8000 [2.8][WebProfilerBundle] Fix bundle usage in Content-Security-Policy context by romainneutron · Pull Request #18434 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

[2.8][WebProfilerBundle] Fix bundle usage in Content-Security-Policy context #18434

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

[2.8][WebProfilerBundle] Fix bundle usage in Content-Security-Policy context #18434

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 26 additions & 9 deletions src/Symfony/Bundle/WebProfilerBundle/Controller/ProfilerController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@

namespace Symfony\Bundle\WebProfilerBundle\Controller;

use Symfony\Bundle\WebProfilerBundle\Csp\ContentSecurityPolicyHandler;
use Symfony\Bundle\WebProfilerBundle\Profiler\TemplateManager;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
Expand All @@ -33,6 +34,7 @@ class ProfilerController
private $twig;
private $templates;
private $toolbarPosition;
private $cspHandler;

/**
* Constructor.
Expand All @@ -43,13 +45,14 @@ class ProfilerController
* @param array $templates The templates
* @param string $toolbarPosition The toolbar position (top, bottom, normal, or null -- use the configuration)
*/
public function __construct(UrlGeneratorInterface $generator, Profiler $profiler = null, \Twig_Environment $twig, array $templates, $toolbarPosition = & 8000 #39;normal')
public function __construct(UrlGeneratorInterface $generator, Profiler $profiler = null, \Twig_Environment $twig, array $templates, $toolbarPosition = 'normal', ContentSecurityPolicyHandler $cspHandler = null)
{
$this->generator = $generator;
$this->profiler = $profiler;
$this->twig = $twig;
$this->templates = $templates;
$this->toolbarPosition = $toolbarPosition;
$this->cspHandler = $cspHandler;
}

/**
Expand Down Expand Up @@ -103,7 +106,7 @@ public function panelAction(Request $request, $token)
throw new NotFoundHttpException(sprintf('Panel "%s" is not available for token "%s".', $panel, $token));
}

return new Response($this->twig->render($this->getTemplateManager()->getName($profile, $panel), array(
return $this->renderWithCspNonces($request, $this->getTemplateManager()->getName($profile, $panel), array(
'token' => $token,
'profile' => $profile,
'collector' => $profile->getCollector($panel),
Expand All @@ -113,7 +116,7 @@ public function panelAction(Request $request, $token)
'templates' => $this->getTemplateManager()->getTemplates($profile),
'is_ajax' => $request->isXmlHttpRequest(),
'profiler_markup_version' => 2, // 1 = original profiler, 2 = Symfony 2.8+ profiler
)), 200, array('Content-Type' => 'text/html'));
));
}

/**
Expand Down Expand Up @@ -155,10 +158,10 @@ public function infoAction(Request $request, $about)

$this->profiler->disable();

return new Response($this->twig->render('@WebProfiler/Profiler/info.html.twig', array(
return $this->renderWithCspNonces($request, '@WebProfiler/Profiler/info.html.twig', array(
'about' => $about,
'request' => $request,
)), 200, array('Content-Type' => 'text/html'));
));
}

/**
Expand Down Expand Up @@ -206,15 +209,15 @@ public function toolbarAction(Request $request, $token)
// the profiler is not enabled
}

return new Response($this->twig->render('@WebProfiler/Profiler/toolbar.html.twig', array(
return $this->renderWithCspNonces($request, '@WebProfiler/Profiler/toolbar.html.twig', array(
'request' => $request,
'position' => $position,
'profile' => $profile,
'templates' => $this->getTemplateManager()->getTemplates($profile),
'profiler_url' => $url,
'token' => $token,
'profiler_markup_version' => 2, // 1 = original toolbar, 2 = Symfony 2.8+ toolbar
)), 200, array('Content-Type' => 'text/html'));
));
}

/**
Expand Down Expand Up @@ -295,7 +298,7 @@ public function searchResultsAction(Request $request, $token)
$end = $request->query->get('end', null);
$limit = $request->query->get('limit');

return new Response($this->twig->render('@WebProfiler/Profiler/results.html.twig', array(
return $this->renderWithCspNonces($request, '@WebProfiler/Profiler/results.html.twig', array(
'request' => $request,
'token' => $token,
'profile' => $profile,
Expand All @@ -307,7 +310,7 @@ public function searchResultsAction(Request $request, $token)
'end' => $end,
'limit' => $limit,
'panel' => null,
)), 200, array('Content-Type' => 'text/html'));
));
}

/**
Expand Down Expand Up @@ -397,4 +400,18 @@ protected function getTemplateManager()

return $this->templateManager;
}

private function renderWithCspNonces(Request $request, $template, $variables, $code = 200, $headers = array('Content-Type' => 'text/html'))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

according to your talk at the SymfonyLive right now, wouldn't it be better to use signatures instead ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually this PR provides CSP support for setups where unsafe-inline is disabled in development environment (because it only affects the WebProfilerBundle that should not be enabled in prod in any case)

So, even if it's recommended to use signature instead of nonce, it's a recommendation for production or staging. In development, it enables user to fully uses test with their CSP and uses the WebProfilerBundle.

So, no, it's not a problem :)

{
$response = new Response('', $code, $headers);

$nonces = $this->cspHandler ? $this->cspHandler->getNonces($request, $response) : array();

$variables['csp_script_nonce'] = isset($nonces['csp_script_nonce']) ? $nonces['csp_script_nonce'] : null;
$variables['csp_style_nonce'] = isset($nonces['csp_style_nonce']) ? $nonces['csp_style_nonce'] : null;

$response->setContent($this->twig->render($template, $variables));

return $response;
}
}
253 changes: 253 additions & 0 deletions src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,253 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Bundle\WebProfilerBundle\Csp;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

/**
* Handles Content-Security-Policy HTTP header for the WebProfiler Bundle.
*
* @author Romain Neutron <imprec@gmail.com>
*/
class ContentSecurityPolicyHandler
{
private $nonceGenerator;

public function __construct(NonceGenerator $nonceGenerator)
{
return $this->nonceGenerator = $nonceGenerator;
}

/**
* Returns an array of nonces to be used in Twig templates and Content-Security-Policy headers.
*
* Nonce can be provided by;
* - The request - In case HTML content is fetched via AJAX and inserted in DOM, it must use the same nonce as origin
* - The response - A call to getNonces() has already been done previously. Same nonce are returned
* - They are otherwise randomly generated
*
* @param Request $request
* @param Response $response
*
* @return array
*/
public function getNonces(Request $request, Response $response)
{
if ($request->headers->has('X-SymfonyProfiler-Script-Nonce') && $request->headers->has('X-SymfonyProfiler-Style-Nonce')) {
return array(
'csp_script_nonce' => $request->headers->get('X-SymfonyProfiler-Script-Nonce'),
'csp_style_nonce' => $request->headers->get('X-SymfonyProfiler-Style-Nonce'),
);
}

if ($response->headers->has('X-SymfonyProfiler-Script-Nonce') && $response->headers->has('X-SymfonyProfiler-Style-Nonce')) {
return array(
'csp_script_nonce' => $response->headers->get('X-SymfonyProfiler-Script-Nonce'),
'csp_style_nonce' => $response->headers->get('X-SymfonyProfiler-Style-Nonce'),
);
}

$nonces = array(
'csp_script_nonce' => $this->generateNonce(),
'csp_style_nonce' => $this->generateNonce(),
);

$response->headers->set('X-SymfonyProfiler-Script-Nonce', $nonces['csp_script_nonce']);
$response->headers->set('X-SymfonyProfiler-Style-Nonce', $nonces['csp_style_nonce']);

return $nonces;
}

/**
* Cleanup temporary headers and updates Content-Security-Policy headers.
*
* This method should be called on KernelEvents::RESPONSE
*
* @param Request $request
* @param Response $response
*
* @return array Nonce used by the bundle in Content-Security-Policy header
*/
public function onKernelResponse(Request $request, Response $response)
{
$nonces = $this->getNonces($request, $response);
$this->cleanHeaders($response);
$this->updateCspHeaders($response, $nonces);

return $nonces;
}

/**
* @param Response $response
*/
private function cleanHeaders(Response $response)
{
$response->headers->remove('X-SymfonyProfiler-Script-Nonce');
$response->headers->remove('X-SymfonyProfiler-Style-Nonce');
}

/**
* Updates Content-Security-Policy headers in a response.
*
* @param Response $response
* @param array $nonces
*
* @return array
*/
private function updateCspHeaders(Response $response, array $nonces = array()) {
$nonces = array_replace(array(
'csp_script_nonce' => $this->generateNonce(),
'csp_style_nonce' => $this->generateNonce(),
), $nonces);

$ruleIsSet = false;

$headers = $this->getCspHeaders($response);

foreach ($headers as $header => $directives) {
foreach (array('script-src' => 'csp_script_nonce', 'style-src' => 'csp_style_nonce') as $type => $tokenName) {
if (!$this->authorizesInline($directives, $type)) {
if (!isset($headers[$header][$type])) {
if (isset($headers[$header]['default-src'])) {
$headers[$header][$type] = $headers[$header]['default-src'];
} else {
$headers[$header][$type] = array();
}
}
$ruleIsSet = true;
if (!in_array('\'unsafe-inline\'', $headers[$header][$type], true)) {
$headers[$header][$type][] = '\'unsafe-inline\'';
}
$headers[$header][$type][] = sprintf('\'nonce-%s\'', $nonces[$tokenName]);
}
}
}

if (!$ruleIsSet) {
return $nonces;
}

foreach ($headers as $header => $directives) {
$response->headers->set($header, $this->generateCspHeader($directives));
}

return $nonces;
}

/**
* Generates a valid Content-Security-Policy nonce.
*
* @return string
*/
private function generateNonce()
{
return $this->nonceGenerator->generate();
}

/**
* Converts a directives set array into Content-Security-Policy header.
*
* @param array $directives The directives set
*
* @return string The Content-Security-Policy header
*/
private function generateCspHeader(array $directives)
{
return array_reduce(array_keys($directives), function ($res, $name) use ($directives) {
return ($res !== '' ? $res.'; ' : '').sprintf('%s %s', $name, implode(' ', $directives[$name]));
}, '');
}

/**
* Converts a Content-Security-Policy header value into a directives set array.
*
* @param string $header The header value
*
* @return array The directives set
*/
private function parseDirectives($header) {
$directives = array();

foreach (explode(';', $header) as $directive) {
$parts = explode(' ', trim($directive));
if (count($parts) < 1) {
continue;
}
$name = array_shift($parts);
$directives[$name] = $parts;
}

return $directives;
}

/**
* Detects if the 'unsafe-inline' is prevented for a directive within the directives set.
*
* @param array $directivesSet The directives set
* @param string $type The name of the directive to check
*
* @return bool
*/
private function authorizesInline(array $directivesSet, $type)
{
if (isset($directivesSet[$type])) {
$directives = $directivesSet[$type];
} elseif (isset($directivesSet['default-src'])) {
$directives = $directivesSet['default-src'];
} else {
return false;
}

return in_array('\'unsafe-inline\'', $directives, true) && !$this->hasHashOrNonce($directives);
}

private function hasHashOrNonce(array $directives)
{
foreach ($directives as $directive) {
if ('\'' !== substr($directive, -1)) {
continue;
}
if ('\'nonce-' === substr($directive, 0, 7)) {
return true;
}
if (in_array(substr($directive, 0, 8), array('\'sha256-', '\'sha384-', '\'sha512-'), true)) {
return true;
}
}

return false;
}

/**
* Retrieves the Content-Security-Policy headers (either X-Content-Security-Policy or Content-Security-Policy) from
* a response.
*
* @param Response $response The response
*
* @return array An associative array of headers
*/
private function getCspHeaders(Response $response)
{
$headers = array();

if ($response->headers->has('Content-Security-Policy')) {
$headers['Content-Security-Policy'] = $this->parseDirectives($response->headers->get('Content-Security-Policy'));
}

if ($response->headers->has('X-Content-Security-Policy')) {
$headers['X-Content-Security-Policy'] = $this->parseDirectives($response->headers->get('X-Content-Security-Policy'));
}

return $headers;
}
}
25 changes: 25 additions & 0 deletions src/Symfony/Bundle/WebProfilerBundle/Csp/NonceGenerator.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Bundle\WebProfilerBundle\Csp;

/**
* Generates Content-Security-Policy nonce.
*
* @author Romain Neutron <imprec@gmail.com>
*/
class NonceGenerator
{
public function generate()
{
return bin2hex(random_bytes(16));
}
}
Loading
0