forked from BookStackApp/BookStack
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCspService.php
More file actions
167 lines (139 loc) · 4.28 KB
/
CspService.php
File metadata and controls
167 lines (139 loc) · 4.28 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
<?php
namespace BookStack\Util;
use Illuminate\Support\Str;
class CspService
{
protected string $nonce;
public function __construct(string $nonce = '')
{
$this->nonce = $nonce ?: Str::random(24);
}
/**
* Get the nonce value for CSP.
*/
public function getNonce(): string
{
return $this->nonce;
}
/**
* Get the CSP headers for the application.
*/
public function getCspHeader(): string
{
$headers = [
$this->getFrameAncestors(),
$this->getFrameSrc(),
$this->getScriptSrc(),
$this->getObjectSrc(),
$this->getBaseUri(),
];
return implode('; ', array_filter($headers));
}
/**
* Get the CSP rules for the application for a HTML meta tag.
*/
public function getCspMetaTagValue(): string
{
$headers = [
$this->getFrameSrc(),
$this->getScriptSrc(),
$this->getObjectSrc(),
$this->getBaseUri(),
];
return implode('; ', array_filter($headers));
}
/**
* Check if the user has configured some allowed iframe hosts.
*/
public function allowedIFrameHostsConfigured(): bool
{
return count($this->getAllowedIframeHosts()) > 0;
}
/**
* Create CSP 'script-src' rule to restrict the forms of script that can run on the page.
*/
protected function getScriptSrc(): string
{
if ($this->scriptFilteringDisabled()) {
return '';
}
$parts = [
'http:',
'https:',
'\'nonce-' . $this->nonce . '\'',
'\'strict-dynamic\'',
];
return 'script-src ' . implode(' ', $parts);
}
/**
* Create CSP "frame-ancestors" rule to restrict the hosts that BookStack can be iframed within.
*/
protected function getFrameAncestors(): string
{
$iframeHosts = $this->getAllowedIframeHosts();
array_unshift($iframeHosts, "'self'");
return 'frame-ancestors ' . implode(' ', $iframeHosts);
}
/**
* Creates CSP "frame-src" rule to restrict what hosts/sources can be loaded
* within iframes to provide an allow-list-style approach to iframe content.
*/
protected function getFrameSrc(): string
{
$iframeHosts = $this->getAllowedIframeSources();
array_unshift($iframeHosts, "'self'");
return 'frame-src ' . implode(' ', $iframeHosts);
}
/**
* Creates CSP 'object-src' rule to restrict the types of dynamic content
* that can be embedded on the page.
*/
protected function getObjectSrc(): string
{
if ($this->scriptFilteringDisabled()) {
return '';
}
return "object-src 'self'";
}
/**
* Creates CSP 'base-uri' rule to restrict what base tags can be set on
* the page to prevent manipulation of relative links.
*/
protected function getBaseUri(): string
{
return "base-uri 'self'";
}
protected function scriptFilteringDisabled(): bool
{
return !HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'))->filterOutJavaScript;
}
protected function getAllowedIframeHosts(): array
{
$hosts = config('app.iframe_hosts') ?? '';
return array_filter(explode(' ', $hosts));
}
protected function getAllowedIframeSources(): array
{
$sources = explode(' ', config('app.iframe_sources', ''));
$sources[] = $this->getDrawioHost();
return array_filter($sources);
}
/**
* Extract the host name of the configured drawio URL for use in CSP.
* Returns empty string if not in use.
*/
protected function getDrawioHost(): string
{
$drawioConfigValue = config('services.drawio');
if (!$drawioConfigValue) {
return '';
}
$drawioSource = is_string($drawioConfigValue) ? $drawioConfigValue : 'https://embed.diagrams.net/';
$drawioSourceParsed = parse_url($drawioSource);
$drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];
if (isset($drawioSourceParsed['port'])) {
$drawioHost .= ':' . $drawioSourceParsed['port'];
}
return $drawioHost;
}
}