MC-19927: Implement hash-whitelisting, dynamic CSP

Author: Oleksandr Gorkun

app/code/Magento/Csp/Api/InlineUtilInterface.php

@@ -30,9 +30,9 @@ public function renderTag(string $tagName, array $attributes, ?string $content =
     /**
      * Render event listener as an HTML attribute and whitelist it as trusted source.
      *
-     * Do not use user-provided as any of the parameters.
+     * Do not use user-provided values as any of the parameters.
      *
-     * @param string $eventName
+     * @param string $eventName Full attribute name like "onclick".
      * @param string $javascript
      * @return string
      */

app/code/Magento/Csp/Helper/InlineUtil.php

@@ -10,6 +10,7 @@
 use Magento\Csp\Api\InlineUtilInterface;
 use Magento\Csp\Model\Collector\DynamicCollector;
 use Magento\Csp\Model\Policy\FetchPolicy;
+use ParagonIE\Sodium\Core\Curve25519\Fe;
 
 /**
  * Helper for classes responsible for rendering and templates.
@@ -26,78 +27,119 @@ class InlineUtil implements InlineUtilInterface
     /**
      * @var bool
      */
-    private $eventHandlersEnabled = false;
+    private $useUnsafeHashes;
+
+    private static $tagMeta = [
+        'script' => ['id' => 'script-src', 'remote' => ['src'], 'hash' => true],
+        'style' => ['id' => 'style-src', 'remote' => [], 'hash' => true],
+        'img' => ['id' => 'img-src', 'remote' => ['src']],
+        'audio' => ['id' => 'media-src', 'remote' => ['src']],
+        'video' => ['id' => 'media-src', 'remote' => ['src']],
+        'track' => ['id' => 'media-src', 'remote' => ['src']],
+        'source' => ['id' => 'media-src', 'remote' => ['src']],
+        'object' => ['id' => 'object-src', 'remote' => ['data', 'archive']],
+        'embed' => ['id' => 'object-src', 'remote' => ['src']],
+        'applet' => ['id' => 'object-src', 'remote' => ['code', 'archive']],
+        'link' => ['id' => 'style-src', 'remote' => ['href']],
+        'form' => ['id' => 'form-action', 'remote' => ['action']],
+        'iframe' => ['id' => 'frame-src', 'remote' => ['src']],
+        'frame' => ['id' => 'frame-src', 'remote' => ['src']]
+    ];
 
     /**
      * @param DynamicCollector $dynamicCollector
+     * @param bool $useUnsafeHashes Use 'unsafe-hashes' policy (not supported by CSP v2).
      */
-    public function __construct(DynamicCollector $dynamicCollector)
+    public function __construct(DynamicCollector $dynamicCollector, bool $useUnsafeHashes = false)
     {
         $this->dynamicCollector = $dynamicCollector;
+        $this->useUnsafeHashes = $useUnsafeHashes;
     }
 
     /**
      * Generate fetch policy hash for some content.
      *
      * @param string $content
-     * @return string
+     * @return array Hash data to insert into a FetchPolicy.
+     */
+    private function generateHashValue(string $content): array
+    {
+        return [base64_encode(hash('sha256', $content, true)) => 'sha256'];
+    }
+
+    /**
+     * Extract host for a fetch policy from a URL.
+     *
+     * @param string $url
+     * @return string|null Null is returned when URL does not point to a remote host.
+     */
+    private function extractHost(string $url): ?string
+    {
+        $urlData = parse_url($url);
+        if (
+            !$urlData
+            || empty($urlData['scheme'])
+            || ($urlData['scheme'] !== 'http' && $urlData['scheme'] !== 'https')
+        ) {
+            return null;
+        }
+
+        return $urlData['scheme'] .'://' .$urlData['host'];
+    }
+
+    /**
+     * Extract remote hosts used to get fonts.
+     *
+     * @param string $styleContent
+     * @return string[]
      */
-    private function generateHash(string $content): string
+    private function extractRemoteFonts(string $styleContent): array
     {
-        return 'sha256-' .base64_encode(hash('sha256', $content, true));
+        $urlsFound = [[]];
+        preg_match_all('/\@font\-face\s*?\{([^\}]*)[^\}]*?\}/im', $styleContent, $fontFaces);
+        foreach ($fontFaces[1] as $fontFaceContent) {
+            preg_match_all('/url\((http(s)?\:[^\)]+)\)/i', $fontFaceContent, $urls);
+            $urlsFound[] = $urls[1];
+        }
+
+        return array_map([$this, 'extractHost'], array_merge(...$urlsFound));
     }
 
     /**
      * @inheritDoc
      */
     public function renderTag(string $tagName, array $attributes, ?string $content = null): string
     {
-        $remote = !empty($attributes['src'])
-            ? $attributes['src'] : (!empty($attributes['href']) ? $attributes['href'] : null);
-        if (!$remote && !$content) {
-            throw new \InvalidArgumentException('Either remote URL or hashable content is required to whitelist');
+        if (!array_key_exists($tagName, self::$tagMeta)) {
+            throw new \InvalidArgumentException('Unknown source type - ' .$tagName);
         }
-        switch ($tagName) {
-            case 'script':
-                $policyId = 'script-src';
-                break;
-            case 'style':
-                $policyId = 'style-src';
-                break;
-            case 'img':
-                $policyId = 'img-src';
+        /** @var string[] $remotes */
+        $remotes = [];
+        foreach (self::$tagMeta[$tagName]['remote'] as $remoteAttr) {
+            if (!empty($attributes[$remoteAttr]) && $host = $this->extractHost($attributes[$remoteAttr])) {
+                $remotes[] = $host;
                 break;
-            case 'audio':
-            case 'video':
-            case 'track':
-                $policyId = 'media-src';
-                break;
-            case 'object':
-            case 'embed':
-            case 'applet':
-                $policyId = 'object-src';
-                break;
-            case 'link':
-                if (empty($attributes['rel']) || $attributes['rel'] !== 'stylesheet') {
-                    throw new \InvalidArgumentException('Only remote styles can be whitelisted via "link" tag');
-                }
-                $policyId = 'style-src';
-                break;
-            default:
-                throw new \InvalidArgumentException('Unknown source type - ' .$tagName);
+            }
+        }
+        /** @var string $policyId */
+        $policyId = self::$tagMeta[$tagName]['id'];
+        if ($tagName === 'style' && $content) {
+            $remotes += $this->extractRemoteFonts($content);
         }
 
-        if ($remote) {
-            $urlData = parse_url($remote);
+        if (empty($remotes) && !$content) {
+            throw new \InvalidArgumentException('Either remote URL or hashable content is required to whitelist');
+        }
+
+        if ($remotes) {
             $this->dynamicCollector->add(
-                new FetchPolicy($policyId, false, [$urlData['scheme'] .'://' .$urlData['host']])
+                new FetchPolicy($policyId, false, $remotes)
             );
-        } elseif ($policyId === 'style-src' || $policyId === 'script-src') {
+        }
+        if ($content && !empty(self::$tagMeta[$tagName]['hash'])) {
             $this->dynamicCollector->add(
-                new FetchPolicy($policyId, false, [], [], false, false, false, [], [$this->generateHash($content)])
+                new FetchPolicy($policyId, false, [], [], false, false, false, [], $this->generateHashValue($content))
             );
-        } else {
-            throw new \InvalidArgumentException('Only inline scripts and styles can be whitelisted');
         }
 
         $html = '<' .$tagName;
@@ -118,16 +160,24 @@ public function renderTag(string $tagName, array $attributes, ?string $content =
      */
     public function renderEventListener(string $eventName, string $javascript): string
     {
-        if (!$this->eventHandlersEnabled) {
-            $this->dynamicCollector->add(
-                new FetchPolicy('default-src', false, [], [], false, false, false, [], [], false, true)
+        if ($this->useUnsafeHashes) {
+            $policy = new FetchPolicy(
+                'script-src',
+                false,
+                [],
+                [],
+                false,
+                false,
+                false,
+                [],
+                $this->generateHashValue($javascript),
+                false,
+                true
             );
-            $this->eventHandlersEnabled = true;
+        } else {
+            $policy = new FetchPolicy('script-src', false, [], [], false, true);
         }
-
-        $this->dynamicCollector->add(
-            new FetchPolicy('script-src', false, [], [], false, false, false, [], [$this->generateHash($javascript)])
-        );
+        $this->dynamicCollector->add($policy);
 
         return $eventName .'="' .$javascript .'"';
     }

app/code/Magento/Csp/etc/di.xml

@@ -18,10 +18,10 @@
     <type name="Magento\Csp\Model\CompositePolicyCollector">
         <arguments>
             <argument name="collectors" xsi:type="array">
-                <item name="config" xsi:type="object">Magento\Csp\Model\Collector\ConfigCollector</item>
-                <item name="csp_whitelist" xsi:type="object">Magento\Csp\Model\Collector\CspWhitelistXmlCollector</item>
-                <item name="dynamic" xsi:type="object">Magento\Csp\Model\Collector\DynamicCollector</item>
-                <item name="controller" xsi:type="object">Magento\Csp\Model\Collector\ControllerCollector</item>
+                <item name="1" xsi:type="object">Magento\Csp\Model\Collector\ConfigCollector</item>
+                <item name="2" xsi:type="object">Magento\Csp\Model\Collector\CspWhitelistXmlCollector</item>
+                <item name="3" xsi:type="object">Magento\Csp\Model\Collector\DynamicCollector</item>
+                <item name="100" xsi:type="object">Magento\Csp\Model\Collector\ControllerCollector</item>
             </argument>
             <argument name="mergers" xsi:type="array">
                 <item name="fetch" xsi:type="object">Magento\Csp\Model\Collector\FetchPolicyMerger</item>