-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
Expand file tree
/
Copy pathCspService.php
More file actions
232 lines (194 loc) · 5.91 KB
/
CspService.php
File metadata and controls
232 lines (194 loc) · 5.91 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
<?php
namespace BookStack\Util;
use Illuminate\Support\Str;
class CspService
{
protected string $nonce;
public function __construct(string $nonce = '')
{
$this->nonce = $nonce ?: Str::random(24);
}
/**
* Get the nonce value for CSP.
*/
public function getNonce(): string
{
return $this->nonce;
}
/**
* Get the CSP headers for the application.
*/
public function getCspHeader(): string
{
$headers = [
$this->getFrameAncestors(),
$this->getFrameSrc(),
$this->getScriptSrc(),
$this->getStyleSrc(),
$this->getImgSrc(),
$this->getObjectSrc(),
$this->getBaseUri(),
];
return implode('; ', array_filter($headers));
}
/**
* Get the CSP rules for the application for a HTML meta tag.
*/
public function getCspMetaTagValue(): string
{
$headers = [
$this->getFrameSrc(),
$this->getScriptSrc(),
$this->getStyleSrc(),
$this->getImgSrc(),
$this->getObjectSrc(),
$this->getBaseUri(),
];
return implode('; ', array_filter($headers));
}
/**
* Check if the user has configured some allowed iframe hosts.
*/
public function allowedIFrameHostsConfigured(): bool
{
return count($this->getAllowedIframeHosts()) > 0;
}
/**
* Create CSP 'script-src' rule to restrict the forms of script that can run on the page.
*/
protected function getScriptSrc(): string
{
if ($this->scriptFilteringDisabled()) {
return '';
}
$parts = [
'http:',
'https:',
'\'nonce-' . $this->nonce . '\'',
'\'strict-dynamic\'',
];
return 'script-src ' . implode(' ', $parts);
}
/**
* Create CSP "frame-ancestors" rule to restrict the hosts that BookStack can be iframed within.
*/
protected function getFrameAncestors(): string
{
$iframeHosts = $this->getAllowedIframeHosts();
array_unshift($iframeHosts, "'self'");
return 'frame-ancestors ' . implode(' ', $iframeHosts);
}
/**
* Creates CSP "frame-src" rule to restrict what hosts/sources can be loaded
* within iframes to provide an allow-list-style approach to iframe content.
*/
protected function getFrameSrc(): string
{
$iframeHosts = $this->getAllowedIframeSources();
array_unshift($iframeHosts, "'self'");
return 'frame-src ' . implode(' ', $iframeHosts);
}
/**
* Creates CSP 'object-src' rule to restrict the types of dynamic content
* that can be embedded on the page.
*/
protected function getObjectSrc(): string
{
if ($this->scriptFilteringDisabled()) {
return '';
}
return "object-src 'self'";
}
/**
* Creates CSP 'style-src' rule to restrict where styles can be loaded from.
*/
protected function getStyleSrc(): string
{
return 'style-src ' . implode(' ', $this->getAllowedStyleSources());
}
/**
* Creates CSP 'img-src' rule to restrict where images can be loaded from.
*/
protected function getImgSrc(): string
{
return 'img-src ' . implode(' ', $this->getAllowedImageSources());
}
/**
* Creates CSP 'base-uri' rule to restrict what base tags can be set on
* the page to prevent manipulation of relative links.
*/
protected function getBaseUri(): string
{
return "base-uri 'self'";
}
protected function scriptFilteringDisabled(): bool
{
return !HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'))->filterOutJavaScript;
}
protected function getAllowedIframeHosts(): array
{
$hosts = config('app.iframe_hosts') ?? '';
return array_filter(explode(' ', $hosts));
}
protected function getAllowedIframeSources(): array
{
$sources = explode(' ', config('app.iframe_sources', ''));
$sources[] = $this->getDrawioHost();
return array_filter($sources);
}
/**
* Get allowed style sources for the style-src directive.
*/
protected function getAllowedStyleSources(): array
{
$configured = config('app.css_sources');
if (is_string($configured)) {
$sources = array_filter(explode(' ', $configured));
array_unshift($sources, "'self'");
return array_values(array_unique($sources));
}
return [
"'self'",
"'unsafe-inline'",
'http:',
'https:',
];
}
/**
* Get allowed image sources for the img-src directive.
*/
protected function getAllowedImageSources(): array
{
$configured = config('app.image_sources');
if (is_string($configured)) {
$sources = array_filter(explode(' ', $configured));
array_unshift($sources, "'self'");
return array_values(array_unique($sources));
}
return [
"'self'",
'data:',
'blob:',
'http:',
'https:',
];
}
/**
* Extract the host name of the configured drawio URL for use in CSP.
* Returns empty string if not in use.
*/
protected function getDrawioHost(): string
{
$drawioConfigValue = config('services.drawio');
if (!$drawioConfigValue) {
return '';
}
$drawioSource = is_string($drawioConfigValue) ? $drawioConfigValue : 'https://embed.diagrams.net/';
$drawioSourceParsed = parse_url($drawioSource);
$drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];
if (isset($drawioSourceParsed['port'])) {
$drawioHost .= ':' . $drawioSourceParsed['port'];
}
return $drawioHost;
}
}