Merge pull request from GHSA-53q7-4874-24qg

lucanovera · Lucano Vera · daveqnet · Kelsey-Ethyca · commit 0555080541f1 · 2024-07-02T18:13:36.000-07:00
* Prevent exposing of SERVER_SIDE_FIDES_API_URL env variable to the client response

* Update changelog

* Remove exposure of serverSideFidesApiUrl as part of FidesConfig

* Update CHANGELOG.md

Co-authored-by: Dave Quinlan &lt;83430497+daveqnet@users.noreply.github.com&gt;

---------

Co-authored-by: Lucano Vera &lt;lucanovera@ethyca.com&gt;
Co-authored-by: Dave Quinlan &lt;83430497+daveqnet@users.noreply.github.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -31,6 +31,10 @@ The types of changes are:
 ### Security
 - Removed FidesJS's exposure to `polyfill.io` supply chain attack [CVE-2024-38537](https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m)
 
+### Security
+- Remove the SERVER_SIDE_FIDES_API_URL env variable from the client clientSettings [CVE-2024-31223](https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg)
+
+
 ## [2.39.0](https://github.com/ethyca/fides/compare/2.38.1...2.39.0)
 
 ### Added
diff --git a/clients/admin-ui/src/features/privacy-experience/preview/helpers.ts b/clients/admin-ui/src/features/privacy-experience/preview/helpers.ts
@@ -47,7 +47,6 @@ export const buildBaseConfig = (
     fidesApiUrl: "http://localhost:8080/api/v1",
     preventDismissal: experienceConfig.dismissable ?? false,
     allowHTMLDescription: true,
-    serverSideFidesApiUrl: "",
     fidesString: null,
     fidesJsBaseUrl: "",
     base64Cookie: false,
diff --git a/clients/fides-js/src/fides-tcf.ts b/clients/fides-js/src/fides-tcf.ts
@@ -245,7 +245,6 @@ const _Fides: FidesGlobal = {
     modalLinkId: null,
     privacyCenterUrl: "",
     fidesApiUrl: "",
-    serverSideFidesApiUrl: "",
     tcfEnabled: true,
     gppEnabled: false,
     fidesEmbed: false,
diff --git a/clients/fides-js/src/fides.ts b/clients/fides-js/src/fides.ts
@@ -183,7 +183,6 @@ const _Fides: FidesGlobal = {
     modalLinkId: null,
     privacyCenterUrl: "",
     fidesApiUrl: "",
-    serverSideFidesApiUrl: "",
     tcfEnabled: false,
     gppEnabled: false,
     fidesEmbed: false,
diff --git a/clients/fides-js/src/lib/consent-types.ts b/clients/fides-js/src/lib/consent-types.ts
@@ -72,9 +72,6 @@ export interface FidesInitOptions {
   // URL for the Fides API, used to fetch and save consent preferences. Required.
   fidesApiUrl: string;
 
-  // URL for Server-side Fides API, used to fetch geolocation and consent preference. Optional.
-  serverSideFidesApiUrl: string;
-
   // Whether we should show the TCF modal
   tcfEnabled: boolean;
 
diff --git a/clients/privacy-center/app/server-environment.ts b/clients/privacy-center/app/server-environment.ts
@@ -26,9 +26,15 @@ import {
 } from "~/types/config";
 
 /**
- * SERVER-SIDE functions
+ * Subset of PrivacyCenterSettings that are for use only on server-side and
+ * should never be exposed to the client.
  */
 
+export type PrivacyCenterServerSettings = Pick<
+  PrivacyCenterSettings,
+  "SERVER_SIDE_FIDES_API_URL"
+>;
+
 /**
  * Subset of PrivacyCenterSettings that are forwarded to the client.
  *
@@ -37,7 +43,6 @@ import {
 export type PrivacyCenterClientSettings = Pick<
   PrivacyCenterSettings,
   | "FIDES_API_URL"
-  | "SERVER_SIDE_FIDES_API_URL"
   | "DEBUG"
   | "GEOLOCATION_API_URL"
   | "IS_GEOLOCATION_ENABLED"
@@ -261,6 +266,20 @@ export const loadStylesFromFile = async (
   return file;
 };
 
+/**
+ * Load server settings from global environment variables
+ * The returned Server settings should never be exposed to the client
+ */
+export const loadServerSettings = (): PrivacyCenterServerSettings => {
+  const settings = loadEnvironmentVariables();
+  const serverSideSettings: PrivacyCenterServerSettings = {
+    SERVER_SIDE_FIDES_API_URL:
+      settings.SERVER_SIDE_FIDES_API_URL || settings.FIDES_API_URL,
+  };
+
+  return serverSideSettings;
+};
+
 /**
  * Loads all the ENV variable settings, configuration files, etc. to initialize the environment
  */
@@ -305,8 +324,6 @@ export const loadPrivacyCenterEnvironment = async ({
   // Load client settings (ensuring we only pass-along settings that are safe for the client)
   const clientSettings: PrivacyCenterClientSettings = {
     FIDES_API_URL: settings.FIDES_API_URL,
-    SERVER_SIDE_FIDES_API_URL:
-      settings.SERVER_SIDE_FIDES_API_URL || settings.FIDES_API_URL,
     DEBUG: settings.DEBUG,
     IS_OVERLAY_ENABLED: settings.IS_OVERLAY_ENABLED,
     IS_PREFETCH_ENABLED: settings.IS_PREFETCH_ENABLED,
diff --git a/clients/privacy-center/app/server-utils/getPropertyFromUrl.ts b/clients/privacy-center/app/server-utils/getPropertyFromUrl.ts
@@ -26,6 +26,7 @@ const getPropertyFromUrl = async ({
       result = await response.json();
     }
   } catch (e) {
+    // eslint-disable-next-line no-console
     console.log("Request to find property failed", e);
   }
 
diff --git a/clients/privacy-center/pages/api/fides-js.ts b/clients/privacy-center/pages/api/fides-js.ts
@@ -10,7 +10,10 @@ import {
   ComponentType,
   debugLog,
 } from "fides-js";
-import { loadPrivacyCenterEnvironment } from "~/app/server-environment";
+import {
+  loadPrivacyCenterEnvironment,
+  loadServerSettings,
+} from "~/app/server-environment";
 import { LOCATION_HEADERS, lookupGeolocation } from "~/common/geolocation";
 import { safeLookupPropertyId } from "~/common/property-id";
 
@@ -103,6 +106,8 @@ export default async function handler(
 ) {
   // Load the configured consent options (data uses, defaults, etc.) from environment
   const environment = await loadPrivacyCenterEnvironment();
+  const serverSettings = await loadServerSettings();
+
   let options: ConsentOption[] = [];
   if (environment.config?.consent?.page.consentOptions) {
     const configuredOptions = environment.config.consent.page.consentOptions;
@@ -158,7 +163,7 @@ export default async function handler(
       );
       experience = await fetchExperience(
         fidesRegionString,
-        environment.settings.SERVER_SIDE_FIDES_API_URL ||
+        serverSettings.SERVER_SIDE_FIDES_API_URL ||
           environment.settings.FIDES_API_URL,
         environment.settings.DEBUG,
         null,
@@ -208,9 +213,6 @@ export default async function handler(
       fidesApiUrl: environment.settings.FIDES_API_URL,
       tcfEnabled,
       gppEnabled,
-      serverSideFidesApiUrl:
-        environment.settings.SERVER_SIDE_FIDES_API_URL ||
-        environment.settings.FIDES_API_URL,
       fidesEmbed: environment.settings.FIDES_EMBED,
       fidesDisableSaveApi: environment.settings.FIDES_DISABLE_SAVE_API,
       fidesDisableNoticesServedApi:
@@ -325,8 +327,10 @@ async function fetchCustomFidesCss(
   if (shouldRefresh) {
     try {
       const environment = await loadPrivacyCenterEnvironment();
+      const serverSettings = await loadServerSettings();
+
       const fidesUrl =
-        environment.settings.SERVER_SIDE_FIDES_API_URL ||
+        serverSettings.SERVER_SIDE_FIDES_API_URL ||
         environment.settings.FIDES_API_URL;
       const response = await fetch(
         `${fidesUrl}/plus/custom-asset/custom-fides.css`

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ const getPropertyFromUrl = async ({`
`26`	`26`	`result = await response.json();`
`27`	`27`	`}`
`28`	`28`	`} catch (e) {`
	`29`	`+ // eslint-disable-next-line no-console`
`29`	`30`	`console.log("Request to find property failed", e);`
`30`	`31`	`}`
`31`	`32`