Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
Browse Source

Add support for CSP_NONCE server variable 

Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server.

Signed-off-by: Sam Bull <git@sambull.org>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
pull/16380/head
Sam Bull 7 years ago
committed by Roeland Jago Douma
parent
3d0e0f2353
commit
ea935f65fd
No known key found for this signature in database GPG Key ID: F941078878347C0C
2 changed files with 26 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
  2. 23
      tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php

6
lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
View File

@ -58,7 +58,11 @@ class ContentSecurityPolicyNonceManager {
*/ */
public function getNonce(): string { public function getNonce(): string {
if($this->nonce === '') { if($this->nonce === '') {
$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
if (empty($this->request->server['CSP_NONCE'])) {
$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
} else {
$this->nonce = $this->request->server['CSP_NONCE'];
}
} }
return $this->nonce; return $this->nonce;

23
tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php
View File

@ -21,23 +21,26 @@
namespace Test\Security\CSP; namespace Test\Security\CSP;
use OC\AppFramework\Http\Request;
use OC\Security\CSP\ContentSecurityPolicyNonceManager; use OC\Security\CSP\ContentSecurityPolicyNonceManager;
use OC\Security\CSRF\CsrfToken; use OC\Security\CSRF\CsrfToken;
use OC\Security\CSRF\CsrfTokenManager; use OC\Security\CSRF\CsrfTokenManager;
use OCP\IRequest;
use Test\TestCase; use Test\TestCase;
class ContentSecurityPolicyNonceManagerTest extends TestCase { class ContentSecurityPolicyNonceManagerTest extends TestCase {
/** @var CsrfTokenManager */ /** @var CsrfTokenManager */
private $csrfTokenManager; private $csrfTokenManager;
/** @var Request */
private $request;
/** @var ContentSecurityPolicyNonceManager */ /** @var ContentSecurityPolicyNonceManager */
private $nonceManager; private $nonceManager;
public function setUp() { public function setUp() {
$this->csrfTokenManager = $this->createMock(CsrfTokenManager::class); $this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
$this->request = $this->createMock(Request::class);
$this->nonceManager = new ContentSecurityPolicyNonceManager( $this->nonceManager = new ContentSecurityPolicyNonceManager(
$this->csrfTokenManager, $this->csrfTokenManager,
$this->createMock(IRequest::class)
$this->request
); );
} }
@ -56,4 +59,20 @@ class ContentSecurityPolicyNonceManagerTest extends TestCase {
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce()); $this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce()); $this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
} }
public function testGetNonceServerVar() {
$token = 'SERVERNONCE';
$this->request
->method('__isset')
->with('server')
->willReturn(true);
$this->request
->method('__get')
->with('server')
->willReturn(['CSP_NONCE' => $token]);
$this->assertSame($token, $this->nonceManager->getNonce());
$this->assertSame($token, $this->nonceManager->getNonce());
}
} }
Write Preview
Loading…
Cancel
Save