Add support for CSP_NONCE server variable
Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server. Signed-off-by: Sam Bull <git@sambull.org> Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
parent
3d0e0f2353
commit
ea935f65fd
|
@ -58,7 +58,11 @@ class ContentSecurityPolicyNonceManager {
|
||||||
*/
|
*/
|
||||||
public function getNonce(): string {
|
public function getNonce(): string {
|
||||||
if($this->nonce === '') {
|
if($this->nonce === '') {
|
||||||
$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
|
if (empty($this->request->server['CSP_NONCE'])) {
|
||||||
|
$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
|
||||||
|
} else {
|
||||||
|
$this->nonce = $this->request->server['CSP_NONCE'];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->nonce;
|
return $this->nonce;
|
||||||
|
|
|
@ -21,23 +21,26 @@
|
||||||
|
|
||||||
namespace Test\Security\CSP;
|
namespace Test\Security\CSP;
|
||||||
|
|
||||||
|
use OC\AppFramework\Http\Request;
|
||||||
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
|
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
|
||||||
use OC\Security\CSRF\CsrfToken;
|
use OC\Security\CSRF\CsrfToken;
|
||||||
use OC\Security\CSRF\CsrfTokenManager;
|
use OC\Security\CSRF\CsrfTokenManager;
|
||||||
use OCP\IRequest;
|
|
||||||
use Test\TestCase;
|
use Test\TestCase;
|
||||||
|
|
||||||
class ContentSecurityPolicyNonceManagerTest extends TestCase {
|
class ContentSecurityPolicyNonceManagerTest extends TestCase {
|
||||||
/** @var CsrfTokenManager */
|
/** @var CsrfTokenManager */
|
||||||
private $csrfTokenManager;
|
private $csrfTokenManager;
|
||||||
|
/** @var Request */
|
||||||
|
private $request;
|
||||||
/** @var ContentSecurityPolicyNonceManager */
|
/** @var ContentSecurityPolicyNonceManager */
|
||||||
private $nonceManager;
|
private $nonceManager;
|
||||||
|
|
||||||
public function setUp() {
|
public function setUp() {
|
||||||
$this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
|
$this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
|
||||||
|
$this->request = $this->createMock(Request::class);
|
||||||
$this->nonceManager = new ContentSecurityPolicyNonceManager(
|
$this->nonceManager = new ContentSecurityPolicyNonceManager(
|
||||||
$this->csrfTokenManager,
|
$this->csrfTokenManager,
|
||||||
$this->createMock(IRequest::class)
|
$this->request
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -56,4 +59,20 @@ class ContentSecurityPolicyNonceManagerTest extends TestCase {
|
||||||
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
|
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
|
||||||
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
|
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testGetNonceServerVar() {
|
||||||
|
$token = 'SERVERNONCE';
|
||||||
|
$this->request
|
||||||
|
->method('__isset')
|
||||||
|
->with('server')
|
||||||
|
->willReturn(true);
|
||||||
|
|
||||||
|
$this->request
|
||||||
|
->method('__get')
|
||||||
|
->with('server')
|
||||||
|
->willReturn(['CSP_NONCE' => $token]);
|
||||||
|
|
||||||
|
$this->assertSame($token, $this->nonceManager->getNonce());
|
||||||
|
$this->assertSame($token, $this->nonceManager->getNonce());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue