-src ‘self’ ‘unsafe-eval’ ‘unsafe-inline’”, it permits the execution of JavaScript code from unsafe sources, thereby increasing the risk of XSS attacks. This encompasses functions like eval(), inline scripting and styling, among others. You can find more information on this topic here https://csp.withgoogle.com/docs/strict-csp.html and here https://content-security-policy.com and here https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy.

Is that possible to secure headers with Koolreport Dashboard?

Thank you for taking the time to understand our needs and for your efforts in providing clarification.

Best regards.

GHSix commented on May 17

This issue is directly linked to our ability to continue using Koolreport, so please let me know if my question is unclear in any way.

Thank you in advance

GHSix commented on May 28

Please, I really need an official response from Koolreport team regarding this security subject. If it's not possible to use a strict CSP with Koolreport Dashboard right now, is there any plans to make it CSP compatible?

Thank you.

KoolReport commented on May 29

Hi GHSix,

Please post me your current CSP meta tag.

I would like to examine the case.

GHSix commented on May 30

Hi. Thank you for taking the time to take a look at this issue.

My current CSP is as follows:

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.ghsix.com.br *.googleapis.com *.gstatic.com data:; img-src * data:; font-src 'self' fonts.googleapis.com fonts.gstatic.com data:; frame-ancestors 'self' *.ghsix.com.br

As soon as I remove the unsafe-eval and unsafe-inline and reload the Dashboard, I got lots of errors like this one on the login screen with a never ending loading icon over the login form:

[Script Loader] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' *.ghsix.com.br *.googleapis.com *.gstatic.com data:".

    at eval (<anonymous>)
    at e.exports (appstack.js:1:4837)
    at Object.<anonymous> (appstack.js:812:207391)
    at t (appstack.js:1:110)
    at Module.<anonymous> (appstack.js:48815:32271)
    at t (appstack.js:1:110)
    at appstack.js:1:900
    at appstack.js:1:911
GHSix commented on Jul 15

Hi KoolReport,

Any updates?

Sebastian Morales commented on Jul 22

Does it only happen with Dashboard's AppStack theme? In the case of AppStack theme, I think you can safely remove eval function by opening the file koolreport/appstack/assets/js/appstack.js and replace the following string:

eval.call(null,t)

with:

true

This eval function is used to load some js controls of AppStack. Since Dashboard uses KoolReport's own controls, not AppStack's controls this should be fine. If there's any issue let us know.

GHSix commented on Jul 25

Hi. I have first changed to Amazing theme to see what happens. Without unsafe-inline I could not pass the login screen too, and letting unsafe-inline and removing only unsafe-eval from CSP, I got this trying to login in:

app.js:95 Uncaught 
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' *.averbeporto.com.br *.ghsix.com.br *.googleapis.com *.gstatic.com data:".

    at new Function (<anonymous>)
    at app.js:95:24
    at Array.forEach (<anonymous>)
    at Object.contactDone (app.js:94:26)
    at Object.<anonymous> (app.js:56:34)
    at c (jquery.min.js:2:28294)
    at Object.fireWith [as resolveWith] (jquery.min.js:2:29039)
    at l (jquery.min.js:2:79817)
    at XMLHttpRequest.<anonymous> (jquery.min.js:2:82271)
(anonymous)	@	app.js:95
contactDone	@	app.js:94
(anonymous)	@	app.js:56
c	@	jquery.min.js:2
fireWith	@	jquery.min.js:2
l	@	jquery.min.js:2
(anonymous)	@	jquery.min.js:2
load		
send	@	jquery.min.js:2
ajax	@	jquery.min.js:2
contact	@	app.js:47
login	@	app.js:107
onsubmit	@	?kdr=eyJyb3V0ZSI6IkF…YW1zIjpudWxsfQ==:28

app.js (94-96) - Here is the evil, "new Function" is eval too.:

response.scripts.forEach(function (script) {
            var func = new Function(script);
            func();
        });

I'm not a security expert either, but I guess that to make Koolreport CSP compliant and security-aware, you'd have to refactor some of your code. This might involve evaluating "script" inside a web worker or in a sandboxed iframe. I'm not entirely sure, though.

Have you considered any specific approaches to address these security concerns?

Sebastian Morales commented on Aug 2

We are looking to implement methods to make Dashboard CSP compatible but it would need some time, probably at least 1-2 months. We will keep you updated on this topic.

Build Your Excellent Data Report

Let KoolReport help you to make great reports. It's free & open-source released under MIT license.

Download KoolReport View demo
help needed
Dashboard

Designed and built with by KoolPHP Inc.

Code licensed MIT.