nextcloud_server/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php

<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */
namespace OC\Security\CSP;

use OC\AppFramework\Http\Request;
use OC\Security\CSRF\CsrfTokenManager;
use OCP\IRequest;

/**
 * @package OC\Security\CSP
 */
class ContentSecurityPolicyNonceManager {
	private string $nonce = '';

	public function __construct(
		private CsrfTokenManager $csrfTokenManager,
		private IRequest $request,
	) {
	}

	/**
	 * Returns the current CSP nonce
	 */
	public function getNonce(): string {
		if ($this->nonce === '') {
			if (empty($this->request->server['CSP_NONCE'])) {
				// Get the token from the CSRF token, we only use the "shared secret" part
				// as the first part does not add any security / entropy to the token
				// so it can be ignored to keep the nonce short while keeping the same randomness
				$csrfSecret = explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue()));
				$this->nonce = end($csrfSecret);
			} else {
				$this->nonce = $this->request->server['CSP_NONCE'];
			}
		}

		return $this->nonce;
	}

	/**
	 * Check if the browser supports CSP v3
	 */
	public function browserSupportsCspV3(): bool {
		$browserBlocklist = [
			Request::USER_AGENT_IE,
		];

		if ($this->request->isUserAgent($browserBlocklist)) {
			return false;
		}

		return true;
	}
}
Add ContentSecurityPolicyNonceManager Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2016-10-24 16:31:06 +02:00			`<?php`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 19:57:53 +01:00
Make OC\Security\CSP strict Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-03-05 15:27:05 +01:00			`declare(strict_types=1);`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 19:57:53 +01:00
Add ContentSecurityPolicyNonceManager Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2016-10-24 16:31:06 +02:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-23 09:26:56 +02:00			`* SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-License-Identifier: AGPL-3.0-or-later`
Add ContentSecurityPolicyNonceManager Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2016-10-24 16:31:06 +02:00			`*/`
			`namespace OC\Security\CSP;`

Identify Chromium as Chrome Signed-off-by: Joas Schilling <coding@schilljs.com> 2016-10-26 12:07:10 +02:00			`use OC\AppFramework\Http\Request;`
Add ContentSecurityPolicyNonceManager Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2016-10-24 16:31:06 +02:00			`use OC\Security\CSRF\CsrfTokenManager;`
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2016-10-25 21:36:17 +02:00			`use OCP\IRequest;`
Add ContentSecurityPolicyNonceManager Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2016-10-24 16:31:06 +02:00
			`/**`
			`* @package OC\Security\CSP`
			`*/`
			`class ContentSecurityPolicyNonceManager {`
Refactors lib/private/Security. Mainly using PHP8's constructor property promotion. Signed-off-by: Faraz Samapoor <fsa@adlas.at> 2023-06-26 13:28:09 +03:30			`private string $nonce = '';`
Add ContentSecurityPolicyNonceManager Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2016-10-24 16:31:06 +02:00
Refactors lib/private/Security. Mainly using PHP8's constructor property promotion. Signed-off-by: Faraz Samapoor <fsa@adlas.at> 2023-06-26 13:28:09 +03:30			`public function __construct(`
			`private CsrfTokenManager $csrfTokenManager,`
			`private IRequest $request,`
			`) {`
Add ContentSecurityPolicyNonceManager Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2016-10-24 16:31:06 +02:00			`}`

			`/**`
Refactors lib/private/Security. Mainly using PHP8's constructor property promotion. Signed-off-by: Faraz Samapoor <fsa@adlas.at> 2023-06-26 13:28:09 +03:30			`* Returns the current CSP nonce`
Add ContentSecurityPolicyNonceManager Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2016-10-24 16:31:06 +02:00			`*/`
Make OC\Security\CSP strict Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-03-05 15:27:05 +01:00			`public function getNonce(): string {`
Add ContentSecurityPolicyNonceManager Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2016-10-24 16:31:06 +02:00			`if ($this->nonce === '') {`
Add support for CSP_NONCE server variable Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server. Signed-off-by: Sam Bull <git@sambull.org> Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-07-08 20:54:45 +01:00			`if (empty($this->request->server['CSP_NONCE'])) {`
fix: Make sure CSP nonce is not double base64 encoded Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2024-08-01 23:06:23 +02:00			`// Get the token from the CSRF token, we only use the "shared secret" part`
			`// as the first part does not add any security / entropy to the token`
			`// so it can be ignored to keep the nonce short while keeping the same randomness`
feat: Provide CSP nonce as `<meta>` element This way we use the CSP nonce for dynamically loaded scripts. Important to notice: The CSP nonce must NOT be injected in `content` as this can lead to value exfiltration using e.g. side-channel attacts (CSS selectors). Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2024-08-01 23:06:55 +02:00			`$csrfSecret = explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue()));`
			`$this->nonce = end($csrfSecret);`
Add support for CSP_NONCE server variable Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server. Signed-off-by: Sam Bull <git@sambull.org> Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-07-08 20:54:45 +01:00			`} else {`
			`$this->nonce = $this->request->server['CSP_NONCE'];`
			`}`
Add ContentSecurityPolicyNonceManager Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2016-10-24 16:31:06 +02:00			`}`

			`return $this->nonce;`
			`}`
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2016-10-25 21:36:17 +02:00
			`/**`
			`* Check if the browser supports CSP v3`
			`*/`
Make OC\Security\CSP strict Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-03-05 15:27:05 +01:00			`public function browserSupportsCspV3(): bool {`
fix(CSP): Add CSP nonce by default and convert `browserSupportsCspV3` to blocklist Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2024-03-22 16:03:29 +01:00			`$browserBlocklist = [`
			`Request::USER_AGENT_IE,`
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2016-10-25 21:36:17 +02:00			`];`

fix(CSP): Add CSP nonce by default and convert `browserSupportsCspV3` to blocklist Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2024-03-22 16:03:29 +01:00			`if ($this->request->isUserAgent($browserBlocklist)) {`
			`return false;`
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2016-10-25 21:36:17 +02:00			`}`

fix(CSP): Add CSP nonce by default and convert `browserSupportsCspV3` to blocklist Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2024-03-22 16:03:29 +01:00			`return true;`
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2016-10-25 21:36:17 +02:00			`}`
Add ContentSecurityPolicyNonceManager Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2016-10-24 16:31:06 +02:00			`}`
No results found.