From b0cb2c72e98206c42bdd25d6077582362a837f55 Mon Sep 17 00:00:00 2001
From: Andrew Kane <andrew@ankane.org>
Date: Thu, 11 Jul 2024 14:22:12 -0700
Subject: [PATCH] Improved CSP support

---
 CHANGELOG.md                                  |  4 ++++
 app/views/blazer/_variables.html.erb          | 16 ++++++++--------
 app/views/blazer/checks/_form.html.erb        | 16 ++++++++--------
 app/views/blazer/checks/index.html.erb        |  4 ++--
 app/views/blazer/dashboards/_form.html.erb    |  4 ++--
 app/views/blazer/dashboards/show.html.erb     |  4 ++--
 app/views/blazer/queries/_form.html.erb       |  4 ++--
 app/views/blazer/queries/home.html.erb        |  4 ++--
 app/views/blazer/queries/run.html.erb         |  8 ++++----
 app/views/blazer/queries/schema.html.erb      |  4 ++--
 app/views/blazer/queries/show.html.erb        |  8 ++++----
 app/views/blazer/uploads/index.html.erb       |  4 ++--
 app/views/layouts/blazer/application.html.erb |  8 ++++----
 13 files changed, 46 insertions(+), 42 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 97d077fef..fe342c9f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.0.4 (unreleased)
+
+- Improved CSP support
+
 ## 3.0.3 (2024-01-10)
 
 - Fixed error with Trilogy, non-ASCII column names, and charts
diff --git a/app/views/blazer/_variables.html.erb b/app/views/blazer/_variables.html.erb
index a2bc8df1f..9d8af1be3 100644
--- a/app/views/blazer/_variables.html.erb
+++ b/app/views/blazer/_variables.html.erb
@@ -1,6 +1,6 @@
 <% if @bind_vars.any? %>
   <% var_params = request.query_parameters %>
-  <script>
+  <%= javascript_tag nonce: true do %>
     <%= blazer_js_var "timeZone", Blazer.time_zone.tzinfo.name %>
     var now = moment.tz(timeZone)
     var format = "YYYY-MM-DD"
@@ -8,7 +8,7 @@
     function toDate(time) {
       return moment.tz(time.format(format), timeZone)
     }
-  </script>
+  <% end %>
   <form id="bind" method="get" action="<%= action %>" class="form-inline" style="margin-bottom: 15px;">
     <% date_vars = ["start_time", "end_time"] %>
     <% if (date_vars - @bind_vars).empty? %>
@@ -21,11 +21,11 @@
       <%= label_tag var, var %>
       <% if (data = @smart_vars[var]) %>
         <%= select_tag var, options_for_select([[nil, nil]] + data, selected: var_params[var]), style: "margin-right: 20px; width: 200px; display: none;" %>
-        <script>
+        <%= javascript_tag nonce: true do %>
           $("#<%= var %>").selectize({
             create: true
           });
-        </script>
+        <% end %>
       <% elsif var.end_with?("_at") || var == "start_time" || var == "end_time" %>
         <%= hidden_field_tag var, var_params[var] %>
 
@@ -35,7 +35,7 @@
           </div>
         </div>
 
-        <script>
+        <%= javascript_tag nonce: true do %>
           (function() {
             var input = $("#<%= var %>")
             var datePicker = $("#<%= var %>-select")
@@ -57,7 +57,7 @@
               datePicker.find("span").html(toDate(picker.startDate).format("MMMM D, YYYY"))
             }
           })()
-        </script>
+        <% end %>
       <% else %>
         <%= text_field_tag var, var_params[var], style: "width: 120px; margin-right: 20px;", autofocus: i == 0 && !var.end_with?("_at") && !var_params[var], class: "form-control" %>
       <% end %>
@@ -75,7 +75,7 @@
         </div>
       </div>
 
-      <script>
+      <%= javascript_tag nonce: true do %>
         function dateStr(daysAgo) {
           return now.clone().subtract(daysAgo || 0, "days").format(format)
         }
@@ -119,7 +119,7 @@
           $("#reportrange").trigger("apply.daterangepicker", picker)
           submitIfCompleted($("#start_time").closest("form"))
         }
-      </script>
+      <% end %>
     <% end %>
 
     <input type="submit" class="btn btn-success" value="Run" style="vertical-align: top;" />
diff --git a/app/views/blazer/checks/_form.html.erb b/app/views/blazer/checks/_form.html.erb
index ceaf4e440..3e6020604 100644
--- a/app/views/blazer/checks/_form.html.erb
+++ b/app/views/blazer/checks/_form.html.erb
@@ -12,12 +12,12 @@
     <div class="hide">
       <%= f.select :query_id, [], {include_blank: true} %>
     </div>
-    <script>
+    <%= javascript_tag nonce: true do %>
       <%= blazer_js_var "queries", Blazer::Query.active.named.order(:name).select("id, name").map { |q| {text: q.name, value: q.id} } %>
       <%= blazer_js_var "items", [@check.query_id].compact %>
 
       $("#check_query_id").selectize({options: queries, items: items, highlight: false, maxOptions: 100}).parents(".hide").removeClass("hide");
-    </script>
+    <% end %>
   </div>
 
   <% if @check.respond_to?(:check_type) %>
@@ -28,9 +28,9 @@
         <% check_options << ["Anomaly (most recent data point)", "anomaly"] if Blazer.anomaly_checks %>
         <%= f.select :check_type, check_options %>
       </div>
-      <script>
+      <%= javascript_tag nonce: true do %>
         $("#check_check_type").selectize({}).parent().removeClass("hide");
-      </script>
+      <% end %>
     </div>
   <% elsif @check.respond_to?(:invert) %>
     <div class="form-group">
@@ -38,9 +38,9 @@
       <div class="hide">
         <%= f.select :invert, [["Any results (bad data)", false], ["No results (missing data)", true]] %>
       </div>
-      <script>
+      <%= javascript_tag nonce: true do %>
         $("#check_invert").selectize({}).parent().removeClass("hide");
-      </script>
+      <% end %>
     </div>
   <% end %>
 
@@ -50,9 +50,9 @@
       <div class="hide">
         <%= f.select :schedule, Blazer.check_schedules.map { |v| [v, v] } %>
       </div>
-      <script>
+      <%= javascript_tag nonce: true do %>
         $("#check_schedule").selectize({}).parent().removeClass("hide");
-      </script>
+      <% end %>
     </div>
   <% end %>
 
diff --git a/app/views/blazer/checks/index.html.erb b/app/views/blazer/checks/index.html.erb
index 5ce7296b8..dd1e3cda4 100644
--- a/app/views/blazer/checks/index.html.erb
+++ b/app/views/blazer/checks/index.html.erb
@@ -62,11 +62,11 @@
   </tbody>
 </table>
 
-<script>
+<%= javascript_tag nonce: true do %>
   $("#search").on("keyup", function() {
     var value = $(this).val().toLowerCase()
     $("#checks tbody tr").filter( function() {
       $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
     })
   }).focus()
-</script>
+<% end %>
diff --git a/app/views/blazer/dashboards/_form.html.erb b/app/views/blazer/dashboards/_form.html.erb
index af0d3cb2b..4e881dc8d 100644
--- a/app/views/blazer/dashboards/_form.html.erb
+++ b/app/views/blazer/dashboards/_form.html.erb
@@ -30,7 +30,7 @@
   </p>
 <% end %>
 
-<script>
+<%= javascript_tag nonce: true do %>
   <%= blazer_js_var "queries", Blazer::Query.active.named.order(:name).select("id, name").map { |q| {text: q.name, value: q.id} } %>
   <%= blazer_js_var "dashboardQueries", @queries || @dashboard.dashboard_queries.order(:position).map(&:query) %>
 
@@ -79,4 +79,4 @@
       app.queries.splice(e.newIndex, 0, app.queries.splice(e.oldIndex, 1)[0])
     }
   })
-</script>
+<% end %>
diff --git a/app/views/blazer/dashboards/show.html.erb b/app/views/blazer/dashboards/show.html.erb
index 30b716b93..8ba1f2b77 100644
--- a/app/views/blazer/dashboards/show.html.erb
+++ b/app/views/blazer/dashboards/show.html.erb
@@ -38,7 +38,7 @@
       <p class="text-muted">Loading...</p>
     </div>
   </div>
-  <script>
+  <%= javascript_tag nonce: true do %>
     <% data = {statement: query.statement, query_id: query.id, data_source: query.data_source, variables: variable_params(query), only_chart: true} %>
     <% data.merge!(cohort_period: params[:cohort_period]) if params[:cohort_period] %>
     <%= blazer_js_var "data", data %>
@@ -49,5 +49,5 @@
     }, function (message) {
       $("#chart-<%= i %>").addClass("query-error").html(message)
     });
-  </script>
+  <% end %>
 <% end %>
diff --git a/app/views/blazer/queries/_form.html.erb b/app/views/blazer/queries/_form.html.erb
index 5ad024c25..2cfe7cc59 100644
--- a/app/views/blazer/queries/_form.html.erb
+++ b/app/views/blazer/queries/_form.html.erb
@@ -68,7 +68,7 @@
   </div>
 </div>
 
-<script>
+<%= javascript_tag nonce: true do %>
   <%= blazer_js_var "variableParams", @variable_params %>
   <%= blazer_js_var "previewStatement", Blazer.data_sources.to_h { |k, v| [k, (v.preview_statement rescue "")] } %>
 
@@ -252,4 +252,4 @@
   })
   app.config.compilerOptions.whitespace = "preserve"
   app.mount("#app")
-</script>
+<% end %>
diff --git a/app/views/blazer/queries/home.html.erb b/app/views/blazer/queries/home.html.erb
index 80795fd37..051894f55 100644
--- a/app/views/blazer/queries/home.html.erb
+++ b/app/views/blazer/queries/home.html.erb
@@ -56,7 +56,7 @@
   <p v-if="more" class="text-muted">Loading...</p>
 </div>
 
-<script>
+<%= javascript_tag nonce: true do %>
   <%= blazer_js_var "dashboards", @dashboards %>
   <%= blazer_js_var "queries", @queries %>
   <%= blazer_js_var "more", @more %>
@@ -166,4 +166,4 @@
   })
   app.config.compilerOptions.whitespace = "preserve"
   app.mount("#queries")
-</script>
+<% end %>
diff --git a/app/views/blazer/queries/run.html.erb b/app/views/blazer/queries/run.html.erb
index 2f433e918..82760be1b 100644
--- a/app/views/blazer/queries/run.html.erb
+++ b/app/views/blazer/queries/run.html.erb
@@ -75,21 +75,21 @@
     <% if @markers.any? %>
       <% map_id = SecureRandom.hex %>
       <%= content_tag :div, nil, id: map_id, style: "height: #{@only_chart ? 300 : 500}px;" %>
-      <script>
+      <%= javascript_tag nonce: true do %>
         <%= blazer_js_var "mapboxAccessToken", Blazer.mapbox_access_token %>
         <%= blazer_js_var "markers", @markers %>
         <%= blazer_js_var "mapId", map_id %>
         new Mapkick.Map(mapId, markers, {accessToken: mapboxAccessToken, tooltips: {hover: false, html: true}});
-      </script>
+      <% end %>
     <% elsif @geojson.any? %>
       <% map_id = SecureRandom.hex %>
       <%= content_tag :div, nil, id: map_id, style: "height: #{@only_chart ? 300 : 500}px;" %>
-      <script>
+      <%= javascript_tag nonce: true do %>
         <%= blazer_js_var "mapboxAccessToken", Blazer.mapbox_access_token %>
         <%= blazer_js_var "geojson", @geojson %>
         <%= blazer_js_var "mapId", map_id %>
         new Mapkick.AreaMap(mapId, geojson, {accessToken: mapboxAccessToken, tooltips: {hover: false, html: true}});
-      </script>
+      <% end %>
     <% elsif chart_type == "line" %>
       <% chart_data = @columns[1..-1].each_with_index.map{ |k, i| {name: blazer_series_name(k), data: @rows.map{ |r| [r[0], r[i + 1]] }, library: series_library[i]} } %>
       <%= line_chart chart_data, **chart_options %>
diff --git a/app/views/blazer/queries/schema.html.erb b/app/views/blazer/queries/schema.html.erb
index be3b2897f..764a85773 100644
--- a/app/views/blazer/queries/schema.html.erb
+++ b/app/views/blazer/queries/schema.html.erb
@@ -28,7 +28,7 @@
   </table>
 <% end %>
 
-<script>
+<%= javascript_tag nonce: true do %>
   $("#search").on("keyup", function() {
     var value = $(this).val().toLowerCase()
     $(".schema-table").filter(function() {
@@ -52,4 +52,4 @@
       $(this).toggle(found)
     })
   }).focus()
-</script>
+<% end %>
diff --git a/app/views/blazer/queries/show.html.erb b/app/views/blazer/queries/show.html.erb
index 560b367e8..5a03b5380 100644
--- a/app/views/blazer/queries/show.html.erb
+++ b/app/views/blazer/queries/show.html.erb
@@ -46,7 +46,7 @@
     <p class="text-muted">Loading...</p>
   </div>
 
-  <script>
+  <%= javascript_tag nonce: true do %>
     function showRun(data) {
       $("#results").html(data)
       $("#results table").stupidtable(stupidtableCustomSettings).stickyTableHeaders({fixedOffset: 60})
@@ -59,14 +59,14 @@
     <%= blazer_js_var "data", @run_data %>
 
     runQuery(data, showRun, showError)
-  </script>
+  <% end %>
 <% end %>
 
-<script>
+<%= javascript_tag nonce: true do %>
   // do not highlight really long queries
   // this can lead to performance issues
   var code = $("#code code")
   if (code.text().length < 10000) {
     hljs.highlightElement(code.get(0))
   }
-</script>
+<% end %>
diff --git a/app/views/blazer/uploads/index.html.erb b/app/views/blazer/uploads/index.html.erb
index 18dc1a2b1..96506f808 100644
--- a/app/views/blazer/uploads/index.html.erb
+++ b/app/views/blazer/uploads/index.html.erb
@@ -45,11 +45,11 @@
   </tbody>
 </table>
 
-<script>
+<%= javascript_tag nonce: true do %>
   $("#search").on("keyup", function() {
     var value = $(this).val().toLowerCase()
     $("#uploads tbody tr").filter( function() {
       $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
     })
   }).focus()
-</script>
+<% end %>
diff --git a/app/views/layouts/blazer/application.html.erb b/app/views/layouts/blazer/application.html.erb
index b8a87f70e..93f71cf07 100644
--- a/app/views/layouts/blazer/application.html.erb
+++ b/app/views/layouts/blazer/application.html.erb
@@ -7,14 +7,14 @@
     <%= favicon_link_tag "blazer/favicon.png" %>
     <% if defined?(Propshaft::Railtie) %>
       <%= stylesheet_link_tag "blazer/bootstrap-propshaft", "blazer/bootstrap", "blazer/selectize", "blazer/github", "blazer/daterangepicker", "blazer/application" %>
-      <%= javascript_include_tag "blazer/jquery", "blazer/rails-ujs", "blazer/stupidtable", "blazer/stupidtable-custom-settings", "blazer/jquery.stickytableheaders", "blazer/selectize", "blazer/highlight.min", "blazer/moment", "blazer/moment-timezone-with-data", "blazer/daterangepicker", "blazer/chart.umd", "blazer/chartjs-adapter-date-fns.bundle", "blazer/chartkick", "blazer/mapkick.bundle", "blazer/ace/ace", "blazer/ace/ext-language_tools", "blazer/ace/theme-twilight", "blazer/ace/mode-sql", "blazer/ace/snippets/text", "blazer/ace/snippets/sql", "blazer/Sortable", "blazer/bootstrap", "blazer/vue.global.prod", "blazer/routes", "blazer/queries", "blazer/fuzzysearch", "blazer/application" %>
+      <%= javascript_include_tag "blazer/jquery", "blazer/rails-ujs", "blazer/stupidtable", "blazer/stupidtable-custom-settings", "blazer/jquery.stickytableheaders", "blazer/selectize", "blazer/highlight.min", "blazer/moment", "blazer/moment-timezone-with-data", "blazer/daterangepicker", "blazer/chart.umd", "blazer/chartjs-adapter-date-fns.bundle", "blazer/chartkick", "blazer/mapkick.bundle", "blazer/ace/ace", "blazer/ace/ext-language_tools", "blazer/ace/theme-twilight", "blazer/ace/mode-sql", "blazer/ace/snippets/text", "blazer/ace/snippets/sql", "blazer/Sortable", "blazer/bootstrap", "blazer/vue.global.prod", "blazer/routes", "blazer/queries", "blazer/fuzzysearch", "blazer/application", nonce: true %>
     <% else %>
       <%= stylesheet_link_tag "blazer/application" %>
-      <%= javascript_include_tag "blazer/application" %>
+      <%= javascript_include_tag "blazer/application", nonce: true %>
     <% end %>
-    <script>
+    <%= javascript_tag nonce: true do %>
       <%= blazer_js_var "rootPath", root_path %>
-    </script>
+    <% end %>
     <%= csrf_meta_tags %>
   </head>
   <body>