From 37a4282c7ae27c518ce7143be491a00a651e4f4a Mon Sep 17 00:00:00 2001 From: Roeland Jago Douma Date: Sat, 27 Jul 2019 16:04:51 +0200 Subject: Split up security middleware With upcoming work for the feature policy header. Splitting this in smaller classes that just do 1 thing makes sense. I rather have a few small classes that are tiny and do 1 thing right (and we all understand what is going on) than have big ones. Signed-off-by: Roeland Jago Douma --- .../Middleware/Security/CSPMiddleware.php | 80 ++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 lib/private/AppFramework/Middleware/Security/CSPMiddleware.php (limited to 'lib/private/AppFramework/Middleware/Security/CSPMiddleware.php') diff --git a/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php b/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php new file mode 100644 index 00000000000..0eaeda2b1bd --- /dev/null +++ b/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php @@ -0,0 +1,80 @@ + + * + * @author Roeland Jago Douma + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ + +namespace OC\AppFramework\Middleware\Security; + +use OC\Security\CSP\ContentSecurityPolicyManager; +use OC\Security\CSP\ContentSecurityPolicyNonceManager; +use OC\Security\CSRF\CsrfTokenManager; +use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\ContentSecurityPolicy; +use OCP\AppFramework\Http\EmptyContentSecurityPolicy; +use OCP\AppFramework\Http\Response; +use OCP\AppFramework\Middleware; + +class CSPMiddleware extends Middleware { + + /** @var ContentSecurityPolicyManager */ + private $contentSecurityPolicyManager; + /** @var ContentSecurityPolicyNonceManager */ + private $cspNonceManager; + /** @var CsrfTokenManager */ + private $csrfTokenManager; + + public function __construct(ContentSecurityPolicyManager $policyManager, + ContentSecurityPolicyNonceManager $cspNonceManager, + CsrfTokenManager $csrfTokenManager) { + $this->contentSecurityPolicyManager = $policyManager; + $this->cspNonceManager = $cspNonceManager; + $this->csrfTokenManager = $csrfTokenManager; + } + + /** + * Performs the default CSP modifications that may be injected by other + * applications + * + * @param Controller $controller + * @param string $methodName + * @param Response $response + * @return Response + */ + public function afterController($controller, $methodName, Response $response): Response { + $policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy(); + + if (get_class($policy) === EmptyContentSecurityPolicy::class) { + return $response; + } + + $defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy(); + $defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy); + + if($this->cspNonceManager->browserSupportsCspV3()) { + $defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue()); + } + + $response->setContentSecurityPolicy($defaultPolicy); + + return $response; + } +} -- cgit v1.2.3