Add ContentSecurityPolicyNonceManager
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This commit is contained in:
parent
9e6634814e
commit
38b3ac8213
9 changed files with 130 additions and 4 deletions
|
@ -47,7 +47,7 @@ $linkToJs = \OC::$server->getURLGenerator()->linkToRoute(
|
|||
'script',
|
||||
[
|
||||
'src' => $linkToJs,
|
||||
'nonce' => base64_encode(\OC::$server->getCsrfTokenManager()->getToken()->getEncryptedValue())
|
||||
'nonce' => \OC::$server->getContentSecurityPolicyNonceManager()->getNonce()
|
||||
], ''
|
||||
);
|
||||
|
||||
|
|
|
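Review bot: The new `'nonce' => \OC::$server->getContentSecurityPolicyNonceManager()->getNonce()` value only has an effect if the response's `Content-Security-Policy` header carries the matching `'nonce-<value>'` source, and none of the nine files in this commit appear to touch the header side, so as far as the visible hunks show the attribute is emitted but not yet enforced. The same applies to the three template hunks (`@ -19,7`, `@ -20,7`, `@ -27,7`), which swap the inline `base64_encode($_['requesttoken'])` for the same manager call. If the header is populated in a follow-up, the manager's per-request caching is what keeps both places in sync; a one-line comment at this call site would help, e.g. `// must be the same value the CSP header allow-lists as 'nonce-…'`. The enclosing statement starts before this hunk.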
@ -19,7 +19,7 @@
|
|||
<link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>" media="print">
|
||||
<?php endforeach; ?>
|
||||
<?php foreach ($_['jsfiles'] as $jsfile): ?>
|
||||
<script src="<?php print_unescaped($jsfile); ?>" nonce="<?php p(base64_encode($_['requesttoken'])) ?>"></script>
|
||||
<script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" src="<?php print_unescaped($jsfile); ?>"></script>
|
||||
<?php endforeach; ?>
|
||||
<?php print_unescaped($_['headers']); ?>
|
||||
</head>
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
<link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>" media="print">
|
||||
<?php endforeach; ?>
|
||||
<?php foreach($_['jsfiles'] as $jsfile): ?>
|
||||
<script nonce="<?php p(base64_encode($_['requesttoken'])) ?>" src="<?php print_unescaped($jsfile); ?>"></script>
|
||||
<script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" src="<?php print_unescaped($jsfile); ?>"></script>
|
||||
<?php endforeach; ?>
|
||||
<?php print_unescaped($_['headers']); ?>
|
||||
</head>
|
||||
|
|
|
@ -27,7 +27,7 @@
|
|||
<link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>" media="print">
|
||||
<?php endforeach; ?>
|
||||
<?php foreach($_['jsfiles'] as $jsfile): ?>
|
||||
<script nonce="<?php p(base64_encode($_['requesttoken'])) ?>" src="<?php print_unescaped($jsfile); ?>"></script>
|
||||
<script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" src="<?php print_unescaped($jsfile); ?>"></script>
|
||||
<?php endforeach; ?>
|
||||
<?php print_unescaped($_['headers']); ?>
|
||||
</head>
|
||||
|
|
|
@ -674,6 +674,7 @@ return array(
|
|||
'OC\\Security\\Bruteforce\\Throttler' => $baseDir . '/lib/private/Security/Bruteforce/Throttler.php',
|
||||
'OC\\Security\\CSP\\ContentSecurityPolicy' => $baseDir . '/lib/private/Security/CSP/ContentSecurityPolicy.php',
|
||||
'OC\\Security\\CSP\\ContentSecurityPolicyManager' => $baseDir . '/lib/private/Security/CSP/ContentSecurityPolicyManager.php',
|
||||
'OC\\Security\\CSP\\ContentSecurityPolicyNounceManager' => $baseDir . '/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php',
|
||||
'OC\\Security\\CSRF\\CsrfToken' => $baseDir . '/lib/private/Security/CSRF/CsrfToken.php',
|
||||
'OC\\Security\\CSRF\\CsrfTokenGenerator' => $baseDir . '/lib/private/Security/CSRF/CsrfTokenGenerator.php',
|
||||
'OC\\Security\\CSRF\\CsrfTokenManager' => $baseDir . '/lib/private/Security/CSRF/CsrfTokenManager.php',
|
||||
|
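Review bot: The classmap key on the added line reads `OC\\Security\\CSP\\ContentSecurityPolicyNounceManager` while the file it points to, and the class declared in it later in this commit, is `ContentSecurityPolicyNonceManager`; the `@ -704,6` hunk of the static autoloader carries the same typo. A lookup for the real class name will miss this entry, so loading presumably only succeeds through whatever fallback autoloading covers `OC\`. Both lines should read `'OC\\Security\\CSP\\ContentSecurityPolicyNonceManager' => …`; since these files are composer output, regenerating them with the dump-autoload step would yield the correct key instead of a hand edit.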
|
|
@ -704,6 +704,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
|
|||
'OC\\Security\\Bruteforce\\Throttler' => __DIR__ . '/../../..' . '/lib/private/Security/Bruteforce/Throttler.php',
|
||||
'OC\\Security\\CSP\\ContentSecurityPolicy' => __DIR__ . '/../../..' . '/lib/private/Security/CSP/ContentSecurityPolicy.php',
|
||||
'OC\\Security\\CSP\\ContentSecurityPolicyManager' => __DIR__ . '/../../..' . '/lib/private/Security/CSP/ContentSecurityPolicyManager.php',
|
||||
'OC\\Security\\CSP\\ContentSecurityPolicyNounceManager' => __DIR__ . '/../../..' . '/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php',
|
||||
'OC\\Security\\CSRF\\CsrfToken' => __DIR__ . '/../../..' . '/lib/private/Security/CSRF/CsrfToken.php',
|
||||
'OC\\Security\\CSRF\\CsrfTokenGenerator' => __DIR__ . '/../../..' . '/lib/private/Security/CSRF/CsrfTokenGenerator.php',
|
||||
'OC\\Security\\CSRF\\CsrfTokenManager' => __DIR__ . '/../../..' . '/lib/private/Security/CSRF/CsrfTokenManager.php',
|
||||
|
|
|
@ -0,0 +1,54 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OC\Security\CSP;
|
||||
|
||||
use OC\Security\CSRF\CsrfTokenManager;
|
||||
|
||||
/**
|
||||
* @package OC\Security\CSP
|
||||
*/
|
||||
class ContentSecurityPolicyNonceManager {
|
||||
/** @var CsrfTokenManager */
|
||||
private $csrfTokenManager;
|
||||
/** @var string */
|
||||
private $nonce = '';
|
||||
|
||||
/**
|
||||
* @param CsrfTokenManager $csrfTokenManager
|
||||
*/
|
||||
public function __construct(CsrfTokenManager $csrfTokenManager) {
|
||||
$this->csrfTokenManager = $csrfTokenManager;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the current CSP nounce
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getNonce() {
|
||||
if($this->nonce === '') {
|
||||
$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
|
||||
}
|
||||
|
||||
return $this->nonce;
|
||||
}
|
||||
}
|
|
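Review bot: The docblock on `getNonce()` says "current CSP nounce" (should be "nonce"), and neither it nor the class docblock explains the one non-obvious thing in the class: the value is computed once per instance so that the CSP header and every `nonce` attribute in a single response carry the identical string (the test added in this commit pins that `getEncryptedValue()` is consulted only once across two calls). Suggested method docblock: `Returns the CSP nonce for the current request. The value is derived from the encrypted CSRF token and cached on first call so that the same nonce can be placed in the Content-Security-Policy header and in every nonce attribute of the response.` Because the nonce is the base64 of the CSRF token's encrypted value, the two mechanisms are coupled — the nonce attribute in the markup is also a CSRF token value; that coupling pre-dates this commit (the removed template lines did the same) but deserves a sentence in the class docblock so it is not lost if the nonce source is changed later. `@return string` could become a native `: string` return type if the codebase's PHP baseline allows it.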
@ -73,6 +73,7 @@ use OC\Security\Bruteforce\Throttler;
|
|||
use OC\Security\CertificateManager;
|
||||
use OC\Security\CSP\ContentSecurityPolicyManager;
|
||||
use OC\Security\Crypto;
|
||||
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
|
||||
use OC\Security\CSRF\CsrfTokenGenerator;
|
||||
use OC\Security\CSRF\CsrfTokenManager;
|
||||
use OC\Security\CSRF\TokenStorage\SessionStorage;
|
||||
|
@ -708,6 +709,11 @@ class Server extends ServerContainer implements IServerContainer {
|
|||
$this->registerService('ContentSecurityPolicyManager', function (Server $c) {
|
||||
return new ContentSecurityPolicyManager();
|
||||
});
|
||||
$this->registerService('ContentSecurityPolicyNonceManager', function(Server $c) {
|
||||
return new ContentSecurityPolicyNonceManager(
|
||||
$c->getCsrfTokenManager()
|
||||
);
|
||||
});
|
||||
$this->registerService('ShareManager', function(Server $c) {
|
||||
$config = $c->getConfig();
|
||||
$factoryClass = $config->getSystemValue('sharing.managerFactory', '\OC\Share20\ProviderFactory');
|
||||
|
@ -1405,6 +1411,13 @@ class Server extends ServerContainer implements IServerContainer {
|
|||
return $this->query('ContentSecurityPolicyManager');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return ContentSecurityPolicyNonceManager
|
||||
*/
|
||||
public function getContentSecurityPolicyNonceManager() {
|
||||
return $this->query('ContentSecurityPolicyNonceManager');
|
||||
}
|
||||
|
||||
/**
|
||||
* Not a public API as of 8.2, wait for 9.0
|
||||
*
|
||||
|
|
|
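Review bot: The new `use OC\Security\CSP\ContentSecurityPolicyNonceManager;` in the `@ -73,6` hunk is inserted after `use OC\Security\Crypto;`, breaking the otherwise sorted import list; it belongs directly under `use OC\Security\CSP\ContentSecurityPolicyManager;`. In the `@ -708,6` hunk the new registration is written `function(Server $c)` while the adjacent `ContentSecurityPolicyManager` registration on the line above uses `function (Server $c)`; pick one spacing. The `getContentSecurityPolicyNonceManager()` getter in the `@ -1405,6` hunk is added to `Server` only as far as this diff shows — if it is meant to be reachable through `IServerContainer`, that interface is not touched here.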
@ -0,0 +1,57 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace Test\Security\CSP;
|
||||
|
||||
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
|
||||
use OC\Security\CSRF\CsrfToken;
|
||||
use OC\Security\CSRF\CsrfTokenManager;
|
||||
use Test\TestCase;
|
||||
|
||||
class ContentSecurityPolicyNonceManagerTest extends TestCase {
|
||||
/** @var CsrfTokenManager */
|
||||
private $csrfTokenManager;
|
||||
/** @var ContentSecurityPolicyNonceManager */
|
||||
private $nonceManager;
|
||||
|
||||
public function setUp() {
|
||||
$this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
|
||||
$this->nonceManager = new ContentSecurityPolicyNonceManager(
|
||||
$this->csrfTokenManager
|
||||
);
|
||||
}
|
||||
|
||||
public function testGetNonce() {
|
||||
$token = $this->createMock(CsrfToken::class);
|
||||
$token
|
||||
->expects($this->once())
|
||||
->method('getEncryptedValue')
|
||||
->willReturn('MyToken');
|
||||
|
||||
$this->csrfTokenManager
|
||||
->expects($this->once())
|
||||
->method('getToken')
|
||||
->willReturn($token);
|
||||
|
||||
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
|
||||
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
|
||||
}
|
||||
}
|
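Review bot: `setUp()` does not call `parent::setUp()`, so whatever `Test\TestCase::setUp()` does per test is skipped for this class; unless the base method is known to be a no-op, start it with `parent::setUp();`. Calling `getNonce()` twice against a `once()` expectation on `getEncryptedValue` is the right way to pin the memoisation, but the test name does not say so — `testGetNonceIsCachedPerInstance`, or a short comment above the second `assertSame` such as `// second call must reuse the cached value, not consult the token again`, would make the intent explicit.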