From 579822b6a5639ee608e11ed23760d481a4a78f4b Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Tue, 16 Oct 2018 14:04:22 +0200
Subject: [PATCH] Add report-uri to CSP

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 .../Security/CSP/ContentSecurityPolicy.php    |  8 ++++++++
 .../Http/ContentSecurityPolicy.php            |  3 +++
 .../Http/EmptyContentSecurityPolicy.php       | 20 +++++++++++++++++++
 .../Http/EmptyContentSecurityPolicyTest.php   | 15 ++++++++++++++
 4 files changed, 46 insertions(+)

diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index cae247f9f4..8fd4df05c3 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -223,4 +223,12 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 		$this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
 	}
 
+	public function getReportTo(): array {
+		return $this->reportTo;
+	}
+
+	public function setReportTo(array $reportTo) {
+		$this->reportTo = $reportTo;
+	}
+
 }
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index 02a52c6c49..597069fdaa 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -90,4 +90,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 
 	/** @var array Domains from which web-workers can be loaded */
 	protected $allowedWorkerSrcDomains = [];
+
+	/** @var array Locations to report violations to */
+	protected $reportTo = [];
 }
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index ddc7918d09..3fcef1d0ef 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -76,6 +76,9 @@ class EmptyContentSecurityPolicy {
 	/** @var array Domains from which web-workers can be loaded */
 	protected $allowedWorkerSrcDomains = null;
 
+	/** @var array Locations to report violations to */
+	protected $reportTo = null;
+
 	/**
 	 * Whether inline JavaScript snippets are allowed or forbidden
 	 * @param bool $state
@@ -383,6 +386,18 @@ class EmptyContentSecurityPolicy {
 		return $this;
 	}
 
+	/**
+	 * Add location to report CSP violations to
+	 *
+	 * @param string $location
+	 * @return $this
+	 * @since 15.0.0
+	 */
+	public function addReportTo(string $location) {
+		$this->reportTo[] = $location;
+		return $this;
+	}
+
 	/**
 	 * Get the generated Content-Security-Policy as a string
 	 * @return string
@@ -472,6 +487,11 @@ class EmptyContentSecurityPolicy {
 			$policy .= ';';
 		}
 
+		if (!empty($this->reportTo)) {
+			$policy .= 'report-uri ' . implode(' ', $this->reportTo);
+			$policy .= ';';
+		}
+
 		return rtrim($policy, ';');
 	}
 }
diff --git a/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php b/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php
index 7c30df730d..7e86903892 100644
--- a/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php
+++ b/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php
@@ -451,4 +451,19 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
 		$this->contentSecurityPolicy->addAllowedScriptDomain("'self'");
 		$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
 	}
+
+	public function testGetPolicyWithReportUri() {
+		$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';report-uri https://my-report-uri.com";
+
+		$this->contentSecurityPolicy->addReportTo("https://my-report-uri.com");
+		$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
+	}
+
+	public function testGetPolicyWithMultipleReportUri() {
+		$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';report-uri https://my-report-uri.com https://my-other-report-uri.com";
+
+		$this->contentSecurityPolicy->addReportTo("https://my-report-uri.com");
+		$this->contentSecurityPolicy->addReportTo("https://my-other-report-uri.com");
+		$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
+	}
 }