Merge pull request #8826 from magento-cia/AC-10685-final

AC-10685: [PCI] CSP enforced on payment pages

Author: nathanjosiah

app/code/Magento/AdminAnalytics/ViewModel/Metadata.php

@@ -9,7 +9,9 @@
 namespace Magento\AdminAnalytics\ViewModel;
 
 use Magento\Config\Model\Config\Backend\Admin\Custom;
+use Magento\Csp\Helper\CspNonceProvider;
 use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\App\ProductMetadataInterface;
 use Magento\Backend\Model\Auth\Session;
 use Magento\Framework\App\State;
@@ -21,6 +23,11 @@
  */
 class Metadata implements ArgumentInterface
 {
+    /**
+     * @var string
+     */
+    private $nonce;
+
     /**
      * @var State
      */
@@ -41,22 +48,33 @@ class Metadata implements ArgumentInterface
      */
     private $config;
 
+    /**
+     * @var CspNonceProvider
+     */
+    private $nonceProvider;
+
     /**
      * @param ProductMetadataInterface $productMetadata
      * @param Session $authSession
      * @param State $appState
      * @param ScopeConfigInterface $config
+     * @param CspNonceProvider|null $nonceProvider
      */
     public function __construct(
         ProductMetadataInterface $productMetadata,
         Session $authSession,
         State $appState,
-        ScopeConfigInterface $config
+        ScopeConfigInterface $config,
+        CspNonceProvider $nonceProvider = null
     ) {
         $this->productMetadata = $productMetadata;
         $this->authSession = $authSession;
         $this->appState = $appState;
         $this->config = $config;
+
+        $this->nonceProvider = $nonceProvider ?: ObjectManager::getInstance()->get(CspNonceProvider::class);
+
+        $this->nonce = $this->nonceProvider->generateNonce();
     }
 
     /**
@@ -156,4 +174,14 @@ public function getCurrentUserRoleName(): string
     {
         return $this->authSession->getUser()->getRole()->getRoleName();
     }
+
+    /**
+     * Get a random nonce for each request.
+     *
+     * @return string
+     */
+    public function getNonce(): string
+    {
+        return $this->nonce;
+    }
 }

app/code/Magento/AdminAnalytics/composer.json

@@ -11,7 +11,8 @@
         "magento/module-config": "*",
         "magento/module-store": "*",
         "magento/module-ui": "*",
-        "magento/module-release-notification": "*"
+        "magento/module-release-notification": "*",
+        "magento/module-csp": "*"
     },
     "type": "magento2-module",
     "license": [

app/code/Magento/AdminAnalytics/view/adminhtml/templates/tracking.phtml

@@ -6,6 +6,7 @@
 
 /**
  * @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
+ * @var \Magento\Framework\Escaper $escaper
  */
 ?>
 
@@ -22,18 +23,25 @@
 <?php
 /** @var \Magento\AdminAnalytics\ViewModel\Metadata $metadata */
 $metadata = $block->getMetadata();
+$nonce = $escaper->escapeJs($metadata->getNonce());
 $scriptString = '
     var adminAnalyticsMetadata = {
-        "secure_base_url": "' . $block->escapeJs($metadata->getSecureBaseUrlForScope()) . '",
-        "version": "' . $block->escapeJs($metadata->getMagentoVersion()) . '",
-        "product_edition": "' . $block->escapeJs($metadata->getProductEdition()) . '",
-        "user": "' . $block->escapeJs($metadata->getCurrentUser()) . '",
-        "mode": "' . $block->escapeJs($metadata->getMode()) . '",
-        "store_name_default": "' . $block->escapeJs($metadata->getStoreNameForScope()) . '",
-        "admin_user_created": "' . $block->escapeJs($metadata->getCurrentUserCreatedDate()) . '",
-        "admin_user_logdate": "' . $block->escapeJs($metadata->getCurrentUserLogDate()) . '",
-        "admin_user_role_name": "' . $block->escapeJs($metadata->getCurrentUserRoleName()) . '"
+        "secure_base_url": "' . $escaper->escapeJs($metadata->getSecureBaseUrlForScope()) . '",
+        "version": "' . $escaper->escapeJs($metadata->getMagentoVersion()) . '",
+        "product_edition": "' . $escaper->escapeJs($metadata->getProductEdition()) . '",
+        "user": "' . $escaper->escapeJs($metadata->getCurrentUser()) . '",
+        "mode": "' . $escaper->escapeJs($metadata->getMode()) . '",
+        "store_name_default": "' . $escaper->escapeJs($metadata->getStoreNameForScope()) . '",
+        "admin_user_created": "' . $escaper->escapeJs($metadata->getCurrentUserCreatedDate()) . '",
+        "admin_user_logdate": "' . $escaper->escapeJs($metadata->getCurrentUserLogDate()) . '",
+        "admin_user_role_name": "' . $escaper->escapeJs($metadata->getCurrentUserRoleName()) . '"
     };
+
+    var digitalData = {
+        "nonce": "' . $nonce . '"
+    };
+
+    var cspNonce = "' . $nonce . '";
 ';
 ?>
 <?= /* @noEscape */ $secureRenderer->renderTag('script', [], $scriptString, false); ?>

app/code/Magento/Backend/etc/adminhtml/system.xml

@@ -10,6 +10,9 @@
         <tab id="general" translate="label" sortOrder="100">
             <label>General</label>
         </tab>
+        <tab id="security" translate="label" sortOrder="200">
+            <label>Security</label>
+        </tab>
         <tab id="service" translate="label" sortOrder="99999">
             <label>Services</label>
         </tab>

app/code/Magento/Checkout/Observer/CspPolicyObserver.php

@@ -0,0 +1,69 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Checkout\Observer;
+
+use Magento\Csp\Model\Collector\DynamicCollector;
+use Magento\Csp\Model\Policy\FetchPolicy;
+use Magento\Framework\Event\Observer;
+use Magento\Framework\Event\ObserverInterface;
+use Magento\Framework\Translate\InlineInterface;
+
+/**
+ * Observer for adding CSP policy for inline translation
+ */
+class CspPolicyObserver implements ObserverInterface
+{
+    /**
+     * @var InlineInterface
+     */
+    private InlineInterface $inlineTranslate;
+
+    /**
+     * @var DynamicCollector
+     */
+    private DynamicCollector $dynamicCollector;
+
+    /**
+     * @param InlineInterface $inlineTranslate
+     * @param DynamicCollector $dynamicCollector
+     */
+    public function __construct(InlineInterface $inlineTranslate, DynamicCollector $dynamicCollector)
+    {
+        $this->inlineTranslate = $inlineTranslate;
+        $this->dynamicCollector = $dynamicCollector;
+    }
+
+    /**
+     * Override CSP policy for checkout page wit inline translation
+     *
+     * @param Observer $observer
+     * @return void
+     *
+     * @throws \Exception
+     *
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function execute(Observer $observer): void
+    {
+        if ($this->inlineTranslate->isAllowed()) {
+            $policy = new FetchPolicy(
+                'script-src',
+                false,
+                [],
+                [],
+                true,
+                true,
+                false,
+                [],
+                []
+            );
+
+            $this->dynamicCollector->add($policy);
+        }
+    }
+}

app/code/Magento/Checkout/composer.json

@@ -26,7 +26,8 @@
         "magento/module-tax": "*",
         "magento/module-theme": "*",
         "magento/module-ui": "*",
-        "magento/module-authorization": "*"
+        "magento/module-authorization": "*",
+        "magento/module-csp": "*"
     },
     "suggest": {
         "magento/module-cookie": "*"

app/code/Magento/Checkout/etc/adminhtml/system.xml

@@ -106,5 +106,17 @@
                 </field>
             </group>
         </section>
+        <section id="csp">
+            <group id="mode">
+                <group id="storefront_checkout_index_index" translate="label" sortOrder="4" showInDefault="1" showInWebsite="1" showInStore="1">
+                    <label>Storefront > One Page Checkout</label>
+                    <field id="report_uri" translate="label" type="text" sortOrder="1" showInDefault="1" showInWebsite="1" showInStore="1">
+                        <label>Report URI</label>
+                        <comment>If empty, Default Report URI for storefront will be used.</comment>
+                        <validate>validate-url</validate>
+                    </field>
+                </group>
+            </group>
+        </section>
     </system>
 </config>

app/code/Magento/Checkout/etc/config.xml

@@ -56,5 +56,20 @@
                 </shown_to_logged_in_user>
             </captcha>
         </customer>
+        <csp>
+            <mode>
+                <storefront_checkout_index_index>
+                    <report_only>0</report_only>
+                </storefront_checkout_index_index>
+            </mode>
+            <policies>
+                <storefront_checkout_index_index>
+                    <scripts>
+                        <inline>0</inline>
+                        <event_handlers>1</event_handlers>
+                    </scripts>
+                </storefront_checkout_index_index>
+            </policies>
+        </csp>
     </default>
 </config>

app/code/Magento/Checkout/etc/frontend/events.xml

@@ -12,4 +12,8 @@
     <event name="customer_logout">
         <observer name="unsetAll" instance="Magento\Checkout\Observer\UnsetAllObserver" />
     </event>
+    <event name="controller_action_predispatch_checkout_index_index">
+        <observer name="cps_storefront_checkout_index_index_predispatch"
+                  instance="Magento\Checkout\Observer\CspPolicyObserver"/>
+    </event>
 </config>

app/code/Magento/Csp/Helper/CspNonceProvider.php

@@ -0,0 +1,86 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Csp\Helper;
+
+use Magento\Csp\Model\Collector\DynamicCollector;
+use Magento\Csp\Model\Policy\FetchPolicy;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Math\Random;
+
+/**
+ * This helper class is used to provide nonce for CSP
+ *
+ * It also adds a nonce to the CSP header.
+ */
+class CspNonceProvider
+{
+    /**
+     * @var string
+     */
+    private const NONCE_LENGTH = 32;
+
+    /**
+     * @var string
+     */
+    private string $nonce;
+
+    /**
+     * @var Random
+     */
+    private Random $random;
+
+    /**
+     * @var DynamicCollector
+     */
+    private DynamicCollector $dynamicCollector;
+
+    /**
+     * @param Random $random
+     * @param DynamicCollector $dynamicCollector
+     */
+    public function __construct(
+        Random $random,
+        DynamicCollector $dynamicCollector
+    ) {
+        $this->random = $random;
+        $this->dynamicCollector = $dynamicCollector;
+    }
+
+    /**
+     * Generate nonce and add it to the CSP header
+     *
+     * @return string
+     * @throws LocalizedException
+     */
+    public function generateNonce(): string
+    {
+        if (empty($this->nonce)) {
+            $this->nonce = $this->random->getRandomString(
+                self::NONCE_LENGTH,
+                Random::CHARS_DIGITS . Random::CHARS_LOWERS
+            );
+
+            $policy = new FetchPolicy(
+                'script-src',
+                false,
+                [],
+                [],
+                false,
+                false,
+                false,
+                [$this->nonce],
+                []
+            );
+
+            $this->dynamicCollector->add($policy);
+        }
+
+        return base64_encode($this->nonce);
+    }
+}