github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-02 04:08:41 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

DEV: remove legacy CSP implementation to make strict-dynamic only accepted behaviour (#27486)

Browse Source 
* DEV: remove legacy CSP implementation that allowed for non-strict-dynamic behaviour
This commit is contained in:
Kelv
2024-06-18 16:40:53 +08:00
committed by GitHub
parent b9eb746eea
commit 2393234be5
8 changed files with 9 additions and 382 deletions
Download Patch File Download Diff File Expand all files Collapse all files

279
spec/lib/content_security_policy_spec.rb
View File

@ -40,153 +40,6 @@ RSpec.describe ContentSecurityPolicy do
end
end
describe "legacy worker-src" do
before { SiteSetting.content_security_policy_strict_dynamic = false }
it "has expected values" do
worker_srcs = parse(policy)["worker-src"]
expect(worker_srcs).to eq(
%w[
'self'
http://test.localhost/assets/
http://test.localhost/javascripts/
http://test.localhost/plugins/
],
)
end
end
describe "legacy script-src" do
before { SiteSetting.content_security_policy_strict_dynamic = false }
it "always has self, logster, sidekiq, and assets" do
script_srcs = parse(policy)["script-src"]
expect(script_srcs).to include(
*%w[
http://test.localhost/logs/
http://test.localhost/sidekiq/
http://test.localhost/mini-profiler-resources/
http://test.localhost/assets/
http://test.localhost/extra-locales/
http://test.localhost/highlight-js/
http://test.localhost/javascripts/
http://test.localhost/plugins/
http://test.localhost/theme-javascripts/
http://test.localhost/svg-sprite/
],
)
end
it 'includes "report-sample" when report collection is enabled' do
SiteSetting.content_security_policy_collect_reports = true
script_srcs = parse(policy)["script-src"]
expect(script_srcs).to include("'report-sample'")
end
context "for Google Analytics" do
before { SiteSetting.ga_universal_tracking_code = "UA-12345678-9" }
it "allowlists Google Analytics v3 when integrated" do
SiteSetting.ga_version = "v3_analytics"
script_srcs = parse(policy)["script-src"]
expect(script_srcs).to include("https://www.google-analytics.com/analytics.js")
expect(script_srcs).not_to include("https://www.googletagmanager.com/gtag/js")
end
it "allowlists Google Analytics v4 when integrated" do
SiteSetting.ga_version = "v4_gtag"
script_srcs = parse(policy)["script-src"]
expect(script_srcs).to include("https://www.google-analytics.com/analytics.js")
expect(script_srcs).to include("https://www.googletagmanager.com/gtag/js")
end
end
it "allowlists Google Tag Manager when integrated" do
SiteSetting.gtm_container_id = "GTM-ABCDEF"
script_srcs = parse(policy)["script-src"]
expect(script_srcs).to include("https://www.googletagmanager.com/gtm.js")
# nonce is added by the GtmScriptNonceInjector middleware to prevent the
# nonce from getting cached by AnonymousCache
expect(script_srcs.to_s).not_to include("nonce-")
end
it "allowlists CDN assets when integrated" do
set_cdn_url("https://cdn.com")
script_srcs = parse(policy)["script-src"]
expect(script_srcs).to include(
*%w[
https://cdn.com/assets/
https://cdn.com/highlight-js/
https://cdn.com/javascripts/
https://cdn.com/plugins/
https://cdn.com/theme-javascripts/
http://test.localhost/extra-locales/
],
)
global_setting(:s3_cdn_url, "https://s3-cdn.com")
script_srcs = parse(policy)["script-src"]
expect(script_srcs).to include(
*%w[
https://s3-cdn.com/assets/
https://cdn.com/highlight-js/
https://cdn.com/javascripts/
https://cdn.com/plugins/
https://cdn.com/theme-javascripts/
http://test.localhost/extra-locales/
],
)
global_setting(:s3_asset_cdn_url, "https://s3-asset-cdn.com")
script_srcs = parse(policy)["script-src"]
expect(script_srcs).to include(
*%w[
https://s3-asset-cdn.com/assets/
https://cdn.com/highlight-js/
https://cdn.com/javascripts/
https://cdn.com/plugins/
https://cdn.com/theme-javascripts/
http://test.localhost/extra-locales/
],
)
end
it "adds subfolder to CDN assets" do
set_cdn_url("https://cdn.com")
set_subfolder("/forum")
script_srcs = parse(policy)["script-src"]
expect(script_srcs).to include(
*%w[
https://cdn.com/forum/assets/
https://cdn.com/forum/highlight-js/
https://cdn.com/forum/javascripts/
https://cdn.com/forum/plugins/
https://cdn.com/forum/theme-javascripts/
http://test.localhost/forum/extra-locales/
],
)
global_setting(:s3_cdn_url, "https://s3-cdn.com")
script_srcs = parse(policy)["script-src"]
expect(script_srcs).to include(
*%w[
https://s3-cdn.com/assets/
https://cdn.com/forum/highlight-js/
https://cdn.com/forum/javascripts/
https://cdn.com/forum/plugins/
https://cdn.com/forum/theme-javascripts/
http://test.localhost/forum/extra-locales/
],
)
end
end
describe "strict-dynamic script-src and worker-src" do
it "includes strict-dynamic keyword" do
script_srcs = parse(policy)["script-src"]
@ -197,6 +50,12 @@ RSpec.describe ContentSecurityPolicy do
worker_src = parse(policy)["worker-src"]
expect(worker_src).to eq(nil)
end
it 'includes "report-sample" when report collection is enabled' do
SiteSetting.content_security_policy_collect_reports = true
script_srcs = parse(policy)["script-src"]
expect(script_srcs).to include("'report-sample'")
end
end
describe "manifest-src" do
@ -245,30 +104,6 @@ RSpec.describe ContentSecurityPolicy do
end
end
it "can extend script-src, object-src, manifest-src - legacy" do
SiteSetting.content_security_policy_strict_dynamic = false
plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
plugin.activate!
Discourse.plugins << plugin
plugin.enabled = true
expect(parse(policy)["script-src"]).to include("https://from-plugin.com")
expect(parse(policy)["script-src"]).to include("http://test.localhost/local/path")
expect(parse(policy)["object-src"]).to include("https://test-stripping.com")
expect(parse(policy)["object-src"]).to_not include("'none'")
expect(parse(policy)["manifest-src"]).to include("'self'")
expect(parse(policy)["manifest-src"]).to include("https://manifest-src.com")
plugin.enabled = false
expect(parse(policy)["script-src"]).to_not include("https://from-plugin.com")
expect(parse(policy)["manifest-src"]).to_not include("https://manifest-src.com")
Discourse.plugins.delete plugin
DiscoursePluginRegistry.reset!
end
it "can extend frame_ancestors" do
SiteSetting.content_security_policy_frame_ancestors = true
plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
@ -288,108 +123,6 @@ RSpec.describe ContentSecurityPolicy do
end
end
context "with a theme - legacy" do
before { SiteSetting.content_security_policy_strict_dynamic = false }
let!(:theme) do
Fabricate(:theme).tap do |t|
settings = <<~YML
extend_content_security_policy:
type: list
default: 'script-src: from-theme.com'
YML
t.set_field(target: :settings, name: :yaml, value: settings)
t.save!
end
end
def theme_policy
policy(theme.id)
end
it "can be extended by themes" do
policy # call this first to make sure further actions clear the cache
expect(parse(policy)["script-src"]).not_to include("from-theme.com")
expect(parse(theme_policy)["script-src"]).to include("from-theme.com")
theme.update_setting(
:extend_content_security_policy,
"script-src: https://from-theme.net|worker-src: from-theme.com",
)
theme.save!
expect(parse(theme_policy)["script-src"]).to_not include("from-theme.com")
expect(parse(theme_policy)["script-src"]).to include("https://from-theme.net")
expect(parse(theme_policy)["worker-src"]).to include("from-theme.com")
theme.destroy!
expect(parse(theme_policy)["script-src"]).to_not include("https://from-theme.net")
expect(parse(theme_policy)["worker-src"]).to_not include("from-theme.com")
end
it "can be extended by theme modifiers" do
policy # call this first to make sure further actions clear the cache
theme.theme_modifier_set.csp_extensions = [
"script-src: https://from-theme-flag.script",
"worker-src: from-theme-flag.worker",
]
theme.save!
child_theme = Fabricate(:theme, component: true)
theme.add_relative_theme!(:child, child_theme)
child_theme.theme_modifier_set.csp_extensions = [
"script-src: https://child-theme-flag.script",
"worker-src: child-theme-flag.worker",
]
child_theme.save!
expect(parse(theme_policy)["script-src"]).to include("https://from-theme-flag.script")
expect(parse(theme_policy)["script-src"]).to include("https://child-theme-flag.script")
expect(parse(theme_policy)["worker-src"]).to include("from-theme-flag.worker")
expect(parse(theme_policy)["worker-src"]).to include("child-theme-flag.worker")
theme.destroy!
child_theme.destroy!
expect(parse(theme_policy)["script-src"]).to_not include("https://from-theme-flag.script")
expect(parse(theme_policy)["worker-src"]).to_not include("from-theme-flag.worker")
expect(parse(theme_policy)["worker-src"]).to_not include("from-theme-flag.worker")
expect(parse(theme_policy)["worker-src"]).to_not include("child-theme-flag.worker")
end
it "is extended automatically when themes reference external scripts" do
policy # call this first to make sure further actions clear the cache
theme.set_field(target: :common, name: "header", value: <<~HTML)
<script src='https://example.com/myscript.js'></script>
<script src='https://example.com/myscript2.js?with=query'></script>
<script src='//example2.com/protocol-less-script.js'></script>
<script src='domain-only.com'></script>
<script>console.log('inline script')</script>
HTML
theme.set_field(target: :desktop, name: "header", value: "")
theme.save!
expect(parse(theme_policy)["script-src"]).to include("https://example.com/myscript.js")
expect(parse(theme_policy)["script-src"]).to include("https://example.com/myscript2.js")
expect(parse(theme_policy)["script-src"]).not_to include("?")
expect(parse(theme_policy)["script-src"]).to include("example2.com/protocol-less-script.js")
expect(parse(theme_policy)["script-src"]).not_to include("domain-only.com")
expect(parse(theme_policy)["script-src"]).not_to include(
a_string_matching %r{^/theme-javascripts}
)
theme.destroy!
expect(parse(theme_policy)["script-src"]).to_not include("https://example.com/myscript.js")
end
end
it "can be extended by site setting" do
SiteSetting.content_security_policy_script_src = "'unsafe-eval'"