Merge pull request #5111 from magento-qwerty/MC-19927

[CIA] Implement hash-whitelisting, dynamic CSP

Author: dvoskoboinikov

app/code/Magento/Csp/Api/CspAwareActionInterface.php

@@ -0,0 +1,27 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Api;
+
+use Magento\Framework\App\ActionInterface;
+
+/**
+ * Interface for controllers that can provide route-specific CSPs.
+ */
+interface CspAwareActionInterface extends ActionInterface
+{
+    /**
+     * Return CSPs that will be applied to current route (page).
+     *
+     * The array returned will be used as is so if you need to keep policies that have been already applied they need
+     * to be included in the resulting array.
+     *
+     * @param \Magento\Csp\Api\Data\PolicyInterface[] $appliedPolicies
+     * @return \Magento\Csp\Api\Data\PolicyInterface[]
+     */
+    public function modifyCsp(array $appliedPolicies): array;
+}

app/code/Magento/Csp/Api/InlineUtilInterface.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Api;
+
+use Magento\Csp\Api\Data\PolicyInterface;
+
+/**
+ * Utility for classes responsible for rendering and templates that allows whitelist inline sources.
+ */
+interface InlineUtilInterface
+{
+    /**
+     * Render HTML tag and whitelist it as trusted source.
+     *
+     * Use this method to whitelist remote static resources and inline styles/scripts.
+     * Do not use user-provided as any of the parameters.
+     *
+     * @param string $tagName
+     * @param string[] $attributes
+     * @param string|null $content
+     * @return string
+     */
+    public function renderTag(string $tagName, array $attributes, ?string $content = null): string;
+
+    /**
+     * Render event listener as an HTML attribute and whitelist it as trusted source.
+     *
+     * Do not use user-provided values as any of the parameters.
+     *
+     * @param string $eventName Full attribute name like "onclick".
+     * @param string $javascript
+     * @return string
+     */
+    public function renderEventListener(string $eventName, string $javascript): string;
+}

app/code/Magento/Csp/Helper/InlineUtil.php

@@ -0,0 +1,212 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Helper;
+
+use Magento\Csp\Api\InlineUtilInterface;
+use Magento\Csp\Model\Collector\DynamicCollector;
+use Magento\Csp\Model\Policy\FetchPolicy;
+
+/**
+ * Helper for classes responsible for rendering and templates.
+ *
+ * Allows to whitelist dynamic sources specific to a certain page.
+ */
+class InlineUtil implements InlineUtilInterface
+{
+    /**
+     * @var DynamicCollector
+     */
+    private $dynamicCollector;
+
+    /**
+     * @var bool
+     */
+    private $useUnsafeHashes;
+
+    private static $tagMeta = [
+        'script' => ['id' => 'script-src', 'remote' => ['src'], 'hash' => true],
+        'style' => ['id' => 'style-src', 'remote' => [], 'hash' => true],
+        'img' => ['id' => 'img-src', 'remote' => ['src']],
+        'audio' => ['id' => 'media-src', 'remote' => ['src']],
+        'video' => ['id' => 'media-src', 'remote' => ['src']],
+        'track' => ['id' => 'media-src', 'remote' => ['src']],
+        'source' => ['id' => 'media-src', 'remote' => ['src']],
+        'object' => ['id' => 'object-src', 'remote' => ['data', 'archive']],
+        'embed' => ['id' => 'object-src', 'remote' => ['src']],
+        'applet' => ['id' => 'object-src', 'remote' => ['code', 'archive']],
+        'link' => ['id' => 'style-src', 'remote' => ['href']],
+        'form' => ['id' => 'form-action', 'remote' => ['action']],
+        'iframe' => ['id' => 'frame-src', 'remote' => ['src']],
+        'frame' => ['id' => 'frame-src', 'remote' => ['src']]
+    ];
+
+    /**
+     * @param DynamicCollector $dynamicCollector
+     * @param bool $useUnsafeHashes Use 'unsafe-hashes' policy (not supported by CSP v2).
+     */
+    public function __construct(DynamicCollector $dynamicCollector, bool $useUnsafeHashes = false)
+    {
+        $this->dynamicCollector = $dynamicCollector;
+        $this->useUnsafeHashes = $useUnsafeHashes;
+    }
+
+    /**
+     * Generate fetch policy hash for some content.
+     *
+     * @param string $content
+     * @return array Hash data to insert into a FetchPolicy.
+     */
+    private function generateHashValue(string $content): array
+    {
+        return [base64_encode(hash('sha256', $content, true)) => 'sha256'];
+    }
+
+    /**
+     * Extract host for a fetch policy from a URL.
+     *
+     * @param string $url
+     * @return string|null Null is returned when URL does not point to a remote host.
+     */
+    private function extractHost(string $url): ?string
+    {
+        // phpcs:ignore Magento2.Functions.DiscouragedFunction
+        $urlData = parse_url($url);
+        if (!$urlData
+            || empty($urlData['scheme'])
+            || ($urlData['scheme'] !== 'http' && $urlData['scheme'] !== 'https')
+        ) {
+            return null;
+        }
+
+        return $urlData['scheme'] .'://' .$urlData['host'];
+    }
+
+    /**
+     * Extract remote hosts used to get fonts.
+     *
+     * @param string $styleContent
+     * @return string[]
+     */
+    private function extractRemoteFonts(string $styleContent): array
+    {
+        $urlsFound = [[]];
+        preg_match_all('/\@font\-face\s*?\{([^\}]*)[^\}]*?\}/im', $styleContent, $fontFaces);
+        foreach ($fontFaces[1] as $fontFaceContent) {
+            preg_match_all('/url\([\'\"]?(http(s)?\:[^\)]+)[\'\"]?\)/i', $fontFaceContent, $urls);
+            $urlsFound[] = $urls[1];
+        }
+
+        return array_map([$this, 'extractHost'], array_merge(...$urlsFound));
+    }
+
+    /**
+     * Extract remote hosts utilized.
+     *
+     * @param string $tag
+     * @param string[] $attributes
+     * @param string|null $content
+     * @return string[]
+     */
+    private function extractRemoteHosts(string $tag, array $attributes, ?string $content): array
+    {
+        /** @var string[] $remotes */
+        $remotes = [];
+        foreach (self::$tagMeta[$tag]['remote'] as $remoteAttr) {
+            if (!empty($attributes[$remoteAttr]) && $host = $this->extractHost($attributes[$remoteAttr])) {
+                $remotes[] = $host;
+                break;
+            }
+        }
+        if ($tag === 'style' && $content) {
+            $remotes += $this->extractRemoteFonts($content);
+        }
+
+        return $remotes;
+    }
+
+    /**
+     * Render tag.
+     *
+     * @param string $tag
+     * @param string[] $attributes
+     * @param string|null $content
+     * @return string
+     */
+    private function render(string $tag, array $attributes, ?string $content): string
+    {
+        $html = '<' .$tag;
+        foreach ($attributes as $attribute => $value) {
+            $html .= ' ' .$attribute .'="' .$value .'"';
+        }
+        if ($content) {
+            $html .= '>' .$content .'</' .$tag .'>';
+        } else {
+            $html .= ' />';
+        }
+
+        return $html;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function renderTag(string $tagName, array $attributes, ?string $content = null): string
+    {
+        //Processing tag data
+        if (!array_key_exists($tagName, self::$tagMeta)) {
+            throw new \InvalidArgumentException('Unknown source type - ' .$tagName);
+        }
+        /** @var string $policyId */
+        $policyId = self::$tagMeta[$tagName]['id'];
+        $remotes = $this->extractRemoteHosts($tagName, $attributes, $content);
+        if (empty($remotes) && !$content) {
+            throw new \InvalidArgumentException('Either remote URL or hashable content is required to whitelist');
+        }
+
+        //Adding required policies.
+        if ($remotes) {
+            $this->dynamicCollector->add(
+                new FetchPolicy($policyId, false, $remotes)
+            );
+        }
+        if ($content && !empty(self::$tagMeta[$tagName]['hash'])) {
+            $this->dynamicCollector->add(
+                new FetchPolicy($policyId, false, [], [], false, false, false, [], $this->generateHashValue($content))
+            );
+        }
+
+        return $this->render($tagName, $attributes, $content);
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function renderEventListener(string $eventName, string $javascript): string
+    {
+        if ($this->useUnsafeHashes) {
+            $policy = new FetchPolicy(
+                'script-src',
+                false,
+                [],
+                [],
+                false,
+                false,
+                false,
+                [],
+                $this->generateHashValue($javascript),
+                false,
+                true
+            );
+        } else {
+            $policy = new FetchPolicy('script-src', false, [], [], false, true);
+        }
+        $this->dynamicCollector->add($policy);
+
+        return $eventName .'="' .$javascript .'"';
+    }
+}

app/code/Magento/Csp/Model/Collector/ControllerCollector.php

@@ -0,0 +1,45 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Model\Collector;
+
+use Magento\Csp\Api\CspAwareActionInterface;
+use Magento\Csp\Api\PolicyCollectorInterface;
+
+/**
+ * Asks for route-specific policies from a compatible controller.
+ */
+class ControllerCollector implements PolicyCollectorInterface
+{
+    /**
+     * @var CspAwareActionInterface|null
+     */
+    private $controller;
+
+    /**
+     * Set the action interface that is responsible for processing current HTTP request.
+     *
+     * @param CspAwareActionInterface $cspAwareAction
+     * @return void
+     */
+    public function setCurrentActionInstance(CspAwareActionInterface $cspAwareAction): void
+    {
+        $this->controller = $cspAwareAction;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function collect(array $defaultPolicies = []): array
+    {
+        if ($this->controller) {
+            return $this->controller->modifyCsp($defaultPolicies);
+        }
+
+        return $defaultPolicies;
+    }
+}

app/code/Magento/Csp/Model/Collector/DynamicCollector.php

@@ -0,0 +1,41 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Model\Collector;
+
+use Magento\Csp\Api\Data\PolicyInterface;
+use Magento\Csp\Api\PolicyCollectorInterface;
+
+/**
+ * CSPs dynamically added during the rendering of current page (from .phtml templates for instance).
+ */
+class DynamicCollector implements PolicyCollectorInterface
+{
+    /**
+     * @var PolicyInterface[]
+     */
+    private $added = [];
+
+    /**
+     * Add a policy for current page.
+     *
+     * @param PolicyInterface $policy
+     * @return void
+     */
+    public function add(PolicyInterface $policy): void
+    {
+        $this->added[] = $policy;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function collect(array $defaultPolicies = []): array
+    {
+        return array_merge($defaultPolicies, $this->added);
+    }
+}