mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 1008 Wiki Activity
Browse Source

Add support for CSP_NONCE server variable 

Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server.

Signed-off-by: Sam Bull <git@sambull.org>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
tags/v17.0.0beta1
Sam Bull 5 years ago
parent
3d0e0f2353
commit
ea935f65fd
No account linked to committer's email address
2 changed files with 26 additions and 3 deletions
Split View Show Diff Stats
  1. 5
    1
      lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
  2. 21
    2
      tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php

+ 5
- 1
lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php View File

@@ -58,7 +58,11 @@ class ContentSecurityPolicyNonceManager {
*/
public function getNonce(): string {
if($this->nonce === '') {
$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
if (empty($this->request->server['CSP_NONCE'])) {
$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
} else {
$this->nonce = $this->request->server['CSP_NONCE'];
}
}

return $this->nonce;

+ 21
- 2
tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php View File

@@ -21,23 +21,26 @@

namespace Test\Security\CSP;

use OC\AppFramework\Http\Request;
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
use OC\Security\CSRF\CsrfToken;
use OC\Security\CSRF\CsrfTokenManager;
use OCP\IRequest;
use Test\TestCase;

class ContentSecurityPolicyNonceManagerTest extends TestCase {
/** @var CsrfTokenManager */
private $csrfTokenManager;
/** @var Request */
private $request;
/** @var ContentSecurityPolicyNonceManager */
private $nonceManager;

public function setUp() {
$this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
$this->request = $this->createMock(Request::class);
$this->nonceManager = new ContentSecurityPolicyNonceManager(
$this->csrfTokenManager,
$this->createMock(IRequest::class)
$this->request
);
}

@@ -56,4 +59,20 @@ class ContentSecurityPolicyNonceManagerTest extends TestCase {
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
}

public function testGetNonceServerVar() {
$token = 'SERVERNONCE';
$this->request
->method('__isset')
->with('server')
->willReturn(true);

$this->request
->method('__get')
->with('server')
->willReturn(['CSP_NONCE' => $token]);

$this->assertSame($token, $this->nonceManager->getNonce());
$this->assertSame($token, $this->nonceManager->getNonce());
}
}

Write Preview
Loading…
Cancel
Save