From 41f2d912d26b7155d61c921d4e53ee7d846522ed Mon Sep 17 00:00:00 2001
From: Daniel Calviño Sánchez <danxuliu@gmail.com>
Date: Thu, 4 May 2023 16:54:23 +0200
Subject: Allow "wasm-unsafe-eval" in CSP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a page has a Content Security Policy header and the `script-src` (or
`default-src`) directive does not contain neither `wasm-unsafe-eval` nor
`unsafe-eval` loading and executing WebAssembly is blocked in the page
(although it is still possible to load and execute WebAssembly in a
worker thread).

Although the Nextcloud classes to manage the CSP already supported
allowing `unsafe-eval` this affects not only WebAssembly, but also the
`eval` operation in JavaScript.

To make possible to allow WebAssembly execution without allowing
JavaScript `eval` this commit adds support for allowing
`wasm-unsafe-eval`.

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
---
 lib/public/AppFramework/Http/ContentSecurityPolicy.php |  2 ++
 .../AppFramework/Http/EmptyContentSecurityPolicy.php   | 18 +++++++++++++++++-
 .../AppFramework/Http/StrictContentSecurityPolicy.php  |  2 ++
 3 files changed, 21 insertions(+), 1 deletion(-)

(limited to 'lib/public/AppFramework/Http')

diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index 0e3a6a705d5..f17dd9bd270 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -44,6 +44,8 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 	protected $inlineScriptAllowed = false;
 	/** @var bool Whether eval in JS scripts is allowed */
 	protected $evalScriptAllowed = false;
+	/** @var bool Whether WebAssembly compilation is allowed */
+	protected ?bool $evalWasmAllowed = false;
 	/** @var bool Whether strict-dynamic should be set */
 	protected $strictDynamicAllowed = false;
 	/** @var array Domains from which scripts can get loaded */
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 035b4f01f60..7e1de2ef2eb 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -47,6 +47,8 @@ class EmptyContentSecurityPolicy {
 	 * @link https://github.com/owncloud/core/issues/11925
 	 */
 	protected $evalScriptAllowed = null;
+	/** @var bool Whether WebAssembly compilation is allowed */
+	protected ?bool $evalWasmAllowed = null;
 	/** @var array Domains from which scripts can get loaded */
 	protected $allowedScriptDomains = null;
 	/**
@@ -116,6 +118,17 @@ class EmptyContentSecurityPolicy {
 		return $this;
 	}
 
+	/**
+	 * Whether WebAssembly compilation is allowed or forbidden
+	 * @param bool $state
+	 * @return $this
+	 * @since 28.0.0
+	 */
+	public function allowEvalWasm(bool $state = true) {
+		$this->evalWasmAllowed = $state;
+		return $this;
+	}
+
 	/**
 	 * Allows to execute JavaScript files from a specific domain. Use * to
 	 * allow JavaScript from all domains.
@@ -433,7 +446,7 @@ class EmptyContentSecurityPolicy {
 		$policy .= "base-uri 'none';";
 		$policy .= "manifest-src 'self';";
 
-		if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed) {
+		if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) {
 			$policy .= 'script-src ';
 			if (is_string($this->useJsNonce)) {
 				if ($this->strictDynamicAllowed) {
@@ -453,6 +466,9 @@ class EmptyContentSecurityPolicy {
 			if ($this->evalScriptAllowed) {
 				$policy .= ' \'unsafe-eval\'';
 			}
+			if ($this->evalWasmAllowed) {
+				$policy .= ' \'wasm-unsafe-eval\'';
+			}
 			$policy .= ';';
 		}
 
diff --git a/lib/public/AppFramework/Http/StrictContentSecurityPolicy.php b/lib/public/AppFramework/Http/StrictContentSecurityPolicy.php
index ed137bad930..96c03673d5c 100644
--- a/lib/public/AppFramework/Http/StrictContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/StrictContentSecurityPolicy.php
@@ -46,6 +46,8 @@ class StrictContentSecurityPolicy extends EmptyContentSecurityPolicy {
 	protected $inlineScriptAllowed = false;
 	/** @var bool Whether eval in JS scripts is allowed */
 	protected $evalScriptAllowed = false;
+	/** @var bool Whether WebAssembly compilation is allowed */
+	protected ?bool $evalWasmAllowed = false;
 	/** @var array Domains from which scripts can get loaded */
 	protected $allowedScriptDomains = [
 		'\'self\'',
-- 
cgit v1.2.3