'OC\\AppFramework\\Middleware\\PublicShare\\PublicShareMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/PublicShare/PublicShareMiddleware.php',
'OC\\AppFramework\\Middleware\\Security\\BruteForceMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php',
'OC\\AppFramework\\Middleware\\Security\\CORSMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php',
+ 'OC\\AppFramework\\Middleware\\Security\\CSPMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\AppNotEnabledException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/AppNotEnabledException.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/CrossSiteRequestForgeryException.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\LaxSameSiteCookieFailedException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/LaxSameSiteCookieFailedException.php',
'OC\\AppFramework\\Middleware\\PublicShare\\PublicShareMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/PublicShare/PublicShareMiddleware.php',
'OC\\AppFramework\\Middleware\\Security\\BruteForceMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php',
'OC\\AppFramework\\Middleware\\Security\\CORSMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php',
+ 'OC\\AppFramework\\Middleware\\Security\\CSPMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\AppNotEnabledException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/AppNotEnabledException.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/CrossSiteRequestForgeryException.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\LaxSameSiteCookieFailedException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/LaxSameSiteCookieFailedException.php',
$server->getUserSession()->isLoggedIn(),
$server->getGroupManager()->isAdmin($this->getUserId()),
$server->getUserSession()->getUser() !== null && $server->query(ISubAdmin::class)->isSubAdmin($server->getUserSession()->getUser()),
- $server->getContentSecurityPolicyManager(),
- $server->getCsrfTokenManager(),
- $server->getContentSecurityPolicyNonceManager(),
$server->getAppManager(),
$server->getL10N('lib')
);
$dispatcher->registerMiddleware($securityMiddleware);
+ $dispatcher->registerMiddleware(
+ new OC\AppFramework\Middleware\Security\CSPMiddleware(
+ $server->query(OC\Security\CSP\ContentSecurityPolicyManager::class),
+ $server->query(OC\Security\CSP\ContentSecurityPolicyNonceManager::class),
+ $server->query(OC\Security\CSRF\CsrfTokenManager::class)
+ )
+ );
$dispatcher->registerMiddleware(
new OC\AppFramework\Middleware\Security\PasswordConfirmationMiddleware(
$c->query(IControllerMethodReflector::class),
--- /dev/null
+<?php
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2019, Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @author Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\AppFramework\Middleware\Security;
+
+use OC\Security\CSP\ContentSecurityPolicyManager;
+use OC\Security\CSP\ContentSecurityPolicyNonceManager;
+use OC\Security\CSRF\CsrfTokenManager;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\ContentSecurityPolicy;
+use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
+use OCP\AppFramework\Http\Response;
+use OCP\AppFramework\Middleware;
+
+class CSPMiddleware extends Middleware {
+
+ /** @var ContentSecurityPolicyManager */
+ private $contentSecurityPolicyManager;
+ /** @var ContentSecurityPolicyNonceManager */
+ private $cspNonceManager;
+ /** @var CsrfTokenManager */
+ private $csrfTokenManager;
+
+ public function __construct(ContentSecurityPolicyManager $policyManager,
+ ContentSecurityPolicyNonceManager $cspNonceManager,
+ CsrfTokenManager $csrfTokenManager) {
+ $this->contentSecurityPolicyManager = $policyManager;
+ $this->cspNonceManager = $cspNonceManager;
+ $this->csrfTokenManager = $csrfTokenManager;
+ }
+
+ /**
+ * Performs the default CSP modifications that may be injected by other
+ * applications
+ *
+ * @param Controller $controller
+ * @param string $methodName
+ * @param Response $response
+ * @return Response
+ */
+ public function afterController($controller, $methodName, Response $response): Response {
+ $policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
+
+ if (get_class($policy) === EmptyContentSecurityPolicy::class) {
+ return $response;
+ }
+
+ $defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
+ $defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
+
+ if($this->cspNonceManager->browserSupportsCspV3()) {
+ $defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue());
+ }
+
+ $response->setContentSecurityPolicy($defaultPolicy);
+
+ return $response;
+ }
+}
private $isAdminUser;
/** @var bool */
private $isSubAdmin;
- /** @var ContentSecurityPolicyManager */
- private $contentSecurityPolicyManager;
- /** @var CsrfTokenManager */
- private $csrfTokenManager;
- /** @var ContentSecurityPolicyNonceManager */
- private $cspNonceManager;
/** @var IAppManager */
private $appManager;
/** @var IL10N */
bool $isLoggedIn,
bool $isAdminUser,
bool $isSubAdmin,
- ContentSecurityPolicyManager $contentSecurityPolicyManager,
- CsrfTokenManager $csrfTokenManager,
- ContentSecurityPolicyNonceManager $cspNonceManager,
IAppManager $appManager,
IL10N $l10n
) {
$this->isLoggedIn = $isLoggedIn;
$this->isAdminUser = $isAdminUser;
$this->isSubAdmin = $isSubAdmin;
- $this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
- $this->csrfTokenManager = $csrfTokenManager;
- $this->cspNonceManager = $cspNonceManager;
$this->appManager = $appManager;
$this->l10n = $l10n;
}
}
}
- /**
- * Performs the default CSP modifications that may be injected by other
- * applications
- *
- * @param Controller $controller
- * @param string $methodName
- * @param Response $response
- * @return Response
- */
- public function afterController($controller, $methodName, Response $response): Response {
- $policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
-
- if (get_class($policy) === EmptyContentSecurityPolicy::class) {
- return $response;
- }
-
- $defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
- $defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
-
- if($this->cspNonceManager->browserSupportsCspV3()) {
- $defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue());
- }
-
- $response->setContentSecurityPolicy($defaultPolicy);
-
- return $response;
- }
-
/**
* If an SecurityException is being caught, ajax requests return a JSON error
* response and non ajax requests redirect to the index
--- /dev/null
+<?php
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2019, Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @author Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace Test\AppFramework\Middleware\Security;
+
+use OC\AppFramework\Middleware\Security\CSPMiddleware;
+use OC\Security\CSP\ContentSecurityPolicy;
+use OC\Security\CSP\ContentSecurityPolicyManager;
+use OC\Security\CSP\ContentSecurityPolicyNonceManager;
+use OC\Security\CSRF\CsrfToken;
+use OC\Security\CSRF\CsrfTokenManager;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
+use OCP\AppFramework\Http\Response;
+use PHPUnit\Framework\MockObject\MockObject;
+
+class CSPMiddlewareTest extends \Test\TestCase {
+
+ /** @var CSPMiddleware|MockObject */
+ private $middleware;
+ /** @var Controller|MockObject */
+ private $controller;
+ /** @var ContentSecurityPolicyManager|MockObject */
+ private $contentSecurityPolicyManager;
+ /** @var CsrfTokenManager|MockObject */
+ private $csrfTokenManager;
+ /** @var ContentSecurityPolicyNonceManager|MockObject */
+ private $cspNonceManager;
+
+ protected function setUp() {
+ parent::setUp();
+
+ $this->controller = $this->createMock(Controller::class);
+ $this->contentSecurityPolicyManager = $this->createMock(ContentSecurityPolicyManager::class);
+ $this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
+ $this->cspNonceManager = $this->createMock(ContentSecurityPolicyNonceManager::class);
+ $this->middleware = new CSPMiddleware(
+ $this->contentSecurityPolicyManager,
+ $this->cspNonceManager,
+ $this->csrfTokenManager
+ );
+ }
+
+ public function testAfterController() {
+ $this->cspNonceManager
+ ->expects($this->once())
+ ->method('browserSupportsCspV3')
+ ->willReturn(false);
+ $response = $this->createMock(Response::class);
+ $defaultPolicy = new ContentSecurityPolicy();
+ $defaultPolicy->addAllowedImageDomain('defaultpolicy');
+ $currentPolicy = new ContentSecurityPolicy();
+ $currentPolicy->addAllowedConnectDomain('currentPolicy');
+ $mergedPolicy = new ContentSecurityPolicy();
+ $mergedPolicy->addAllowedMediaDomain('mergedPolicy');
+ $response
+ ->expects($this->exactly(2))
+ ->method('getContentSecurityPolicy')
+ ->willReturn($currentPolicy);
+ $this->contentSecurityPolicyManager
+ ->expects($this->once())
+ ->method('getDefaultPolicy')
+ ->willReturn($defaultPolicy);
+ $this->contentSecurityPolicyManager
+ ->expects($this->once())
+ ->method('mergePolicies')
+ ->with($defaultPolicy, $currentPolicy)
+ ->willReturn($mergedPolicy);
+ $response->expects($this->once())
+ ->method('setContentSecurityPolicy')
+ ->with($mergedPolicy);
+
+ $this->middleware->afterController($this->controller, 'test', $response);
+ }
+
+ public function testAfterControllerEmptyCSP() {
+ $response = $this->createMock(Response::class);
+ $emptyPolicy = new EmptyContentSecurityPolicy();
+ $response->expects($this->any())
+ ->method('getContentSecurityPolicy')
+ ->willReturn($emptyPolicy);
+ $response->expects($this->never())
+ ->method('setContentSecurityPolicy');
+
+ $this->middleware->afterController($this->controller, 'test', $response);
+ }
+
+ public function testAfterControllerWithContentSecurityPolicy3Support() {
+ $this->cspNonceManager
+ ->expects($this->once())
+ ->method('browserSupportsCspV3')
+ ->willReturn(true);
+ $token = $this->createMock(CsrfToken::class);
+ $token
+ ->expects($this->once())
+ ->method('getEncryptedValue')
+ ->willReturn('MyEncryptedToken');
+ $this->csrfTokenManager
+ ->expects($this->once())
+ ->method('getToken')
+ ->willReturn($token);
+ $response = $this->createMock(Response::class);
+ $defaultPolicy = new ContentSecurityPolicy();
+ $defaultPolicy->addAllowedImageDomain('defaultpolicy');
+ $currentPolicy = new ContentSecurityPolicy();
+ $currentPolicy->addAllowedConnectDomain('currentPolicy');
+ $mergedPolicy = new ContentSecurityPolicy();
+ $mergedPolicy->addAllowedMediaDomain('mergedPolicy');
+ $response
+ ->expects($this->exactly(2))
+ ->method('getContentSecurityPolicy')
+ ->willReturn($currentPolicy);
+ $this->contentSecurityPolicyManager
+ ->expects($this->once())
+ ->method('getDefaultPolicy')
+ ->willReturn($defaultPolicy);
+ $this->contentSecurityPolicyManager
+ ->expects($this->once())
+ ->method('mergePolicies')
+ ->with($defaultPolicy, $currentPolicy)
+ ->willReturn($mergedPolicy);
+ $response->expects($this->once())
+ ->method('setContentSecurityPolicy')
+ ->with($mergedPolicy);
+
+ $this->assertEquals($response, $this->middleware->afterController($this->controller, 'test', $response));
+ }
+}
private $navigationManager;
/** @var IURLGenerator|\PHPUnit_Framework_MockObject_MockObject */
private $urlGenerator;
- /** @var ContentSecurityPolicyManager|\PHPUnit_Framework_MockObject_MockObject */
- private $contentSecurityPolicyManager;
- /** @var CsrfTokenManager|\PHPUnit_Framework_MockObject_MockObject */
- private $csrfTokenManager;
- /** @var ContentSecurityPolicyNonceManager|\PHPUnit_Framework_MockObject_MockObject */
- private $cspNonceManager;
/** @var IAppManager|\PHPUnit_Framework_MockObject_MockObject */
private $appManager;
/** @var IL10N|\PHPUnit_Framework_MockObject_MockObject */
$this->navigationManager = $this->createMock(INavigationManager::class);
$this->urlGenerator = $this->createMock(IURLGenerator::class);
$this->request = $this->createMock(IRequest::class);
- $this->contentSecurityPolicyManager = $this->createMock(ContentSecurityPolicyManager::class);
- $this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
- $this->cspNonceManager = $this->createMock(ContentSecurityPolicyNonceManager::class);
$this->l10n = $this->createMock(IL10N::class);
$this->middleware = $this->getMiddleware(true, true, false);
$this->secException = new SecurityException('hey', false);
$isLoggedIn,
$isAdminUser,
$isSubAdmin,
- $this->contentSecurityPolicyManager,
- $this->csrfTokenManager,
- $this->cspNonceManager,
$this->appManager,
$this->l10n
);
$this->assertTrue($response instanceof JSONResponse);
}
- public function testAfterController() {
- $this->cspNonceManager
- ->expects($this->once())
- ->method('browserSupportsCspV3')
- ->willReturn(false);
- $response = $this->createMock(Response::class);
- $defaultPolicy = new ContentSecurityPolicy();
- $defaultPolicy->addAllowedImageDomain('defaultpolicy');
- $currentPolicy = new ContentSecurityPolicy();
- $currentPolicy->addAllowedConnectDomain('currentPolicy');
- $mergedPolicy = new ContentSecurityPolicy();
- $mergedPolicy->addAllowedMediaDomain('mergedPolicy');
- $response
- ->expects($this->exactly(2))
- ->method('getContentSecurityPolicy')
- ->willReturn($currentPolicy);
- $this->contentSecurityPolicyManager
- ->expects($this->once())
- ->method('getDefaultPolicy')
- ->willReturn($defaultPolicy);
- $this->contentSecurityPolicyManager
- ->expects($this->once())
- ->method('mergePolicies')
- ->with($defaultPolicy, $currentPolicy)
- ->willReturn($mergedPolicy);
- $response->expects($this->once())
- ->method('setContentSecurityPolicy')
- ->with($mergedPolicy);
-
- $this->middleware->afterController($this->controller, 'test', $response);
- }
-
- public function testAfterControllerEmptyCSP() {
- $response = $this->createMock(Response::class);
- $emptyPolicy = new EmptyContentSecurityPolicy();
- $response->expects($this->any())
- ->method('getContentSecurityPolicy')
- ->willReturn($emptyPolicy);
- $response->expects($this->never())
- ->method('setContentSecurityPolicy');
-
- $this->middleware->afterController($this->controller, 'test', $response);
- }
-
- public function testAfterControllerWithContentSecurityPolicy3Support() {
- $this->cspNonceManager
- ->expects($this->once())
- ->method('browserSupportsCspV3')
- ->willReturn(true);
- $token = $this->createMock(CsrfToken::class);
- $token
- ->expects($this->once())
- ->method('getEncryptedValue')
- ->willReturn('MyEncryptedToken');
- $this->csrfTokenManager
- ->expects($this->once())
- ->method('getToken')
- ->willReturn($token);
- $response = $this->createMock(Response::class);
- $defaultPolicy = new ContentSecurityPolicy();
- $defaultPolicy->addAllowedImageDomain('defaultpolicy');
- $currentPolicy = new ContentSecurityPolicy();
- $currentPolicy->addAllowedConnectDomain('currentPolicy');
- $mergedPolicy = new ContentSecurityPolicy();
- $mergedPolicy->addAllowedMediaDomain('mergedPolicy');
- $response
- ->expects($this->exactly(2))
- ->method('getContentSecurityPolicy')
- ->willReturn($currentPolicy);
- $this->contentSecurityPolicyManager
- ->expects($this->once())
- ->method('getDefaultPolicy')
- ->willReturn($defaultPolicy);
- $this->contentSecurityPolicyManager
- ->expects($this->once())
- ->method('mergePolicies')
- ->with($defaultPolicy, $currentPolicy)
- ->willReturn($mergedPolicy);
- $response->expects($this->once())
- ->method('setContentSecurityPolicy')
- ->with($mergedPolicy);
-
- $this->assertEquals($response, $this->middleware->afterController($this->controller, 'test', $response));
- }
-
public function dataRestrictedApp() {
return [
[false, false, false,],
projects / nextcloud-server.git / commitdiff