MC-19927: Implement hash-whitelisting, dynamic CSP

Author: Oleksandr Gorkun

app/code/Magento/Csp/Api/CspAwareActionInterface.php

@@ -0,0 +1,27 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Api;
+
+use Magento\Framework\App\ActionInterface;
+
+/**
+ * Interface for controllers that can provide route-specific CSPs.
+ */
+interface CspAwareActionInterface extends ActionInterface
+{
+    /**
+     * Return CSPs that will be applied to current route (page).
+     *
+     * The array returned will be used as is so if you need to keep policies that have been already applied they need
+     * to be included in the resulting array.
+     *
+     * @param \Magento\Csp\Api\Data\PolicyInterface[] $appliedPolicies
+     * @return \Magento\Csp\Api\Data\PolicyInterface[]
+     */
+    public function modifyCsp(array $appliedPolicies): array;
+}

app/code/Magento/Csp/Api/InlineUtilInterface.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Api;
+
+use Magento\Csp\Api\Data\PolicyInterface;
+
+/**
+ * Utility for classes responsible for rendering and templates that allows whitelist inline sources.
+ */
+interface InlineUtilInterface
+{
+    /**
+     * Render HTML tag and whitelist it as trusted source.
+     *
+     * Use this method to whitelist remote static resources and inline styles/scripts.
+     * Do not use user-provided as any of the parameters.
+     *
+     * @param string $tagName
+     * @param string[] $attributes
+     * @param string|null $content
+     * @return string
+     */
+    public function renderTag(string $tagName, array $attributes, ?string $content = null): string;
+
+    /**
+     * Render event listener as an HTML attribute and whitelist it as trusted source.
+     *
+     * Do not use user-provided as any of the parameters.
+     *
+     * @param string $eventName
+     * @param string $javascript
+     * @return string
+     */
+    public function renderEventListener(string $eventName, string $javascript): string;
+}

app/code/Magento/Csp/Helper/InlineUtil.php

@@ -0,0 +1,134 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Helper;
+
+use Magento\Csp\Api\InlineUtilInterface;
+use Magento\Csp\Model\Collector\DynamicCollector;
+use Magento\Csp\Model\Policy\FetchPolicy;
+
+/**
+ * Helper for classes responsible for rendering and templates.
+ *
+ * Allows to whitelist dynamic sources specific to a certain page.
+ */
+class InlineUtil implements InlineUtilInterface
+{
+    /**
+     * @var DynamicCollector
+     */
+    private $dynamicCollector;
+
+    /**
+     * @var bool
+     */
+    private $eventHandlersEnabled = false;
+
+    /**
+     * @param DynamicCollector $dynamicCollector
+     */
+    public function __construct(DynamicCollector $dynamicCollector)
+    {
+        $this->dynamicCollector = $dynamicCollector;
+    }
+
+    /**
+     * Generate fetch policy hash for some content.
+     *
+     * @param string $content
+     * @return string
+     */
+    private function generateHash(string $content): string
+    {
+        return 'sha256-' .base64_encode(hash('sha256', $content, true));
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function renderTag(string $tagName, array $attributes, ?string $content = null): string
+    {
+        $remote = !empty($attributes['src'])
+            ? $attributes['src'] : (!empty($attributes['href']) ? $attributes['href'] : null);
+        if (!$remote && !$content) {
+            throw new \InvalidArgumentException('Either remote URL or hashable content is required to whitelist');
+        }
+        switch ($tagName) {
+            case 'script':
+                $policyId = 'script-src';
+                break;
+            case 'style':
+                $policyId = 'style-src';
+                break;
+            case 'img':
+                $policyId = 'img-src';
+                break;
+            case 'audio':
+            case 'video':
+            case 'track':
+                $policyId = 'media-src';
+                break;
+            case 'object':
+            case 'embed':
+            case 'applet':
+                $policyId = 'object-src';
+                break;
+            case 'link':
+                if (empty($attributes['rel']) || $attributes['rel'] !== 'stylesheet') {
+                    throw new \InvalidArgumentException('Only remote styles can be whitelisted via "link" tag');
+                }
+                $policyId = 'style-src';
+                break;
+            default:
+                throw new \InvalidArgumentException('Unknown source type - ' .$tagName);
+        }
+
+        if ($remote) {
+            $urlData = parse_url($remote);
+            $this->dynamicCollector->add(
+                new FetchPolicy($policyId, false, [$urlData['scheme'] .'://' .$urlData['host']])
+            );
+        } elseif ($policyId === 'style-src' || $policyId === 'script-src') {
+            $this->dynamicCollector->add(
+                new FetchPolicy($policyId, false, [], [], false, false, false, [], [$this->generateHash($content)])
+            );
+        } else {
+            throw new \InvalidArgumentException('Only inline scripts and styles can be whitelisted');
+        }
+
+        $html = '<' .$tagName;
+        foreach ($attributes as $attribute => $value) {
+            $html .= ' ' .$attribute .'="' .$value .'"';
+        }
+        if ($content) {
+            $html .= '>' .$content .'</' .$tagName .'>';
+        } else {
+            $html .= ' />';
+        }
+
+        return $html;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function renderEventListener(string $eventName, string $javascript): string
+    {
+        if (!$this->eventHandlersEnabled) {
+            $this->dynamicCollector->add(
+                new FetchPolicy('default-src', false, [], [], false, false, false, [], [], false, true)
+            );
+            $this->eventHandlersEnabled = true;
+        }
+
+        $this->dynamicCollector->add(
+            new FetchPolicy('script-src', false, [], [], false, false, false, [], [$this->generateHash($javascript)])
+        );
+
+        return $eventName .'="' .$javascript .'"';
+    }
+}

app/code/Magento/Csp/Model/Collector/ControllerCollector.php

@@ -0,0 +1,45 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Model\Collector;
+
+use Magento\Csp\Api\CspAwareActionInterface;
+use Magento\Csp\Api\PolicyCollectorInterface;
+
+/**
+ * Asks for route-specific policies from a compatible controller.
+ */
+class ControllerCollector implements PolicyCollectorInterface
+{
+    /**
+     * @var CspAwareActionInterface|null
+     */
+    private $controller;
+
+    /**
+     * Set the action interface that is responsible for processing current HTTP request.
+     *
+     * @param CspAwareActionInterface $cspAwareAction
+     * @return void
+     */
+    public function setCurrentActionInstance(CspAwareActionInterface $cspAwareAction): void
+    {
+        $this->controller = $cspAwareAction;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function collect(array $defaultPolicies = []): array
+    {
+        if ($this->controller) {
+            return $this->controller->modifyCsp($defaultPolicies);
+        }
+
+        return $defaultPolicies;
+    }
+}

app/code/Magento/Csp/Model/Collector/DynamicCollector.php

@@ -0,0 +1,41 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Model\Collector;
+
+use Magento\Csp\Api\Data\PolicyInterface;
+use Magento\Csp\Api\PolicyCollectorInterface;
+
+/**
+ * CSPs dynamically added during the rendering of current page (from .phtml templates for instance).
+ */
+class DynamicCollector implements PolicyCollectorInterface
+{
+    /**
+     * @var PolicyInterface[]
+     */
+    private $added = [];
+
+    /**
+     * Add a policy for current page.
+     *
+     * @param PolicyInterface $policy
+     * @return void
+     */
+    public function add(PolicyInterface $policy): void
+    {
+        $this->added[] = $policy;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function collect(array $defaultPolicies = []): array
+    {
+        return array_merge($defaultPolicies, $this->added);
+    }
+}

app/code/Magento/Csp/Model/CompositePolicyCollector.php

@@ -32,27 +32,39 @@ class CompositePolicyCollector implements PolicyCollectorInterface
      */
     public function __construct(array $collectors, array $mergers)
     {
+        ksort($collectors);
         $this->collectors = $collectors;
         $this->mergers = $mergers;
     }
 
     /**
-     * Merge 2 policies with the same ID.
+     * Merge policies with same IDs and return a list of policies with 1 DTO per policy ID.
      *
-     * @param PolicyInterface $policy1
-     * @param PolicyInterface $policy2
-     * @return PolicyInterface
+     * @param PolicyInterface[] $collected
+     * @return PolicyInterface[]
      * @throws \RuntimeException When failed to merge.
      */
-    private function merge(PolicyInterface $policy1, PolicyInterface $policy2): PolicyInterface
+    private function merge(array $collected): array
     {
-        foreach ($this->mergers as $merger) {
-            if ($merger->canMerge($policy1, $policy2)) {
-                return $merger->merge($policy1, $policy2);
+        /** @var PolicyInterface[] $merged */
+        $merged = [];
+
+        foreach ($collected as $policy) {
+            if (array_key_exists($policy->getId(), $merged)) {
+                foreach ($this->mergers as $merger) {
+                    if ($merger->canMerge($merged[$policy->getId()], $policy)) {
+                        $result[$policy->getId()] = $merger->merge($merged[$policy->getId()], $policy);
+                        continue 2;
+                    }
+                }
+
+                throw new \RuntimeException(sprintf('Merge for policies #%s was not found', $policy->getId()));
+            } else {
+                $merged[$policy->getId()] = $policy;
             }
         }
 
-        throw new \RuntimeException(sprintf('Merge for policies #%s was not found', $policy1->getId()));
+        return $merged;
     }
 
     /**
@@ -62,19 +74,9 @@ public function collect(array $defaultPolicies = []): array
     {
         $collected = $defaultPolicies;
         foreach ($this->collectors as $collector) {
-            $collected = $collector->collect($collected);
-        }
-        //Merging policies.
-        /** @var PolicyInterface[] $result */
-        $result = [];
-        foreach ($collected as $policy) {
-            if (array_key_exists($policy->getId(), $result)) {
-                $result[$policy->getId()] = $this->merge($result[$policy->getId()], $policy);
-            } else {
-                $result[$policy->getId()] = $policy;
-            }
+            $collected = $this->merge($collector->collect($collected));
         }
 
-        return array_values($result);
+        return array_values($collected);
     }
 }