
Commit 1a3f08d

Read cspScriptNonce from latest request
Use Router::getRequest() to access the request from before controllers were dispatched and after middleware have been run. This should ensure that the CSP script nonce is present in the request. Refs #943
1 parent dda757e commit 1a3f08d


2 files changed

+15
-20
lines changed

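--- a/src/ToolbarService.php
+++ b/src/ToolbarService.php
@@ -25,7 +25,6 @@
 use DebugKit\Panel\PanelRegistry;
 use PDOException;
 use Psr\Http\Message\ResponseInterface;
-use Psr\Http\Message\ServerRequestInterface;
 
 /**
 * Used to create the panels and inject a toolbar into
@@ -338,11 +337,10 @@ public function getToolbarUrl()
 * contains HTML and there is a </body> tag.
 *
 * @param \DebugKit\Model\Entity\Request $row The request data to inject.
-* @param \Psr\Http\Message\ServerRequestInterface $request The request to augment.
 * @param \Psr\Http\Message\ResponseInterface $response The response to augment.
 * @return \Psr\Http\Message\ResponseInterface The modified response
 */
-public function injectScripts($row, ServerRequestInterface $request, ResponseInterface $response)
+public function injectScripts($row, ResponseInterface $response)
 {
 $response = $response->withHeader('X-DEBUGKIT-ID', (string)$row->id);
 if (strpos($response->getHeaderLine('Content-Type'), 'html') === false) {
@@ -359,9 +357,14 @@ public function injectScripts($row, ServerRequestInterface $request, ResponseInt
 if ($pos === false) {
 return $response;
 }
-$nonce = $request->getAttribute('cspScriptNonce');
-if ($nonce) {
-$nonce = sprintf(' nonce="%s"', $nonce);
+// Use Router to get the request so that we can see the
+// state after other middleware have been applied.
+$request = Router::getRequest();
+if ($request) {
+$nonce = $request->getAttribute('cspScriptNonce');
+if ($nonce) {
+$nonce = sprintf(' nonce="%s"', $nonce);
+}
 }
 
 $url = Router::url('/', true);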
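Review bot: `$nonce` is now left unassigned whenever `Router::getRequest()` returns null, because the new block at lines 360-367 only sets it inside `if ($request)`, whereas the removed code assigned it unconditionally; the later use of `$nonce` in the injected script tag, which lies past the end of this hunk since injectScripts continues beyond it, would then trip an undefined-variable notice. Initialise it before the lookup with `$nonce = '';` directly above `$request = Router::getRequest();`. `Router::getRequest()` is static global state, so on any path where no middleware called `Router::setRequest()` the toolbar script is emitted without a nonce and a strict CSP blocks it silently; a debug-level log in the missing-request branch would make that failure mode visible. The nonce is interpolated into an HTML attribute via sprintf with no escaping, which is only safe as long as the value is the one generated by the CSP middleware, so a comment such as `// cspScriptNonce is generated by CspMiddleware, not user-controlled` would record that assumption.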

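--- a/tests/TestCase/ToolbarServiceTest.php
+++ b/tests/TestCase/ToolbarServiceTest.php
@@ -22,6 +22,7 @@
 use Cake\Http\Response;
 use Cake\Http\ServerRequest as Request;
 use Cake\Log\Log;
+use Cake\Routing\Router;
 use Cake\TestSuite\TestCase;
 use DebugKit\Model\Entity\Request as RequestEntity;
 use DebugKit\ToolbarService;
@@ -294,6 +295,7 @@ public function testInjectScriptsLastBodyTag()
 'url' => '/articles',
 'environment' => ['REQUEST_METHOD' => 'GET'],
 ]);
+Router::setRequest($request);
 $response = new Response([
 'statusCode' => 200,
 'type' => 'text/html',
@@ -303,7 +305,7 @@ public function testInjectScriptsLastBodyTag()
 $bar = new ToolbarService($this->events, []);
 $bar->loadPanels();
 $row = $bar->saveData($request, $response);
-$response = $bar->injectScripts($row, $request, $response);
+$response = $bar->injectScripts($row, response);
 
 $timeStamp = filemtime(Plugin::path('DebugKit') . 'webroot' . DS . 'js' . DS . 'main.js');
 
@@ -322,10 +324,6 @@ public function testInjectScriptsLastBodyTag()
 */
 public function testInjectScriptsFileBodies()
 {
-$request = new Request([
-'url' => '/articles',
-'params' => ['plugin' => null],
-]);
 $response = new Response([
 'statusCode' => 200,
 'type' => 'text/html',
@@ -335,7 +333,7 @@ public function testInjectScriptsFileBodies()
 $bar = new ToolbarService($this->events, []);
 $row = new RequestEntity(['id' => 'abc123']);
 
-$result = $bar->injectScripts($row, $request, $response);
+$result = $bar->injectScripts($row, $response);
 $this->assertInstanceOf('Cake\Http\Response', $result);
 $this->assertSame(file_get_contents(__FILE__), '' . $result->getBody());
 $this->assertTrue($result->hasHeader('X-DEBUGKIT-ID'), 'Should have a tracking id');
@@ -348,10 +346,6 @@ public function testInjectScriptsFileBodies()
 */
 public function testInjectScriptsStreamBodies()
 {
-$request = new Request([
-'url' => '/articles',
-'params' => ['plugin' => null],
-]);
 $response = new Response([
 'statusCode' => 200,
 'type' => 'text/html',
@@ -361,7 +355,7 @@ public function testInjectScriptsStreamBodies()
 $bar = new ToolbarService($this->events, []);
 $row = new RequestEntity(['id' => 'abc123']);
 
-$result = $bar->injectScripts($row, $request, $response);
+$result = $bar->injectScripts($row, $response);
 $this->assertInstanceOf('Cake\Http\Response', $result);
 $this->assertSame('I am a teapot!', (string)$response->getBody());
 }
@@ -373,8 +367,6 @@ public function testInjectScriptsStreamBodies()
 */
 public function testInjectScriptsNoModifyResponse()
 {
-$request = new Request(['url' => '/articles']);
-
 $response = new Response([
 'statusCode' => 200,
 'type' => 'application/json',
@@ -385,7 +377,7 @@ public function testInjectScriptsNoModifyResponse()
 $bar->loadPanels();
 
 $row = $bar->saveData($request, $response);
-$response = $bar->injectScripts($row, $request, $response);
+$response = $bar->injectScripts($row, $response);
 $this->assertTextEquals('{"some":"json"}', (string)$response->getBody());
 $this->assertTrue($response->hasHeader('X-DEBUGKIT-ID'), 'Should have a tracking id');
 }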
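Review bot: The new call in testInjectScriptsLastBodyTag drops the `$`: `$response = $bar->injectScripts($row, response);` passes the undefined constant `response` to a `ResponseInterface`-typed parameter, which fails at runtime, and it should read `$response = $bar->injectScripts($row, $response);`. In testInjectScriptsNoModifyResponse the hunk at old line 376 removes the only visible `$request` assignment, yet the later context line `$row = $bar->saveData($request, $response);` still reads it, so unless `$request` is reassigned in the lines between those two hunks that test now hands an undefined variable to saveData. `Router::setRequest($request)` is process-wide static state that outlives the test that set it, so add `Router::reload();` to the class tearDown to keep the nonce lookup in the other tests independent of ordering. The bodies of testInjectScriptsLastBodyTag and testInjectScriptsNoModifyResponse begin and continue outside the hunks shown here.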
