Add support for CSP_NONCE server variable

Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server.

Signed-off-by: Sam Bull <git@sambull.org>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Sam Bull 2019-07-08 20:54:45 +01:00 committed by Roeland Jago Douma
parent 3d0e0f2353
commit ea935f65fd
No known key found for this signature in database
GPG Key ID: F941078878347C0C
2 changed files with 26 additions and 3 deletions

View File

@ -58,7 +58,11 @@ class ContentSecurityPolicyNonceManager {
*/
public function getNonce(): string {
if($this->nonce === '') {
if (empty($this->request->server['CSP_NONCE'])) {
$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
} else {
$this->nonce = $this->request->server['CSP_NONCE'];
}
}
return $this->nonce;

View File

@ -21,23 +21,26 @@
namespace Test\Security\CSP;
use OC\AppFramework\Http\Request;
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
use OC\Security\CSRF\CsrfToken;
use OC\Security\CSRF\CsrfTokenManager;
use OCP\IRequest;
use Test\TestCase;
class ContentSecurityPolicyNonceManagerTest extends TestCase {
/** @var CsrfTokenManager */
private $csrfTokenManager;
/** @var Request */
private $request;
/** @var ContentSecurityPolicyNonceManager */
private $nonceManager;
public function setUp() {
$this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
$this->request = $this->createMock(Request::class);
$this->nonceManager = new ContentSecurityPolicyNonceManager(
$this->csrfTokenManager,
$this->createMock(IRequest::class)
$this->request
);
}
@ -56,4 +59,20 @@ class ContentSecurityPolicyNonceManagerTest extends TestCase {
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
}
public function testGetNonceServerVar() {
$token = 'SERVERNONCE';
$this->request
->method('__isset')
->with('server')
->willReturn(true);
$this->request
->method('__get')
->with('server')
->willReturn(['CSP_NONCE' => $token]);
$this->assertSame($token, $this->nonceManager->getNonce());
$this->assertSame($token, $this->nonceManager->getNonce());
}
}