CSP headers and management UI

[sumanth28kalluri]

Community Support Policy

• I have read RabbitMQ's Community Support Policy

RabbitMQ version used

3.13.7 or older

How is RabbitMQ deployed?

RPM package

Steps to reproduce the behavior in question

Hi,
After running a dynamic scan on my v4.1.0 and v3.13.2 RabbitMQ instance, I found the following vulnerabilities -

1. CSP: Wildcard Directive
2. CSP: script-src unsafe-eval
3. CSP: script-src unsafe-inline
4. Dangerous JS Functions

Initially -
The CSP header is not being set by us, we are recieving it in the response headers of our HTTP API request with the following directives -
Content-Security-Policy: default-src 'self'; script-src 'https' 'unsafe-eval' 'unsafe-inline'; frame-ancestors 'none';
thus, causing vulnerabilities.

Inorder to resolve these vulnerabilities, I've followed the Official Docs and tried the following -

1. removed issue causing directives(script-src which contains unsafe-eval and unsafe-inline) and specifying domain name in the default-src directive.
2. removed issue causing directives(script-src which contains unsafe-eval and unsafe-inline) and using Wildcard of the host domain in default-src directive.

but in both the cases I get the same issue, The login page of management UI just shows a blank page and I can see the below error in the Inspect tab -

The Content Security Policy (CSP) prevents cross-site scripting attacks by blocking inline execution of scripts and style sheets.

To solve this, move all inline scripts (e.g. onclick=[JS code]) and styles into external files.

⚠️ Allowing inline execution comes at the risk of script injection via injection of HTML script elements. If you absolutely must, you can allow inline script and styles by:

- adding unsafe-inline as a source to the CSP header
- adding the hash or nonce of the inline script to your CSP header.
1 directive
Directive    Element    Source location    Status
script-src-elem        localhost/:27    blocked

[michaelklishin]

These are not vulnerabilities, they are warnings. A vulnerability is a proven

RabbitMQ's management UI is an old SPA that relies on a very old library (Sammy), so it might depend on inline scripts. This won't change in the short and medium term. If you want to contribute a new UI, you are welcome to do so.

The UI should not be exposed to the public Internet and its use is entirely optional. Prometheus and Grafana are the recommended monitoring option, standard CLI tools and rabbitmqadmin v2 can do everything the UI can (and more).