chore(chat): add CSP headers, bump minimatch to 10.2.4 (#5917)

IlyaBondar · dependabot[bot] · web-flow · commit 85817c278eb0 · 2026-03-09T15:45:24.000+01:00
Signed-off-by: dependabot[bot] &lt;support@github.com&gt;
Co-authored-by: dependabot[bot] &lt;49699333+dependabot[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/deploy-development.yml b/.github/workflows/deploy-development.yml
@@ -24,7 +24,7 @@ jobs:
             gitlab-project-id: "3016"
 
     name: Deploy to ${{ matrix.environment-name }}
-    uses: epam/ai-dial-ci/.github/workflows/deploy-development.yml@3.1.2
+    uses: epam/ai-dial-ci/.github/workflows/deploy-development.yml@3.1.3
     with:
       gitlab-project-id: ${{ matrix.gitlab-project-id }}
       environment-name: ${{ matrix.environment-name }}
diff --git a/.github/workflows/pr-title-check.yml b/.github/workflows/pr-title-check.yml
@@ -13,6 +13,6 @@ concurrency:
 
 jobs:
   pr-title-check:
-    uses: epam/ai-dial-ci/.github/workflows/pr-title-check.yml@3.1.2
+    uses: epam/ai-dial-ci/.github/workflows/pr-title-check.yml@3.1.3
     secrets:
       ACTIONS_BOT_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }}
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -10,7 +10,7 @@ concurrency:
 
 jobs:
   run_tests:
-    uses: epam/ai-dial-ci/.github/workflows/node_pr.yml@3.1.2
+    uses: epam/ai-dial-ci/.github/workflows/node_pr.yml@3.1.3
     secrets: inherit
     with:
       node-version: 24
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,7 +10,7 @@ concurrency:
 
 jobs:
   release:
-    uses: epam/ai-dial-ci/.github/workflows/node_release.yml@3.1.2
+    uses: epam/ai-dial-ci/.github/workflows/node_release.yml@3.1.3
     secrets: inherit
     with:
       node-version: 24
diff --git a/.trivyignore b/.trivyignore
@@ -1,5 +1,2 @@
 # node:24-alpine vulnerabilities in https://hub.docker.com/layers/library/node/24-alpine
-CVE-2026-25547 exp:2026-05-20
-CVE-2026-26996 exp:2026-05-20
-CVE-2026-24842 exp:2026-05-20
-CVE-2026-26960 exp:2026-05-20
+CVE-2026-22184 exp:2026-05-20
diff --git a/apps/chat/.env.development b/apps/chat/.env.development
@@ -153,7 +153,7 @@ NEXT_PUBLIC_OVERLAY_HOST="localhost:3000"
 TOPICS="Business,Development,User Experience,Analysis,SQL,SDLC,Talk-To-Your-Data,RAG,Text Generation,Image Generation,Image Recognition"
 # CODE_EDITOR_PYTHON_VERSIONS="python3.11,python3.12"
 
-# NEXT_PUBLIC_STAGE_CONTENT_LIMIT="400"
+NEXT_PUBLIC_STAGE_CONTENT_LIMIT="100"
 
 # HIDDEN_ENTITY_TAG=""
 AUTH_IDTOKEN_PROVIDERS="google,gitlab"
diff --git a/apps/chat/README.md b/apps/chat/README.md
@@ -107,8 +107,9 @@ DIAL Chat uses environment variables for configuration. All environment variable
 | `DIAL_API_VERSION`                  |    No    | DIAL API Version                                                                                                                                                                                                                                                                                                              | Any string                                                                                                                                                                                                          | `2025-01-01-preview`                                                                                                            |
 | `APP_BASE_PATH`                     |    No    | The root directory in the file system where the application is located                                                                                                                                                                                                                                                        | Any string                                                                                                                                                                                                          |                                                                                                                                 |
 | `APP_BASE_ORIGIN`                   | Optional | A base URL or origin of the application.<br />Required if `APP_BASE_PATH` is set.                                                                                                                                                                                                                                             | Any string                                                                                                                                                                                                          |                                                                                                                                 |
-| `ALLOWED_IFRAME_ORIGINS`            |    No    | Specifies all URLs that are allowed to embed DIAL Chat within an iframe.<br />Necessary for [DIAL Overlay](../../libs/overlay/README.md).                                                                                                                                                                                     | Any origin valid format. List of space separated URLs.                                                                                                                                                              | `none`                                                                                                                          |
-| `ALLOWED_IFRAME_SOURCES`            |    No    | iFrame sources (e.g. [visualizers](https://github.com/epam/ai-dial-chat/blob/development/libs/chat-visualizer-connector/README.md)) that are allowed to load content into an iframe in the DIAL Chat application                                                                                                              | Any valid source format. List of space separated sources.                                                                                                                                                           | `none`                                                                                                                          |
+| `ALLOWED_IFRAME_ORIGINS`            |    No    | Specifies all URLs that are allowed to embed DIAL Chat within an iframe.<br />Necessary for [DIAL Overlay](../../libs/overlay/README.md). (`frame-ancestors` directive of Content Security Policy (CSP))                                                                                                                      | Any origin valid format. List of space separated URLs.                                                                                                                                                              | `none`                                                                                                                          |
+| `ALLOWED_IFRAME_SOURCES`            |    No    | iFrame sources (e.g. [visualizers](https://github.com/epam/ai-dial-chat/blob/development/libs/chat-visualizer-connector/README.md)) that are allowed to load content into an iframe in the DIAL Chat application (`frame-src` directive of Content Security Policy (CSP))                                                     | Any valid source format. List of space separated sources.                                                                                                                                                           | `none`                                                                                                                          |
+| `ALLOWED_SCRIPT_SOURCES`            |    No    | Specifies `script-src` directive of Content Security Policy (CSP) : define from where scripts can be executed                                                                                                                                                                                                                 | Any origin valid format. List of space separated URLs.                                                                                                                                                              | `'self' ALLOWED_IFRAME_ORIGINS ALLOWED_IFRAME_SOURCES`                                                                          |
 | `IS_IFRAME`                         |    No    | Is iFrame flag enables/disables the [DIAL Overlay](../../libs/overlay/README.md)                                                                                                                                                                                                                                              | `true`, `false`                                                                                                                                                                                                     | `false`                                                                                                                         |
 | `ALLOW_OPEN_SIGNIN_PAGE_IN_IFRAME`  |    No    | This is the iFrame flag for the [DIAL Overlay](../../libs/overlay/README.md) enables the Sign-In page to render within an iFrame. Activating this flag disables the `X-Frame-Options: SAMEORIGIN` header and enforces the `frame-ancestors` directive using the URLs specified in the `ALLOWED_IFRAME_ORIGINS` variable.      | `true`, `false`                                                                                                                                                                                                     | `false`                                                                                                                         |
 | `ENABLED_FEATURES`                  |    No    | Features enabled in the DIAL Chat application. [See details](/docs/ENABLED_FEATURES_ROLES.md)                                                                                                                                                                                                                                 | Refer to [Features](../../libs/shared/src/types/features.ts) to view all the available features.                                                                                                                    |                                                                                                                                 |
diff --git a/apps/chat/environment.d.ts b/apps/chat/environment.d.ts
@@ -16,9 +16,10 @@ declare global {
       APP_BASE_PATH?: string;
       APP_BASE_ORIGIN?: string;
       ALLOWED_IFRAME_ORIGINS?: string;
+      ALLOWED_IFRAME_SOURCES?: string;
+      ALLOWED_SCRIPT_SOURCES?: string;
       IS_IFRAME?: string;
       ALLOW_OPEN_SIGNIN_PAGE_IN_IFRAME?: string;
-      ALLOWED_IFRAME_SOURCES?: string;
       CUSTOM_VISUALIZERS?: string;
       ALLOW_VISUALIZER_SEND_MESSAGES?: boolean;
       ENABLED_FEATURES?: string;
diff --git a/apps/chat/src/components/Chat/MessageStage.tsx b/apps/chat/src/components/Chat/MessageStage.tsx
@@ -14,6 +14,9 @@ import { getDownLoadCurrentDate } from '@/src/utils/app/import-export';
 
 import { Translation } from '@/src/types/translation';
 
+import { useAppSelector } from '@/src/store/hooks';
+import { SettingsSelectors } from '@/src/store/selectors';
+
 import { Spinner } from '@/src/components/Common/Spinner';
 import { Tooltip } from '@/src/components/Common/Tooltip';
 import { ChatMDComponent } from '@/src/components/Markdown/ChatMDComponent';
@@ -60,14 +63,12 @@ const StageTitle = ({ isOpened, stage }: StageTitleProps) => (
   </div>
 );
 
-const getLimitStageContent = () =>
-  parseFloat(process.env.NEXT_PUBLIC_STAGE_CONTENT_LIMIT ?? '40');
-
-interface Props {
-  stage: Stage;
+interface DownloadStageViewProps {
+  content: string;
+  limit: number;
 }
 
-const DownloadStageView = ({ content }: { content: string }) => {
+const DownloadStageView = ({ content, limit }: DownloadStageViewProps) => {
   const { t } = useTranslation(Translation.Chat);
 
   const { copied: isCopied, onCopy: copyToClipboard } = useCopy(content, true);
@@ -89,9 +90,7 @@ const DownloadStageView = ({ content }: { content: string }) => {
 
   return (
     <div className="flex justify-between gap-1 ps-1">
-      {t(
-        `Content is too large to display (exceeds ${getLimitStageContent()} KB).`,
-      )}
+      {t(`Content is too large to display (exceeds ${limit} KB).`)}
       <div className="flex items-center gap-3 text-secondary">
         <DialButton
           className="[&:not(:disabled)]:hover:text-accent-primary"
@@ -124,10 +123,13 @@ const DownloadStageView = ({ content }: { content: string }) => {
 const StageView = ({ content }: { content: string }) => {
   // Calculate byte size of the string
   const size = useMemo(() => new Blob([content]).size, [content]);
+  const stageContentLimit = useAppSelector(
+    SettingsSelectors.selectStageContentLimit,
+  );
 
   // in bytes
-  if (size > getLimitStageContent() * 1024) {
-    return <DownloadStageView content={content} />;
+  if (size > stageContentLimit * 1024) {
+    return <DownloadStageView content={content} limit={stageContentLimit} />;
   }
   return (
     <span className="inline-block overflow-auto">
@@ -136,7 +138,11 @@ const StageView = ({ content }: { content: string }) => {
   );
 };
 
-export const MessageStage = ({ stage }: Props) => {
+interface MessageStageProps {
+  stage: Stage;
+}
+
+export const MessageStage = ({ stage }: MessageStageProps) => {
   const [isOpened, setIsOpened] = useState(false);
   const [hasContent, setHasContent] = useState(
     () => !!(stage?.content || stage?.attachments?.length),
diff --git a/apps/chat/src/middleware.ts b/apps/chat/src/middleware.ts
@@ -10,33 +10,15 @@ import { HeadersNames } from './constants/server';
 export function middleware(request: NextRequest) {
   const path = request.nextUrl.pathname;
 
-  const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
-
-  const isDev = process.env.NODE_ENV === 'development';
   const shouldIgnoreFrameOptions =
     (!process.env.ALLOW_OPEN_SIGNIN_PAGE_IN_IFRAME ||
       process.env.ALLOW_OPEN_SIGNIN_PAGE_IN_IFRAME === 'false') &&
     (path === '/auth/signin' || path === '/api/auth/signin');
 
-  const frameDirectives = getFrameContentSecurityPolicyDirectives(
-    process.env.ALLOWED_IFRAME_ORIGINS,
-    process.env.ALLOWED_IFRAME_SOURCES,
+  const [cspHeader, nonce] = getFrameContentSecurityPolicyDirectives(
     shouldIgnoreFrameOptions,
   );
-  const allowedScriptsSrc =
-    `${process.env.ALLOWED_IFRAME_ORIGINS ?? ''} ${process.env.ALLOWED_IFRAME_SOURCES ?? ''}`.replace(
-      "'self'",
-      '',
-    );
-  const cspHeader = `
-    object-src 'none';
-    base-uri 'self';
-    script-src 'self' ${allowedScriptsSrc}
-     https://cdn.jsdelivr.net/npm/monaco-editor@0.54.0/
-     'nonce-${nonce}' 'wasm-unsafe-eval' ${isDev ? "'unsafe-eval'" : ''};
-     worker-src 'self' blob:;
-    ${frameDirectives}
-`;
+
   // Replace newline characters and spaces
   const contentSecurityPolicyHeaderValue = cleanHeaderDirectives(cspHeader);
 
diff --git a/apps/chat/src/store/settings/settings.reducers.ts b/apps/chat/src/store/settings/settings.reducers.ts
@@ -31,6 +31,7 @@ const initialState: SettingsState = {
     borderlessTypes: [],
     withoutTitleTypes: [],
   },
+  stageContentLimit: 40,
 };
 
 export const settingsSlice = createSlice({
diff --git a/apps/chat/src/store/settings/settings.selectors.ts b/apps/chat/src/store/settings/settings.selectors.ts
@@ -248,6 +248,9 @@ const selectAttachmentsSettings = (state: RootState) =>
 const selectHiddenEntityTag = (state: RootState) =>
   rootSelector(state).hiddenEntityTag;
 
+const selectStageContentLimit = (state: RootState) =>
+  rootSelector(state).stageContentLimit;
+
 export const SettingsSelectors = {
   selectAppName,
   selectIsOverlay,
@@ -283,4 +286,5 @@ export const SettingsSelectors = {
   selectIsAuthDisabled,
   selectAttachmentsSettings,
   selectHiddenEntityTag,
+  selectStageContentLimit,
 };
diff --git a/apps/chat/src/store/settings/settings.types.ts b/apps/chat/src/store/settings/settings.types.ts
@@ -46,4 +46,5 @@ export interface SettingsState {
     borderlessTypes: string[];
     withoutTitleTypes: string[];
   };
+  stageContentLimit: number;
 }
diff --git a/apps/chat/src/utils/server/get-common-page-props.ts b/apps/chat/src/utils/server/get-common-page-props.ts
@@ -59,10 +59,13 @@ export const getCommonPageProps: GetServerSideProps = async ({
 }) => {
   const requestCSPHeaders = req.headers[HeadersNames.CONTENT_SECURITY_POLICY];
 
-  const cspHeaders = `${requestCSPHeaders ? requestCSPHeaders : getFrameContentSecurityPolicyDirectives(process.env.ALLOWED_IFRAME_ORIGINS, process.env.ALLOWED_IFRAME_SOURCES)}`;
+  const [cspHeader, nonce] = getFrameContentSecurityPolicyDirectives();
+
+  const cspHeaders = `${requestCSPHeaders ? requestCSPHeaders : cspHeader}`;
 
   const contentSecurityPolicyHeaderValue = cleanHeaderDirectives(cspHeaders);
 
+  res.setHeader('x-nonce', nonce);
   res.setHeader(
     HeadersNames.CONTENT_SECURITY_POLICY,
     contentSecurityPolicyHeaderValue,
@@ -182,6 +185,9 @@ export const getCommonPageProps: GetServerSideProps = async ({
         [],
       ),
     },
+    stageContentLimit: parseFloat(
+      process.env.NEXT_PUBLIC_STAGE_CONTENT_LIMIT || '40',
+    ),
   };
 
   if (isIsolatedView) {
diff --git a/apps/chat/src/utils/server/headers-helpers.ts b/apps/chat/src/utils/server/headers-helpers.ts
@@ -1,27 +1,39 @@
+'use server';
 export const cleanHeaderDirectives = (directives: string) =>
   directives.replace(/\s{2,}/g, ' ').trim();
 
+const insertSelf = (str: string) => `'self' ${str.replaceAll("'self'", '')}`;
 /**
  *
  * @param frameAncestors sources for the 'frame-ancestors' directive from the 'process.env.ALLOWED_IFRAME_ORIGINS'
  * @param frameSrc sources for the 'frame-src' directive from the 'process.env.ALLOWED_IFRAME_SOURCES'
  * @param disabled if 'true' will set 'none' for both directives
  * @returns
  */
-export const getFrameContentSecurityPolicyDirectives = (
-  frameAncestors: string | undefined,
-  frameSrc: string | undefined,
-  disabled?: boolean,
-) => {
+export const getFrameContentSecurityPolicyDirectives = (disabled = false) => {
+  const frameAncestors = process.env.ALLOWED_IFRAME_ORIGINS;
+  const frameSrc = process.env.ALLOWED_IFRAME_SOURCES;
+  const scriptSrc = process.env.ALLOWED_SCRIPT_SOURCES;
+  const isDev = process.env.NODE_ENV === 'development';
+  const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
+  const allowedScriptsSrc = insertSelf(
+    scriptSrc ?? `${frameAncestors ?? ''} ${frameSrc ?? ''}`,
+  );
   const ancestorsDirective =
-    frameAncestors && !disabled
-      ? `frame-ancestors 'self' ${frameAncestors.replace("'self'", '')}`
-      : "frame-ancestors 'none'";
+    frameAncestors && !disabled ? insertSelf(frameAncestors) : "'none'";
 
   const frameSrcDirective =
-    frameSrc && !disabled
-      ? `frame-src 'self' ${frameSrc.replace("'self'", '')}`
-      : "frame-src 'none'";
+    frameSrc && !disabled ? insertSelf(frameSrc) : "'none'";
 
-  return `${ancestorsDirective}; ${frameSrcDirective};`;
+  return [
+    `
+    object-src 'none';
+    base-uri 'self';
+    script-src ${allowedScriptsSrc} https://cdn.jsdelivr.net/npm/monaco-editor@0.54.0/ 'nonce-${nonce}' ${isDev ? "'unsafe-eval'" : ''};
+    worker-src 'self' blob:;
+    frame-ancestors ${ancestorsDirective};
+    frame-src ${frameSrcDirective};
+`,
+    nonce,
+  ];
 };
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
diff --git a/trivy.yaml b/trivy.yaml
