MC-19927: Implement hash-whitelisting, dynamic CSP

Author: Oleksandr Gorkun

app/code/Magento/Csp/Helper/InlineUtil.php

@@ -75,9 +75,9 @@ private function generateHashValue(string $content): array
      */
     private function extractHost(string $url): ?string
     {
+        // phpcs:ignore Magento2.Functions.DiscouragedFunction
         $urlData = parse_url($url);
-        if (
-            !$urlData
+        if (!$urlData
             || empty($urlData['scheme'])
             || ($urlData['scheme'] !== 'http' && $urlData['scheme'] !== 'https')
         ) {
@@ -106,31 +106,69 @@ private function extractRemoteFonts(string $styleContent): array
     }
 
     /**
-     * @inheritDoc
+     * Extract remote hosts utilized.
+     *
+     * @param string $tag
+     * @param string|null $content
+     * @return string[]
      */
-    public function renderTag(string $tagName, array $attributes, ?string $content = null): string
+    private function extractRemoteHosts(string $tag, ?string $content): array
     {
-        if (!array_key_exists($tagName, self::$tagMeta)) {
-            throw new \InvalidArgumentException('Unknown source type - ' .$tagName);
-        }
         /** @var string[] $remotes */
         $remotes = [];
-        foreach (self::$tagMeta[$tagName]['remote'] as $remoteAttr) {
+        foreach (self::$tagMeta[$tag]['remote'] as $remoteAttr) {
             if (!empty($attributes[$remoteAttr]) && $host = $this->extractHost($attributes[$remoteAttr])) {
                 $remotes[] = $host;
                 break;
             }
         }
-        /** @var string $policyId */
-        $policyId = self::$tagMeta[$tagName]['id'];
-        if ($tagName === 'style' && $content) {
+        if ($tag === 'style' && $content) {
             $remotes += $this->extractRemoteFonts($content);
         }
 
+        return $remotes;
+    }
+
+    /**
+     * Render tag.
+     *
+     * @param string $tag
+     * @param string[] $attributes
+     * @param string|null $content
+     * @return string
+     */
+    private function render(string $tag, array $attributes, ?string $content): string
+    {
+        $html = '<' .$tag;
+        foreach ($attributes as $attribute => $value) {
+            $html .= ' ' .$attribute .'="' .$value .'"';
+        }
+        if ($content) {
+            $html .= '>' .$content .'</' .$tag .'>';
+        } else {
+            $html .= ' />';
+        }
+
+        return $html;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function renderTag(string $tagName, array $attributes, ?string $content = null): string
+    {
+        //Processing tag data
+        if (!array_key_exists($tagName, self::$tagMeta)) {
+            throw new \InvalidArgumentException('Unknown source type - ' .$tagName);
+        }
+        /** @var string $policyId */
+        $policyId = self::$tagMeta[$tagName]['id'];
+        $remotes = $this->extractRemoteHosts($tagName, $content);
         if (empty($remotes) && !$content) {
             throw new \InvalidArgumentException('Either remote URL or hashable content is required to whitelist');
         }
 
+        //Adding required policies.
         if ($remotes) {
             $this->dynamicCollector->add(
                 new FetchPolicy($policyId, false, $remotes)
@@ -142,17 +180,8 @@ public function renderTag(string $tagName, array $attributes, ?string $content =
             );
         }
 
-        $html = '<' .$tagName;
-        foreach ($attributes as $attribute => $value) {
-            $html .= ' ' .$attribute .'="' .$value .'"';
-        }
-        if ($content) {
-            $html .= '>' .$content .'</' .$tagName .'>';
-        } else {
-            $html .= ' />';
-        }
 
-        return $html;
+        return $this->render($tagName, $attributes, $content);
     }
 
     /**

app/code/Magento/Csp/Plugin/CspAwareControllerPlugin.php

@@ -36,6 +36,7 @@ public function __construct(ControllerCollector $collector)
      * @param RouterInterface $router
      * @param ActionInterface|null $matched
      * @return ActionInterface|null
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
     public function afterMatch(RouterInterface $router, ?ActionInterface $matched): ?ActionInterface
     {

app/code/Magento/Csp/Plugin/PhtmlRenderingPlugin.php renamed to app/code/Magento/Csp/Plugin/TemplateRenderingPlugin.php

@@ -12,9 +12,9 @@
 use Magento\Framework\View\TemplateEngine\Php;
 
 /**
- * Plugin that adds CSP utility to .phtml templates context.
+ * Plugin that adds CSP utility to templates context.
  */
-class PhtmlRenderingPlugin
+class TemplateRenderingPlugin
 {
     /**
      * @var InlineUtilInterface
@@ -37,6 +37,7 @@ public function __construct(InlineUtilInterface $util)
      * @param string $fileName
      * @param array $dictionary
      * @return array
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
     public function beforeRender(Php $renderer, BlockInterface $block, $fileName, array $dictionary): array
     {

app/code/Magento/Csp/etc/di.xml

@@ -50,7 +50,7 @@
         </arguments>
     </type>
     <type name="Magento\Framework\View\TemplateEngine\Php">
-        <plugin name="csp_helper_plugin" type="Magento\Csp\Plugin\PhtmlRenderingPlugin" />
+        <plugin name="csp_helper_plugin" type="Magento\Csp\Plugin\TemplateRenderingPlugin" />
     </type>
     <type name="Magento\Framework\App\RouterInterface">
         <plugin name="csp_aware_plugin" type="Magento\Csp\Plugin\CspAwareControllerPlugin" />

dev/tests/integration/_files/Magento/TestModuleCspUtil/Controller/Csp/Aware.php

@@ -32,7 +32,9 @@ public function modifyCsp(array $appliedPolicies): array
     {
         $policies = [];
         foreach ($appliedPolicies as $policy) {
-            if ($policy instanceof FetchPolicy && in_array('http://controller.magento.com', $policy->getHostSources(), true)) {
+            if ($policy instanceof FetchPolicy
+                && in_array('http://controller.magento.com', $policy->getHostSources(), true)
+            ) {
                 $policies[] = new FetchPolicy(
                     'script-src',
                     false,

dev/tests/integration/_files/Magento/TestModuleCspUtil/view/frontend/templates/helper.phtml

@@ -1,7 +1,12 @@
 <?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
 /** @var \Magento\Csp\Api\InlineUtilInterface $csp */
 ?>
 <h1>Hello there!</h1>
-<?= $csp->renderTag('script', ['src' => 'http://my.magento.com/static/script.js']); ?>
-<?= $csp->renderTag('script', [], "\n    let myVar = 1;\n") ?>
+<?= /* @noEscape */ $csp->renderTag('script', ['src' => 'http://my.magento.com/static/script.js']); ?>
+<?= /* @noEscape */ $csp->renderTag('script', [], "\n    let myVar = 1;\n") ?>
 

dev/tests/integration/testsuite/Magento/Csp/Helper/InlineUtilTest.php

@@ -70,6 +70,7 @@ public function testRenderTag(
      * Test data for tag rendering test.
      *
      * @return array
+     * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
      */
     public function getTags(): array
     {