mirrors
/
sonarqube
镜像来自 https://github.com/SonarSource/sonarqube.git
關註 1
收藏 0
複製 0
程式碼 問題管理 0 版本發佈 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36353 Commit
59 分支
目錄樹: 6055f04793
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from '6055f04793'
${ noResults }
sonarqube/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java

SamlValidationCspHeaders.java 2.1KB
原始文件 Blame 文件歷史

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2024 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.authentication;

  21. 

  22. import java.math.BigInteger;

  23. import java.security.SecureRandom;

  24. import java.util.List;

  25. import org.sonar.api.server.http.HttpResponse;

  26. 

  27. public class SamlValidationCspHeaders {

  28. 

  29.   private SamlValidationCspHeaders() {

  30.     throw new IllegalStateException("Utility class, cannot be instantiated");

  31.   }

  32. 

  33.   public static String addCspHeadersWithNonceToResponse(HttpResponse httpResponse) {

  34.     final String nonce = getNonce();

  35. 

  36.     List<String> cspPolicies = List.of(

  37.       "default-src 'self'",

  38.       "base-uri 'none'",

  39.       "connect-src 'self' http: https:",

  40.       "font-src 'self' data:;" +

  41.       "img-src * data: blob:",

  42.       "object-src 'none'",

  43.       "script-src 'nonce-" + nonce + "'",

  44.       "style-src 'self' 'unsafe-inline'",

  45.       "worker-src 'none'");

  46.     String policies = String.join("; ", cspPolicies).trim();

  47. 

  48.     List<String> cspHeaders = List.of("Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP");

  49.     cspHeaders.forEach(header -> httpResponse.setHeader(header, policies));

  50.     return nonce;

  51.   }

  52. 

  53.   private static String getNonce() {

  54.     // this code is the same as in org.sonar.server.authentication.JwtCsrfVerifier.generateState

  55.     return new BigInteger(130, new SecureRandom()).toString(32);

  56.   }

  57. }