bookstack/tests/SecurityHeaderTest.php

<?php

namespace Tests;

use BookStack\Util\CspService;
use Illuminate\Testing\TestResponse;

class SecurityHeaderTest extends TestCase
{
    public function test_cookies_samesite_lax_by_default()
    {
        $resp = $this->get('/');
        foreach ($resp->headers->getCookies() as $cookie) {
            $this->assertEquals('lax', $cookie->getSameSite());
        }
    }

    public function test_cookies_samesite_none_when_iframe_hosts_set()
    {
        $this->runWithEnv('ALLOWED_IFRAME_HOSTS', 'http://example.com', function () {
            $resp = $this->get('/');
            foreach ($resp->headers->getCookies() as $cookie) {
                $this->assertEquals('none', $cookie->getSameSite());
            }
        });
    }

    public function test_secure_cookies_controlled_by_app_url()
    {
        $this->runWithEnv('APP_URL', 'http://example.com', function () {
            $resp = $this->get('/');
            foreach ($resp->headers->getCookies() as $cookie) {
                $this->assertFalse($cookie->isSecure());
            }
        });

        $this->runWithEnv('APP_URL', 'https://example.com', function () {
            $resp = $this->get('/');
            foreach ($resp->headers->getCookies() as $cookie) {
                $this->assertTrue($cookie->isSecure());
            }
        });
    }

    public function test_iframe_csp_self_only_by_default()
    {
        $resp = $this->get('/');
        $frameHeader = $this->getCspHeader($resp, 'frame-ancestors');

        $this->assertEquals('frame-ancestors \'self\'', $frameHeader);
    }

    public function test_iframe_csp_includes_extra_hosts_if_configured()
    {
        $this->runWithEnv('ALLOWED_IFRAME_HOSTS', 'https://a.example.com https://b.example.com', function () {
            $resp = $this->get('/');
            $frameHeader = $this->getCspHeader($resp, 'frame-ancestors');

            $this->assertNotEmpty($frameHeader);
            $this->assertEquals('frame-ancestors \'self\' https://a.example.com https://b.example.com', $frameHeader);
        });
    }

    public function test_script_csp_set_on_responses()
    {
        $resp = $this->get('/');
        $scriptHeader = $this->getCspHeader($resp, 'script-src');
        $this->assertStringContainsString('\'strict-dynamic\'', $scriptHeader);
        $this->assertStringContainsString('\'nonce-', $scriptHeader);
    }

    public function test_script_csp_nonce_matches_nonce_used_in_custom_head()
    {
        $this->setSettings(['app-custom-head' => '<script>console.log("cat");</script>']);
        $resp = $this->get('/login');
        $scriptHeader = $this->getCspHeader($resp, 'script-src');

        $nonce = app()->make(CspService::class)->getNonce();
        $this->assertStringContainsString('nonce-' . $nonce, $scriptHeader);
        $resp->assertSee('<script nonce="' . $nonce . '">console.log("cat");</script>', false);
    }

    public function test_script_csp_nonce_changes_per_request()
    {
        $resp = $this->get('/');
        $firstHeader = $this->getCspHeader($resp, 'script-src');

        $this->refreshApplication();

        $resp = $this->get('/');
        $secondHeader = $this->getCspHeader($resp, 'script-src');

        $this->assertNotEquals($firstHeader, $secondHeader);
    }

    public function test_allow_content_scripts_settings_controls_csp_script_headers()
    {
        config()->set('app.allow_content_scripts', true);
        $resp = $this->get('/');
        $scriptHeader = $this->getCspHeader($resp, 'script-src');
        $this->assertEmpty($scriptHeader);

        config()->set('app.allow_content_scripts', false);
        $resp = $this->get('/');
        $scriptHeader = $this->getCspHeader($resp, 'script-src');
        $this->assertNotEmpty($scriptHeader);
    }

    public function test_object_src_csp_header_set()
    {
        $resp = $this->get('/');
        $scriptHeader = $this->getCspHeader($resp, 'object-src');
        $this->assertEquals('object-src \'self\'', $scriptHeader);
    }

    public function test_base_uri_csp_header_set()
    {
        $resp = $this->get('/');
        $scriptHeader = $this->getCspHeader($resp, 'base-uri');
        $this->assertEquals('base-uri \'self\'', $scriptHeader);
    }

    public function test_frame_src_csp_header_set()
    {
        $resp = $this->get('/');
        $scriptHeader = $this->getCspHeader($resp, 'frame-src');
        $this->assertEquals('frame-src \'self\' https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com', $scriptHeader);
    }

    public function test_frame_src_csp_header_has_drawio_host_added()
    {
        config()->set([
            'app.iframe_sources' => 'https://example.com',
            'services.drawio'    => 'https://diagrams.example.com/testing?cat=dog',
        ]);

        $resp = $this->get('/');
        $scriptHeader = $this->getCspHeader($resp, 'frame-src');
        $this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader);
    }

    public function test_cache_control_headers_are_strict_on_responses_when_logged_in()
    {
        $this->asEditor();
        $resp = $this->get('/');
        $resp->assertHeader('Cache-Control', 'max-age=0, no-store, private');
        $resp->assertHeader('Pragma', 'no-cache');
        $resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
    }

    /**
     * Get the value of the first CSP header of the given type.
     */
    protected function getCspHeader(TestResponse $resp, string $type): string
    {
        $cspHeaders = explode('; ', $resp->headers->get('Content-Security-Policy'));

        foreach ($cspHeaders as $cspHeader) {
            if (strpos($cspHeader, $type) === 0) {
                return $cspHeader;
            }
        }

        return '';
    }
}
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`<?php`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`namespace Tests;`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`use BookStack\Util\CspService;`
Updated tests to use ssddanbrown/asserthtml package Closes #3519 2022-07-23 22:10:18 +08:00			`use Illuminate\Testing\TestResponse;`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00
			`class SecurityHeaderTest extends TestCase`
			`{`
			`public function test_cookies_samesite_lax_by_default()`
			`{`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$resp = $this->get('/');`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00			`foreach ($resp->headers->getCookies() as $cookie) {`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$this->assertEquals('lax', $cookie->getSameSite());`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00			`}`
			`}`

			`public function test_cookies_samesite_none_when_iframe_hosts_set()`
			`{`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$this->runWithEnv('ALLOWED_IFRAME_HOSTS', 'http://example.com', function () {`
			`$resp = $this->get('/');`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00			`foreach ($resp->headers->getCookies() as $cookie) {`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$this->assertEquals('none', $cookie->getSameSite());`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00			`}`
			`});`
			`}`

			`public function test_secure_cookies_controlled_by_app_url()`
			`{`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$this->runWithEnv('APP_URL', 'http://example.com', function () {`
			`$resp = $this->get('/');`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00			`foreach ($resp->headers->getCookies() as $cookie) {`
			`$this->assertFalse($cookie->isSecure());`
			`}`
			`});`

Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$this->runWithEnv('APP_URL', 'https://example.com', function () {`
			`$resp = $this->get('/');`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00			`foreach ($resp->headers->getCookies() as $cookie) {`
			`$this->assertTrue($cookie->isSecure());`
			`}`
			`});`
			`}`

			`public function test_iframe_csp_self_only_by_default()`
			`{`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$resp = $this->get('/');`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`$frameHeader = $this->getCspHeader($resp, 'frame-ancestors');`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`$this->assertEquals('frame-ancestors \'self\'', $frameHeader);`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00			`}`

			`public function test_iframe_csp_includes_extra_hosts_if_configured()`
			`{`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$this->runWithEnv('ALLOWED_IFRAME_HOSTS', 'https://a.example.com https://b.example.com', function () {`
			`$resp = $this->get('/');`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`$frameHeader = $this->getCspHeader($resp, 'frame-ancestors');`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`$this->assertNotEmpty($frameHeader);`
			`$this->assertEquals('frame-ancestors \'self\' https://a.example.com https://b.example.com', $frameHeader);`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-02 10:43:50 +08:00			`});`
			`}`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00
			`public function test_script_csp_set_on_responses()`
			`{`
			`$resp = $this->get('/');`
			`$scriptHeader = $this->getCspHeader($resp, 'script-src');`
			`$this->assertStringContainsString('\'strict-dynamic\'', $scriptHeader);`
			`$this->assertStringContainsString('\'nonce-', $scriptHeader);`
			`}`

			`public function test_script_csp_nonce_matches_nonce_used_in_custom_head()`
			`{`
			`$this->setSettings(['app-custom-head' => '<script>console.log("cat");</script>']);`
			`$resp = $this->get('/login');`
			`$scriptHeader = $this->getCspHeader($resp, 'script-src');`

			`$nonce = app()->make(CspService::class)->getNonce();`
			`$this->assertStringContainsString('nonce-' . $nonce, $scriptHeader);`
Laravel 7.x Shift (#3011) * Apply Laravel coding style * Shift bindings * Shift core files * Shift to Throwable * Add laravel/ui dependency * Shift Eloquent methods * Shift config files * Shift Laravel dependencies * Shift cleanup * Shift test config and references * Applied styleci changes * Applied fixes post shift to laravel 7 Co-authored-by: Shift <shift@laravelshift.com> 2021-10-27 05:04:18 +08:00			`$resp->assertSee('<script nonce="' . $nonce . '">console.log("cat");</script>', false);`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`}`

			`public function test_script_csp_nonce_changes_per_request()`
			`{`
			`$resp = $this->get('/');`
			`$firstHeader = $this->getCspHeader($resp, 'script-src');`

			`$this->refreshApplication();`

			`$resp = $this->get('/');`
			`$secondHeader = $this->getCspHeader($resp, 'script-src');`

			`$this->assertNotEquals($firstHeader, $secondHeader);`
			`}`

			`public function test_allow_content_scripts_settings_controls_csp_script_headers()`
			`{`
			`config()->set('app.allow_content_scripts', true);`
			`$resp = $this->get('/');`
			`$scriptHeader = $this->getCspHeader($resp, 'script-src');`
			`$this->assertEmpty($scriptHeader);`

			`config()->set('app.allow_content_scripts', false);`
			`$resp = $this->get('/');`
			`$scriptHeader = $this->getCspHeader($resp, 'script-src');`
			`$this->assertNotEmpty($scriptHeader);`
			`}`

Added a couple of additional CSP rules As per guidance from google's CSP evaluator. 2021-09-04 21:34:43 +08:00			`public function test_object_src_csp_header_set()`
			`{`
			`$resp = $this->get('/');`
			`$scriptHeader = $this->getCspHeader($resp, 'object-src');`
			`$this->assertEquals('object-src \'self\'', $scriptHeader);`
			`}`

			`public function test_base_uri_csp_header_set()`
			`{`
			`$resp = $this->get('/');`
			`$scriptHeader = $this->getCspHeader($resp, 'base-uri');`
			`$this->assertEquals('base-uri \'self\'', $scriptHeader);`
			`}`

Updated CSP with frame-src rules - Configurable via 'ALLOWED_IFRAME_SOURCES' .env option. - Also updated how CSP rules are set, with a single header being used instead of many. - Also applied CSP rules to HTML export outputs. - Updated tests to cover. For #3314 2022-03-07 22:27:41 +08:00			`public function test_frame_src_csp_header_set()`
			`{`
			`$resp = $this->get('/');`
			`$scriptHeader = $this->getCspHeader($resp, 'frame-src');`
			`$this->assertEquals('frame-src \'self\' https://.draw.io https://.youtube.com https://.youtube-nocookie.com https://.vimeo.com', $scriptHeader);`
			`}`

			`public function test_frame_src_csp_header_has_drawio_host_added()`
			`{`
			`config()->set([`
			`'app.iframe_sources' => 'https://example.com',`
Applied latest styleCI changes 2022-03-09 22:30:36 +08:00			`'services.drawio' => 'https://diagrams.example.com/testing?cat=dog',`
Updated CSP with frame-src rules - Configurable via 'ALLOWED_IFRAME_SOURCES' .env option. - Also updated how CSP rules are set, with a single header being used instead of many. - Also applied CSP rules to HTML export outputs. - Updated tests to cover. For #3314 2022-03-07 22:27:41 +08:00			`]);`

			`$resp = $this->get('/');`
			`$scriptHeader = $this->getCspHeader($resp, 'frame-src');`
			`$this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader);`
			`}`

Forced response cache revalidation on logged-in responses - Prevents authenticated responses being visible when back button pressed in browser. - Previously, 'no-cache, private' was added by default by Symfony which would have prevents proxy cache issues but this adds no-store and a max-age option to also invalidate all caching. Thanks to @haxatron via huntr.dev Ref: https://huntr.dev/bounties/6cda9df9-4987-4e1c-b48f-855b6901ef53/ 2021-10-08 22:22:09 +08:00			`public function test_cache_control_headers_are_strict_on_responses_when_logged_in()`
			`{`
			`$this->asEditor();`
			`$resp = $this->get('/');`
			`$resp->assertHeader('Cache-Control', 'max-age=0, no-store, private');`
			`$resp->assertHeader('Pragma', 'no-cache');`
			`$resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');`
			`}`

Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`/**`
			`* Get the value of the first CSP header of the given type.`
			`*/`
			`protected function getCspHeader(TestResponse $resp, string $type): string`
			`{`
Updated CSP with frame-src rules - Configurable via 'ALLOWED_IFRAME_SOURCES' .env option. - Also updated how CSP rules are set, with a single header being used instead of many. - Also applied CSP rules to HTML export outputs. - Updated tests to cover. For #3314 2022-03-07 22:27:41 +08:00			`$cspHeaders = explode('; ', $resp->headers->get('Content-Security-Policy'));`

			`foreach ($cspHeaders as $cspHeader) {`
			`if (strpos($cspHeader, $type) === 0) {`
			`return $cspHeader;`
			`}`
			`}`
Applied latest styleci changes 2021-09-07 05:19:06 +08:00
Updated CSP with frame-src rules - Configurable via 'ALLOWED_IFRAME_SOURCES' .env option. - Also updated how CSP rules are set, with a single header being used instead of many. - Also applied CSP rules to HTML export outputs. - Updated tests to cover. For #3314 2022-03-07 22:27:41 +08:00			`return '';`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`}`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`}`