From 4ed9b74a6b2b9f0bb79879ee725c133f3ff299c9 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Mon, 5 Mar 2018 15:27:05 +0100
Subject: [PATCH] Make OC\Security\CSP strict
Signed-off-by: Roeland Jago Douma
---
 .../Security/CSP/ContentSecurityPolicy.php | 47 ++++++++++---------
 .../CSP/ContentSecurityPolicyManager.php | 11 +++--
 .../CSP/ContentSecurityPolicyNonceManager.php | 5 +-
 3 files changed, 33 insertions(+), 30 deletions(-)
diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index 2adc3d3d12..77e20dedf4 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -1,4 +1,5 @@ inlineScriptAllowed; } /** * @param boolean $inlineScriptAllowed */ - public function setInlineScriptAllowed($inlineScriptAllowed) { + public function setInlineScriptAllowed(bool $inlineScriptAllowed) { $this->inlineScriptAllowed = $inlineScriptAllowed; } /** * @return boolean */ - public function isEvalScriptAllowed() { + public function isEvalScriptAllowed(): bool { return $this->evalScriptAllowed; } /** * @param boolean $evalScriptAllowed */ - public function setEvalScriptAllowed($evalScriptAllowed) { + public function setEvalScriptAllowed(bool $evalScriptAllowed) { $this->evalScriptAllowed = $evalScriptAllowed; } /** * @return array */ - public function getAllowedScriptDomains() { + public function getAllowedScriptDomains(): array { return $this->allowedScriptDomains; } /** * @param array $allowedScriptDomains */ - public function setAllowedScriptDomains($allowedScriptDomains) { + public function setAllowedScriptDomains(array $allowedScriptDomains) { $this->allowedScriptDomains = $allowedScriptDomains; } /** * @return boolean */ - public function isInlineStyleAllowed() { + public function isInlineStyleAllowed(): bool { return $this->inlineStyleAllowed; } /** * @param boolean $inlineStyleAllowed */ - public function setInlineStyleAllowed($inlineStyleAllowed) { + public function setInlineStyleAllowed(bool $inlineStyleAllowed) { $this->inlineStyleAllowed = $inlineStyleAllowed; } /** * @return array */ - public function getAllowedStyleDomains() { + public function getAllowedStyleDomains(): array { return $this->allowedStyleDomains; } /** * @param array $allowedStyleDomains */ - public function setAllowedStyleDomains($allowedStyleDomains) { + public function setAllowedStyleDomains(array $allowedStyleDomains) { $this->allowedStyleDomains = $allowedStyleDomains; } /** * @return array */ - public function getAllowedImageDomains() { + public function getAllowedImageDomains(): array { return $this->allowedImageDomains; } /** * @param array 
$allowedImageDomains */ - public function setAllowedImageDomains($allowedImageDomains) { + public function setAllowedImageDomains(array $allowedImageDomains) { $this->allowedImageDomains = $allowedImageDomains; } /** * @return array */ - public function getAllowedConnectDomains() { + public function getAllowedConnectDomains(): array { return $this->allowedConnectDomains; } /** * @param array $allowedConnectDomains */ - public function setAllowedConnectDomains($allowedConnectDomains) { + public function setAllowedConnectDomains(array $allowedConnectDomains) { $this->allowedConnectDomains = $allowedConnectDomains; } /** * @return array */ - public function getAllowedMediaDomains() { + public function getAllowedMediaDomains(): array { return $this->allowedMediaDomains; } /** * @param array $allowedMediaDomains */ - public function setAllowedMediaDomains($allowedMediaDomains) { + public function setAllowedMediaDomains(array $allowedMediaDomains) { $this->allowedMediaDomains = $allowedMediaDomains; } /** * @return array */ - public function getAllowedObjectDomains() { + public function getAllowedObjectDomains(): array { return $this->allowedObjectDomains; } /** * @param array $allowedObjectDomains */ - public function setAllowedObjectDomains($allowedObjectDomains) { + public function setAllowedObjectDomains(array $allowedObjectDomains) { $this->allowedObjectDomains = $allowedObjectDomains; } /** * @return array */ - public function getAllowedFrameDomains() { + public function getAllowedFrameDomains(): array { return $this->allowedFrameDomains; } /** * @param array $allowedFrameDomains */ - public function setAllowedFrameDomains($allowedFrameDomains) { + public function setAllowedFrameDomains(array $allowedFrameDomains) { $this->allowedFrameDomains = $allowedFrameDomains; } /** * @return array */ - public function getAllowedFontDomains() { + public function getAllowedFontDomains(): array { return $this->allowedFontDomains; } 
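Review bot: The new `bool` parameter types on `setInlineScriptAllowed()`, `setEvalScriptAllowed()` and `setInlineStyleAllowed()` are only checked strictly for callers whose own file declares strict types. A caller still in coercive mode that passes a non-empty string such as `'false'` has it converted to `true`, which relaxes the policy without raising an error. The docblocks should say so, for example `* @param bool $inlineScriptAllowed real boolean only; coercive-mode callers have other scalars converted, not rejected`, and they still spell the type `boolean` while the signature now says `bool`. The `array` setters likewise accept any array contents; whether entries are validated before they reach the header is not visible in this hunk. The class body starts and ends outside the hunk.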
@@ -187,7 +188,7 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy /** * @return array */ - public function getAllowedChildSrcDomains() { + public function getAllowedChildSrcDomains(): array { return $this->allowedChildSrcDomains; } @@ -201,7 +202,7 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy /** * @return array */ - public function getAllowedFrameAncestors() { + public function getAllowedFrameAncestors(): array { return $this->allowedFrameAncestors; } diff --git a/lib/private/Security/CSP/ContentSecurityPolicyManager.php b/lib/private/Security/CSP/ContentSecurityPolicyManager.php index 0e6f0ac615..27a0524d3f 100644 --- a/lib/private/Security/CSP/ContentSecurityPolicyManager.php +++ b/lib/private/Security/CSP/ContentSecurityPolicyManager.php @@ -1,4 +1,5 @@ policies as $policy) { $defaultPolicy = $this->mergePolicies($defaultPolicy, $policy); @@ -57,14 +58,14 @@ class ContentSecurityPolicyManager implements IContentSecurityPolicyManager { * @return ContentSecurityPolicy */ public function mergePolicies(ContentSecurityPolicy $defaultPolicy, - EmptyContentSecurityPolicy $originalPolicy) { + EmptyContentSecurityPolicy $originalPolicy): ContentSecurityPolicy { foreach((object)(array)$originalPolicy as $name => $value) { $setter = 'set'.ucfirst($name); - if(is_array($value)) { + if(\is_array($value)) { $getter = 'get'.ucfirst($name); - $currentValues = is_array($defaultPolicy->$getter()) ? $defaultPolicy->$getter() : []; + $currentValues = \is_array($defaultPolicy->$getter()) ? $defaultPolicy->$getter() : []; $defaultPolicy->$setter(array_values(array_unique(array_merge($currentValues, $value)))); - } elseif (is_bool($value)) { + } elseif (\is_bool($value)) { $defaultPolicy->$setter($value); } } diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php index 266e5809c2..088fb2d859 100644 
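Review bot: The `\is_array($defaultPolicy->$getter()) ? $defaultPolicy->$getter() : []` fallback in mergePolicies() can no longer take its false branch for the getters this commit gives an `: array` return type, because a getter whose backing property is not an array now throws a TypeError before the check runs. If any list property can still be null (their initialisation is not visible here), the merge fails instead of starting from an empty list; otherwise the guard is dead code and `$currentValues = $defaultPolicy->$getter();` is enough. The docblock should also state the merge semantics that matter for review: arrays are unioned and booleans are last-writer-wins, so a later policy can change `inlineScriptAllowed` or `evalScriptAllowed` but cannot remove an allowed domain. The method's return statement is outside the hunk.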
--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php +++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php @@ -1,4 +1,5 @@ * @@ -55,7 +56,7 @@ class ContentSecurityPolicyNonceManager { * * @return string */ - public function getNonce() { + public function getNonce(): string { if($this->nonce === '') { $this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue()); } @@ -68,7 +69,7 @@ class ContentSecurityPolicyNonceManager { * * @return bool */ - public function browserSupportsCspV3() { + public function browserSupportsCspV3(): bool { $browserWhitelist = [ Request::USER_AGENT_CHROME, // Firefox 45+
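Review bot: The docblock on getNonce() should state that the nonce is derived from the CSRF token and cached on the instance, since only `@return string` is visible and that coupling is the security-relevant part of the contract. The nonce is a value that is emitted in markup and the response header by design, so its unpredictability depends entirely on what `getEncryptedValue()` returns, which this hunk does not show. Suggested line: `* Returns the CSP nonce, derived once per instance from the CSRF token's encrypted value.` With the new `: string` return type it is also worth confirming that `getEncryptedValue()` is declared to return a string, because `base64_encode()` would otherwise raise a TypeError under strict types. The method's return statement is outside the hunk.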