IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FEATURE: allow plugins and themes to extend the default CSP (#6704)

Browse Source 
* FEATURE: allow plugins and themes to extend the default CSP

For plugins:

```
extend_content_security_policy(
  script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'],
  style_src: ['https://domain.com/style.css']
)
```

For themes and components:

```
extend_content_security_policy:
  type: list
  default: "script_src:https://domain.com/|style_src:https://domain.com"
```

* clear CSP base url before each test

we have a test that stubs `Rails.env.development?` to true

* Only allow extending directives that core includes, for now
This commit is contained in:
Kyle Zhao
2018-11-30 09:51:45 -05:00
committed by GitHub
parent 7dec963f2e
commit 488fba3c5f
13 changed files with 384 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

109
lib/content_security_policy.rb
View File

@@ -1,107 +1,28 @@
# frozen_string_literal: true
require_dependency 'global_path'
require_dependency 'content_security_policy/builder'
require_dependency 'content_security_policy/extension'
class ContentSecurityPolicy
include GlobalPath
class Middleware
def initialize(app)
@app = app
class << self
def policy
new.build
end
def call(env)
request = Rack::Request.new(env)
_, headers, _ = response = @app.call(env)
return response unless html_response?(headers) && ContentSecurityPolicy.enabled?
policy = ContentSecurityPolicy.new(request).build
headers['Content-Security-Policy'] = policy if SiteSetting.content_security_policy
headers['Content-Security-Policy-Report-Only'] = policy if SiteSetting.content_security_policy_report_only
response
def base_url
@base_url || Discourse.base_url
end
private
def html_response?(headers)
headers['Content-Type'] && headers['Content-Type'] =~ /html/
end
end
def self.enabled?
SiteSetting.content_security_policy || SiteSetting.content_security_policy_report_only
end
def initialize(request = nil)
@request = request
@directives = {
script_src: script_src,
worker_src: [:self, :blob],
}
@directives[:report_uri] = path('/csp_reports') if SiteSetting.content_security_policy_collect_reports
attr_writer :base_url
end
def build
policy = ActionDispatch::ContentSecurityPolicy.new
builder = Builder.new
@directives.each do |directive, sources|
if sources.is_a?(Array)
policy.public_send(directive, *sources)
else
policy.public_send(directive, sources)
end
end
Extension.theme_extensions.each { |extension| builder << extension }
Extension.plugin_extensions.each { |extension| builder << extension }
builder << Extension.site_setting_extension
policy.build
end
private
attr_reader :request
SCRIPT_ASSET_DIRECTORIES = [
# [dir, can_use_s3_cdn, can_use_cdn]
['/assets/', true, true],
['/brotli_asset/', true, true],
['/extra-locales/', false, false],
['/highlight-js/', false, true],
['/javascripts/', false, true],
['/plugins/', false, true],
['/theme-javascripts/', false, true],
['/svg-sprite/', false, true],
]
def script_assets(base = base_url, s3_cdn = GlobalSetting.s3_cdn_url, cdn = GlobalSetting.cdn_url)
SCRIPT_ASSET_DIRECTORIES.map do |dir, can_use_s3_cdn, can_use_cdn|
if can_use_s3_cdn && s3_cdn
s3_cdn + dir
elsif can_use_cdn && cdn
cdn + dir
else
base + dir
end
end
end
def script_src
sources = [
:unsafe_eval,
"#{base_url}/logs/",
"#{base_url}/sidekiq/",
"#{base_url}/mini-profiler-resources/",
]
sources.concat(script_assets)
sources << 'https://www.google-analytics.com' if SiteSetting.ga_universal_tracking_code.present?
sources << 'https://www.googletagmanager.com' if SiteSetting.gtm_container_id.present?
sources.concat(SiteSetting.content_security_policy_script_src.split('|'))
end
def base_url
@base_url ||= Rails.env.development? ? request.host_with_port : Discourse.base_url
builder.build
end
end
CSP = ContentSecurityPolicy

78
lib/content_security_policy/builder.rb Normal file
View File

@@ -0,0 +1,78 @@
# frozen_string_literal: true
require_dependency 'content_security_policy/default'
class ContentSecurityPolicy
class Builder
EXTENDABLE_DIRECTIVES = %i[
script_src
worker_src
].freeze
# Make extending these directives no-op, until core includes them in default CSP
TO_BE_EXTENDABLE = %i[
base_uri
connect_src
default_src
font_src
form_action
frame_ancestors
frame_src
img_src
manifest_src
media_src
object_src
prefetch_src
style_src
].freeze
def initialize
@directives = Default.new.directives
end
def <<(extension)
return unless valid_extension?(extension)
extension.each { |directive, sources| extend_directive(normalize(directive), sources) }
end
def build
policy = ActionDispatch::ContentSecurityPolicy.new
@directives.each do |directive, sources|
if sources.is_a?(Array)
policy.public_send(directive, *sources)
else
policy.public_send(directive, sources)
end
end
policy.build
end
private
def normalize(directive)
directive.to_s.gsub('-', '_').to_sym
end
def extend_directive(directive, sources)
return unless extendable?(directive)
@directives[directive] ||= []
if sources.is_a?(Array)
@directives[directive].concat(sources)
else
@directives[directive] << sources
end
end
def extendable?(directive)
EXTENDABLE_DIRECTIVES.include?(directive)
end
def valid_extension?(extension)
extension.is_a?(Hash)
end
end
end

68
lib/content_security_policy/default.rb Normal file
View File

@@ -0,0 +1,68 @@
# frozen_string_literal: true
require_dependency 'content_security_policy'
class ContentSecurityPolicy
class Default
attr_reader :directives
def initialize
@directives = {}.tap do |directives|
directives[:script_src] = script_src
directives[:worker_src] = worker_src
directives[:report_uri] = report_uri if SiteSetting.content_security_policy_collect_reports
end
end
private
delegate :base_url, to: :ContentSecurityPolicy
SCRIPT_ASSET_DIRECTORIES = [
# [dir, can_use_s3_cdn, can_use_cdn]
['/assets/', true, true],
['/brotli_asset/', true, true],
['/extra-locales/', false, false],
['/highlight-js/', false, true],
['/javascripts/', false, true],
['/plugins/', false, true],
['/theme-javascripts/', false, true],
['/svg-sprite/', false, true],
]
def script_assets(base = base_url, s3_cdn = GlobalSetting.s3_cdn_url, cdn = GlobalSetting.cdn_url)
SCRIPT_ASSET_DIRECTORIES.map do |dir, can_use_s3_cdn, can_use_cdn|
if can_use_s3_cdn && s3_cdn
s3_cdn + dir
elsif can_use_cdn && cdn
cdn + dir
else
base + dir
end
end
end
def script_src
[
:unsafe_eval,
"#{base_url}/logs/",
"#{base_url}/sidekiq/",
"#{base_url}/mini-profiler-resources/",
*script_assets
].tap do |sources|
sources << 'https://www.google-analytics.com' if SiteSetting.ga_universal_tracking_code.present?
sources << 'https://www.googletagmanager.com' if SiteSetting.gtm_container_id.present?
end
end
def worker_src
[
:self,
:blob, # ACE editor registers a service worker with a blob for syntax checking
]
end
def report_uri
"#{base_url}/csp_reports"
end
end
end

57
lib/content_security_policy/extension.rb Normal file
View File

@@ -0,0 +1,57 @@
# frozen_string_literal: true
class ContentSecurityPolicy
module Extension
extend self
def site_setting_extension
{ script_src: SiteSetting.content_security_policy_script_src.split('|') }
end
def plugin_extensions
[].tap do |extensions|
Discourse.plugins.each do |plugin|
extensions.concat(plugin.csp_extensions) if plugin.enabled?
end
end
end
THEME_SETTING = 'extend_content_security_policy'
def theme_extensions
cache['theme_extensions'] ||= find_theme_extensions
end
def clear_theme_extensions_cache!
cache['theme_extensions'] = nil
end
private
def cache
@cache ||= DistributedCache.new('csp_extensions')
end
def find_theme_extensions
extensions = []
Theme.find_each do |theme|
theme.cached_settings.each do |setting, value|
extensions << build_theme_extension(value) if setting.to_s == THEME_SETTING
end
end
extensions
end
def build_theme_extension(raw)
{}.tap do |extension|
raw.split('|').each do |entry|
directive, source = entry.split(':', 2).map(&:strip)
extension[directive] ||= []
extension[directive] << source
end
end
end
end
end

32
lib/content_security_policy/middleware.rb Normal file
View File

@@ -0,0 +1,32 @@
# frozen_string_literal: true
require_dependency 'content_security_policy'
class ContentSecurityPolicy
class Middleware
def initialize(app)
@app = app
end
def call(env)
request = Rack::Request.new(env)
_, headers, _ = response = @app.call(env)
return response unless html_response?(headers)
ContentSecurityPolicy.base_url = request.host_with_port if Rails.env.development?
headers['Content-Security-Policy'] = policy if SiteSetting.content_security_policy
headers['Content-Security-Policy-Report-Only'] = policy if SiteSetting.content_security_policy_report_only
response
end
private
delegate :policy, to: :ContentSecurityPolicy
def html_response?(headers)
headers['Content-Type'] && headers['Content-Type'] =~ /html/
end
end
end

8
lib/plugin/instance.rb
View File

@@ -32,7 +32,9 @@ class Plugin::Instance
:locales,
:service_workers,
:styles,
:themes].each do |att|
:themes,
:csp_extensions,
].each do |att|
class_eval %Q{
def #{att}
@#{att} ||= []
@@ -361,6 +363,10 @@ class Plugin::Instance
DiscoursePluginRegistry.register_svg_icon(icon)
end
def extend_content_security_policy(extension)
csp_extensions << extension
end
# @option opts [String] :name
# @option opts [String] :nativeName
# @option opts [String] :fallbackLocale