Merge pull request #296 from GeekInTheNorth/release/v3.1.0

Release v3.1.0

Author: GeekInTheNorth

src/Stott.Security.Optimizely.Test/Features/Csp/CspOptimizerTests.cs

@@ -31,14 +31,9 @@ public sealed class CspServiceTests
 
     private Mock<IContentSecurityPolicyPage> _mockPage;
 
-    private Mock<ICspReportUrlResolver> _mockReportUrlResolver;
-
     [SetUp]
     public void SetUp()
     {
-        _mockReportUrlResolver = new Mock<ICspReportUrlResolver>();
-        _mockReportUrlResolver.Setup(x => x.GetReportToPath()).Returns("https://www.example.com/");
-
         _mockSettingsService = new Mock<ICspSettingsService>();
 
         _mockSandboxService = new Mock<ICspSandboxService>();
@@ -50,8 +45,7 @@ public void SetUp()
         _cspService = new CspService(
             _mockSettingsService.Object,
             _mockPermissionService.Object,
-            _mockSandboxService.Object,
-            _mockReportUrlResolver.Object);
+            _mockSandboxService.Object);
     }
 
     [Test]

src/Stott.Security.Optimizely.Test/Features/Csp/CspServiceTests.cs

@@ -1,7 +1,5 @@
-using System.Collections.Generic;
-
-using EPiServer.Core;
-using EPiServer.Web.Templating;
+using EPiServer.Core;
+using EPiServer.Web.Routing;
 
 using Microsoft.AspNetCore.Http;
 
@@ -22,6 +20,8 @@ public sealed class DefaultNonceProviderTests
 
     private Mock<ICspSettingsService> _mockCspSettingsService;
 
+    private Mock<IPageRouteHelper> _mockPageRouteHelper;
+
     private Mock<HttpContext> _mockContext;
 
     private Mock<HttpRequest> _mockHttpRequest;
@@ -37,6 +37,8 @@ public void SetUp()
         _mockHttpContextAccessor = new Mock<IHttpContextAccessor>();
         _mockHttpContextAccessor.Setup(x => x.HttpContext).Returns(_mockContext.Object);
 
+        _mockPageRouteHelper = new Mock<IPageRouteHelper>();
+
         _mockCspSettingsService = new Mock<ICspSettingsService>();
     }
 
@@ -48,8 +50,9 @@ public void GetNonce_ReturnsNullWhenCspOrNonceIsDisabled(bool isEnabled, bool is
     {
         // Assert
         _mockCspSettingsService.Setup(x => x.Get()).Returns(new CspSettings { IsEnabled = isEnabled, IsNonceEnabled = isNonceEnabled });
+        _mockPageRouteHelper.Setup(x => x.PageLink).Returns(new PageReference(1));
 
-        var nonceProvider = new DefaultNonceProvider(_mockCspSettingsService.Object, _mockHttpContextAccessor.Object);
+        var nonceProvider = new DefaultNonceProvider(_mockCspSettingsService.Object, _mockHttpContextAccessor.Object, _mockPageRouteHelper.Object);
 
         // Act
         var nonce = nonceProvider.GetNonce();
@@ -71,7 +74,7 @@ public void GetNonce_ReturnsNullOnNonContentPathExceptForTheCompiledHeadersPath(
 
         _mockHttpRequest.Setup(x => x.Path).Returns(new PathString(pathValue));
 
-        var nonceProvider = new DefaultNonceProvider(_mockCspSettingsService.Object, _mockHttpContextAccessor.Object);
+        var nonceProvider = new DefaultNonceProvider(_mockCspSettingsService.Object, _mockHttpContextAccessor.Object, _mockPageRouteHelper.Object);
 
         // Act
         var nonce = nonceProvider.GetNonce();
@@ -82,20 +85,13 @@ public void GetNonce_ReturnsNullOnNonContentPathExceptForTheCompiledHeadersPath(
     }
 
     [Test]
-    public void GetNonce_ReturnsNullIfRederingContextDoesNotContainContentData()
+    public void GetNonce_ReturnsNullIfNotRenderingAPage()
     {
         // Assert
-        var renderingContext = new ContentRenderingContext(null, (IContentData)null);
-
+        _mockPageRouteHelper.Setup(x => x.PageLink).Returns((PageReference)null);
         _mockCspSettingsService.Setup(x => x.Get()).Returns(new CspSettings { IsEnabled = true, IsNonceEnabled = true });
 
-        _mockContext.Setup(x => x.Items)
-                    .Returns(new Dictionary<object, object>
-                    {
-                        { ContentRenderingContext.ContentRenderingContextKey, renderingContext }
-                    });
-
-        var nonceProvider = new DefaultNonceProvider(_mockCspSettingsService.Object, _mockHttpContextAccessor.Object);
+        var nonceProvider = new DefaultNonceProvider(_mockCspSettingsService.Object, _mockHttpContextAccessor.Object, _mockPageRouteHelper.Object);
 
         // Act
         var nonce = nonceProvider.GetNonce();
@@ -108,20 +104,10 @@ public void GetNonce_ReturnsNullIfRederingContextDoesNotContainContentData()
     public void GetNonce_ReturnsNonceIfRederingContextDoesContainContentData()
     {
         // Assert
-        var mockContent = new Mock<IContent>();
-        mockContent.Setup(x => x.ContentLink).Returns(new ContentReference(1));
-
-        var renderingContext = new ContentRenderingContext(null, mockContent.Object);
-
+        _mockPageRouteHelper.Setup(x => x.PageLink).Returns(new PageReference(1));
         _mockCspSettingsService.Setup(x => x.Get()).Returns(new CspSettings { IsEnabled = true, IsNonceEnabled = true });
 
-        _mockContext.Setup(x => x.Items)
-                    .Returns(new Dictionary<object, object>
-                    {
-                        { ContentRenderingContext.ContentRenderingContextKey, renderingContext }
-                    });
-
-        var nonceProvider = new DefaultNonceProvider(_mockCspSettingsService.Object, _mockHttpContextAccessor.Object);
+        var nonceProvider = new DefaultNonceProvider(_mockCspSettingsService.Object, _mockHttpContextAccessor.Object, _mockPageRouteHelper.Object);
 
         // Act
         var nonce = nonceProvider.GetNonce();

src/Stott.Security.Optimizely.Test/Features/Csp/Nonce/DefaultNonceProviderTests.cs

@@ -59,11 +59,10 @@ public static IEnumerable<TestCaseData> GetValidUrlTestCases
             yield return new TestCaseData("http://www.example.com:80");
             yield return new TestCaseData("http://www.example.com/");
             yield return new TestCaseData("http://www.example.com/something");
-            yield return new TestCaseData("http://www.example.com/something");
             yield return new TestCaseData("https://www.example.com");
+            yield return new TestCaseData("https://www.EXAMPLE.com");
             yield return new TestCaseData("https://www.example.com/");
             yield return new TestCaseData("https://www.example.com/something");
-            yield return new TestCaseData("https://www.example.com/something");
             yield return new TestCaseData("*.mailsite.com");
             yield return new TestCaseData("https://onlinebanking.jumbobank.com");
             yield return new TestCaseData("media1.com");
@@ -78,6 +77,12 @@ public static IEnumerable<TestCaseData> GetValidUrlTestCases
             yield return new TestCaseData("http://www.example.io");
             yield return new TestCaseData("https://www.example.co");
             yield return new TestCaseData("https://www.example.io");
+            yield return new TestCaseData("https://abc1d23456de7f890g12-h34ijklm567nop890qr12stu3v4567wx.ssl.cf5.rackcdn.com/1234/v4.3.2iframeResizer.min.js");
+            yield return new TestCaseData("https://example.com/xyZxYzabcDEFghij-eu1/zaius-min.js");
+            yield return new TestCaseData("https://example.com/Test@test");
+            yield return new TestCaseData("x.com");
+            yield return new TestCaseData("https://x.com");            
+            yield return new TestCaseData("https://*");
         }
     }
 
@@ -126,7 +131,6 @@ public static IEnumerable<TestCaseData> GetValidDirectivesTestCases
             yield return new TestCaseData(new List<string> { CspConstants.Directives.ManifestSource });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.MediaSource });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.ObjectSource });
-            yield return new TestCaseData(new List<string> { CspConstants.Directives.PreFetchSource });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.ScriptSourceAttribute });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.ScriptSourceElement });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.ScriptSource });
@@ -135,7 +139,7 @@ public static IEnumerable<TestCaseData> GetValidDirectivesTestCases
             yield return new TestCaseData(new List<string> { CspConstants.Directives.StyleSource });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.WorkerSource });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.BaseUri, CspConstants.Directives.ObjectSource });
-            yield return new TestCaseData(new List<string> { CspConstants.Directives.ChildSource, CspConstants.Directives.PreFetchSource });
+            yield return new TestCaseData(new List<string> { CspConstants.Directives.ChildSource, CspConstants.Directives.FrameSource });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.FontSource, CspConstants.Directives.ScriptSourceAttribute });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.FontSource, CspConstants.Directives.ScriptSourceElement });
             yield return new TestCaseData(new List<string> { CspConstants.Directives.FrameAncestors, CspConstants.Directives.ScriptSource });

src/Stott.Security.Optimizely.Test/Features/Csp/Permissions/Save/SavePermissionModelTestCases.cs

@@ -88,7 +88,6 @@ public static IEnumerable<TestCaseData> DirectiveSuggestionTestCases
             yield return new TestCaseData(CspConstants.Directives.ManifestSource, new List<string> { CspConstants.Directives.ManifestSource });
             yield return new TestCaseData(CspConstants.Directives.MediaSource, new List<string> { CspConstants.Directives.MediaSource });
             yield return new TestCaseData(CspConstants.Directives.ObjectSource, new List<string> { CspConstants.Directives.ObjectSource });
-            yield return new TestCaseData(CspConstants.Directives.PreFetchSource, new List<string> { CspConstants.Directives.PreFetchSource });
             yield return new TestCaseData(CspConstants.Directives.ScriptSourceAttribute, new List<string> { CspConstants.Directives.ScriptSourceAttribute, CspConstants.Directives.ScriptSource });
             yield return new TestCaseData(CspConstants.Directives.ScriptSourceElement, new List<string> { CspConstants.Directives.ScriptSourceElement, CspConstants.Directives.ScriptSource });
             yield return new TestCaseData(CspConstants.Directives.ScriptSource, new List<string> { CspConstants.Directives.ScriptSource });

src/Stott.Security.Optimizely.Test/Features/Csp/Reporting/ViolationReportSummaryTestCases.cs

@@ -9,7 +9,7 @@
 using Stott.Security.Optimizely.Features.Csp.Reporting;
 
 [TestFixture]
-public class ViolationReportSummaryTests
+public sealed class ViolationReportSummaryTests
 {
     [Test]
     [TestCaseSource(typeof(ViolationReportSummaryTestCases), nameof(ViolationReportSummaryTestCases.SanitizedSourceTestCases))]
@@ -18,7 +18,7 @@ public void SanitizedSourceReturnsEitherTheFullDomainOrOriginalString(
         string expectedSanitizedSource)
     {
         // Arrange
-        var summary = new ViolationReportSummary(1, source, string.Empty, 1, DateTime.Now);
+        var summary = new ViolationReportSummary(Guid.NewGuid(), source, string.Empty, 1, DateTime.Now);
 
         // Assert
         Assert.That(summary.SanitizedSource, Is.EqualTo(expectedSanitizedSource));
@@ -29,7 +29,7 @@ public void SanitizedSourceReturnsEitherTheFullDomainOrOriginalString(
     public void CreatesAppropriateSuggestionsForWildCardDomains(string source, IList<string> expectedSuggestions)
     {
         // Arrange
-        var summary = new ViolationReportSummary(1, source, string.Empty, 1, DateTime.Now);
+        var summary = new ViolationReportSummary(Guid.NewGuid(), source, string.Empty, 1, DateTime.Now);
 
         // Assert
         Assert.That(summary.SourceSuggestions, Is.EquivalentTo(expectedSuggestions));
@@ -40,7 +40,7 @@ public void CreatesAppropriateSuggestionsForWildCardDomains(string source, IList
     public void CreatesASingleSuggestionMatchingTheSourceWhenSourceIsNotAUrl(string source)
     {
         // Arrange
-        var summary = new ViolationReportSummary(1, source, string.Empty, 1, DateTime.Now);
+        var summary = new ViolationReportSummary(Guid.NewGuid(), source, string.Empty, 1, DateTime.Now);
 
         // Assert
         Assert.Multiple(() =>
@@ -55,7 +55,7 @@ public void CreatesASingleSuggestionMatchingTheSourceWhenSourceIsNotAUrl(string
     public void CreatesAppropriateSuggestionsForDirectives(string directive, IList<string> expectedDirectives)
     {
         // Arrange
-        var summary = new ViolationReportSummary(1, string.Empty, directive, 1, DateTime.Now);
+        var summary = new ViolationReportSummary(Guid.NewGuid(), string.Empty, directive, 1, DateTime.Now);
 
         // Assert
         Assert.That(summary.DirectiveSuggestions, Is.EquivalentTo(expectedDirectives));

src/Stott.Security.Optimizely.Test/Features/Csp/Reporting/ViolationReportSummaryTests.cs

@@ -171,4 +171,50 @@ public async Task GetSecurityHeadersAsync_UsesPageSpecificCacheKeyWhenPageDataIs
         Assert.That(cacheKeyUsed, Is.Not.EqualTo(CspConstants.CacheKeys.CompiledHeaders));
         Assert.That(cacheKeyUsed.Contains(CspConstants.CacheKeys.CompiledHeaders), Is.True);
     }
+
+    [Test]
+    public async Task GetSecurityHeadersAsync_GivenReportingEndpointHeaderIsPresent_ThenInternalReportingPlaceholderIsUpdated()
+    {
+        // Arrange
+        var headers = new List<HeaderDto>
+        {
+            new() { Key = CspConstants.HeaderNames.ContentSecurityPolicy, Value = "default-src 'self'; report-to /report" },
+            new() { Key = CspConstants.HeaderNames.ReportingEndpoints, Value = $"stott-security-endpoint=\"{CspConstants.InternalReportingPlaceholder}\""}
+        };
+
+        _cacheWrapper.Setup(x => x.Get<List<HeaderDto>>(It.IsAny<string>()))
+                     .Returns(headers);
+
+        _mockReportUrlResolver.Setup(x => x.GetReportToPath()).Returns("https://example.com/report");
+
+        // Act
+        var result = await _service.GetSecurityHeadersAsync(null);
+        var reportingHeader = result.Find(x => x.Key == CspConstants.HeaderNames.ReportingEndpoints);
+
+        // Assert
+        Assert.That(reportingHeader?.Value, Is.EqualTo("stott-security-endpoint=\"https://example.com/report\""));
+    }
+
+    [Test]
+    public async Task GetSecurityHeadersAsync_GivenReportingEndpointHeaderIsPresent_AndInternalAndExternalReportingIsEnabled_ThenInternalReportingPlaceholderIsUpdated()
+    {
+        // Arrange
+        var headers = new List<HeaderDto>
+        {
+            new() { Key = CspConstants.HeaderNames.ContentSecurityPolicy, Value = "default-src 'self'; report-to /report" },
+            new() { Key = CspConstants.HeaderNames.ReportingEndpoints, Value = $"stott-security-endpoint=\"{CspConstants.InternalReportingPlaceholder}\", stott-security-external-endpoint=\"https://www.external.com/report/\""}
+        };
+
+        _cacheWrapper.Setup(x => x.Get<List<HeaderDto>>(It.IsAny<string>()))
+                     .Returns(headers);
+
+        _mockReportUrlResolver.Setup(x => x.GetReportToPath()).Returns("https://example.com/report");
+
+        // Act
+        var result = await _service.GetSecurityHeadersAsync(null);
+        var reportingHeader = result.Find(x => x.Key == CspConstants.HeaderNames.ReportingEndpoints);
+
+        // Assert
+        Assert.That(reportingHeader?.Value, Is.EqualTo("stott-security-endpoint=\"https://example.com/report\", stott-security-external-endpoint=\"https://www.external.com/report/\""));
+    }
 }

src/Stott.Security.Optimizely.Test/Features/Header/HeaderCompilationServiceTests.cs

@@ -58,7 +58,29 @@ public void ShouldValidateQuotedSources(string source, bool shouldError)
     }
 
     [Test]
-    [TestCaseSource(typeof(SavePermissionModelTestCases), nameof(SavePermissionModelTestCases.GetValidUrlTestCases))]
+    [TestCase("ws://www.example.com")]
+    [TestCase("wss://www.example.com")]
+    [TestCase("http://www.example.com")]
+    [TestCase("http://www.example.com:80")]
+    [TestCase("http://www.example.com/")]
+    [TestCase("http://www.example.com/something")]
+    [TestCase("https://www.example.com")]
+    [TestCase("https://www.example.com/")]
+    [TestCase("https://www.example.com/something")]
+    [TestCase("*.mailsite.com")]
+    [TestCase("https://onlinebanking.jumbobank.com")]
+    [TestCase("media1.com")]
+    [TestCase("*.trusted.com")]
+    [TestCase("wss://localhost:44323")]
+    [TestCase("https://localhost:*")]
+    [TestCase("*.example.co")]
+    [TestCase("*.example.io")]
+    [TestCase("http://*.example.co")]
+    [TestCase("http://*.example.io")]
+    [TestCase("http://www.example.co")]
+    [TestCase("http://www.example.io")]
+    [TestCase("https://www.example.co")]
+    [TestCase("https://www.example.io")]
     public void ShouldValidateUrlsWithOrWithoutWildcards(string source)
     {
         // Arrange

src/Stott.Security.Optimizely.Test/Features/Pages/PageCspSourceMappingValidationTests.cs

@@ -14,13 +14,15 @@ public static class CspConstants
 
     public const string NoncePlaceholder = "##NONCE##";
 
+    public const string InternalReportingPlaceholder = "##INTERNAL_REPORTING##";
+
     public const string StrictDynamic = "'strict-dynamic'";
 
     public static int LogRetentionDays => 30;
 
     public const int TwoYearsInSeconds = 63072000;
 
-    public const int SplitThreshold = 8000;
+    public const int SplitThreshold = 8100;
 
     public const int SimplifyThreshold = 12000;
 
@@ -43,7 +45,6 @@ public static class CspConstants
         Directives.ManifestSource,
         Directives.MediaSource,
         Directives.ObjectSource,
-        Directives.PreFetchSource,
         Directives.ScriptSourceAttribute,
         Directives.ScriptSourceElement,
         Directives.ScriptSource,
@@ -141,8 +142,6 @@ public static class Directives
 
         public const string ObjectSource = "object-src";
 
-        public const string PreFetchSource = "prefetch-src";
-
         public const string Sandbox = "sandbox";
 
         public const string ScriptSourceAttribute = "script-src-attr";
@@ -196,7 +195,7 @@ public static class CacheKeys
 
     public static class RegexPatterns
     {
-        public const string UrlDomain = "^([a-z0-9\\/\\-\\._\\:\\*\\[\\]\\@]{3,}\\.{1}[a-z0-9\\/\\-\\._\\:\\*\\[\\]\\@]{2,})$";
+        public const string UrlDomain = @"^(?:[a-zA-Z][a-zA-Z0-9+\-.]*:\/\/)?(?:\*\.[a-zA-Z0-9\-]+(?:\.[a-zA-Z0-9\-]+)+|[a-zA-Z0-9\-]+(?:\.[a-zA-Z0-9\-]+)+|\*)(?::\d+|:\*)?(?:\/[^\s]*)?$";
 
         public const string UrlLocalHost = "^([a-z]{2,5}\\:{1}\\/\\/localhost\\:([0-9]{1,5}|\\*{1}))$";
     }