ContentSecurityPolicyManagerTest.php 5.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors
  5. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  6. * SPDX-License-Identifier: AGPL-3.0-only
  7. */
  8. namespace Test\Security\CSP;
  9. use OC\Security\CSP\ContentSecurityPolicyManager;
  10. use OCP\EventDispatcher\IEventDispatcher;
  11. use OCP\Security\CSP\AddContentSecurityPolicyEvent;
  12. use Test\TestCase;
  13. class ContentSecurityPolicyManagerTest extends TestCase {
  14. /** @var IEventDispatcher */
  15. private $dispatcher;
  16. /** @var ContentSecurityPolicyManager */
  17. private $contentSecurityPolicyManager;
  18. protected function setUp(): void {
  19. parent::setUp();
  20. $this->dispatcher = \OC::$server->query(IEventDispatcher::class);
  21. $this->contentSecurityPolicyManager = new ContentSecurityPolicyManager($this->dispatcher);
  22. }
  23. public function testAddDefaultPolicy() {
  24. $this->contentSecurityPolicyManager->addDefaultPolicy(new \OCP\AppFramework\Http\ContentSecurityPolicy());
  25. $this->addToAssertionCount(1);
  26. }
  27. public function testGetDefaultPolicyWithPolicies() {
  28. $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
  29. $policy->addAllowedFontDomain('mydomain.com');
  30. $policy->addAllowedImageDomain('anotherdomain.de');
  31. $this->contentSecurityPolicyManager->addDefaultPolicy($policy);
  32. $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
  33. $policy->addAllowedFontDomain('example.com');
  34. $policy->addAllowedImageDomain('example.org');
  35. $policy->allowEvalScript(true);
  36. $this->contentSecurityPolicyManager->addDefaultPolicy($policy);
  37. $policy = new \OCP\AppFramework\Http\EmptyContentSecurityPolicy();
  38. $policy->addAllowedChildSrcDomain('childdomain');
  39. $policy->addAllowedFontDomain('anotherFontDomain');
  40. $policy->addAllowedFormActionDomain('thirdDomain');
  41. $this->contentSecurityPolicyManager->addDefaultPolicy($policy);
  42. $expected = new \OC\Security\CSP\ContentSecurityPolicy();
  43. $expected->allowEvalScript(true);
  44. $expected->addAllowedFontDomain('mydomain.com');
  45. $expected->addAllowedFontDomain('example.com');
  46. $expected->addAllowedFontDomain('anotherFontDomain');
  47. $expected->addAllowedFormActionDomain('thirdDomain');
  48. $expected->addAllowedImageDomain('anotherdomain.de');
  49. $expected->addAllowedImageDomain('example.org');
  50. $expected->addAllowedChildSrcDomain('childdomain');
  51. $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain";
  52. $this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy());
  53. $this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy());
  54. }
  55. public function testGetDefaultPolicyWithPoliciesViaEvent() {
  56. $this->dispatcher->addListener(AddContentSecurityPolicyEvent::class, function (AddContentSecurityPolicyEvent $e) {
  57. $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
  58. $policy->addAllowedFontDomain('mydomain.com');
  59. $policy->addAllowedImageDomain('anotherdomain.de');
  60. $policy->useStrictDynamic(true);
  61. $policy->allowEvalScript(true);
  62. $e->addPolicy($policy);
  63. });
  64. $this->dispatcher->addListener(AddContentSecurityPolicyEvent::class, function (AddContentSecurityPolicyEvent $e) {
  65. $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
  66. $policy->addAllowedFontDomain('example.com');
  67. $policy->addAllowedImageDomain('example.org');
  68. $policy->allowEvalScript(false);
  69. $e->addPolicy($policy);
  70. });
  71. $this->dispatcher->addListener(AddContentSecurityPolicyEvent::class, function (AddContentSecurityPolicyEvent $e) {
  72. $policy = new \OCP\AppFramework\Http\EmptyContentSecurityPolicy();
  73. $policy->addAllowedChildSrcDomain('childdomain');
  74. $policy->addAllowedFontDomain('anotherFontDomain');
  75. $policy->addAllowedFormActionDomain('thirdDomain');
  76. $e->addPolicy($policy);
  77. });
  78. $expected = new \OC\Security\CSP\ContentSecurityPolicy();
  79. $expected->allowEvalScript(true);
  80. $expected->addAllowedFontDomain('mydomain.com');
  81. $expected->addAllowedFontDomain('example.com');
  82. $expected->addAllowedFontDomain('anotherFontDomain');
  83. $expected->addAllowedImageDomain('anotherdomain.de');
  84. $expected->addAllowedImageDomain('example.org');
  85. $expected->addAllowedChildSrcDomain('childdomain');
  86. $expected->addAllowedFormActionDomain('thirdDomain');
  87. $expected->useStrictDynamic(true);
  88. $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain";
  89. $this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy());
  90. $this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy());
  91. }
  92. }