MC-19926: Implement CSP

Author: Oleksandr Gorkun

app/code/Magento/Csp/Model/Collector/Config/FetchPolicyReader.php

@@ -30,7 +30,8 @@ public function read(string $id, $value): PolicyInterface
             !empty($value['eval']),
             [],
             [],
-            !empty($value['dynamic'])
+            !empty($value['dynamic']),
+            !empty($value['event_handlers'])
         );
     }
 

app/code/Magento/Csp/Model/Collector/CspWhitelistXmlCollector.php

@@ -47,7 +47,9 @@ public function collect(array $defaultPolicies = []): array
                 false,
                 false,
                 [],
-                $values['hashes']
+                $values['hashes'],
+                false,
+                false
             );
         }
 

app/code/Magento/Csp/Model/Collector/FetchPolicyMerger.php

@@ -0,0 +1,47 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Model\Collector;
+
+use Magento\Csp\Api\Data\PolicyInterface;
+use Magento\Csp\Model\Policy\FetchPolicy;
+
+/**
+ * @inheritDoc
+ */
+class FetchPolicyMerger implements MergerInterface
+{
+    /**
+     * @inheritDoc
+     */
+    public function merge(PolicyInterface $policy1, PolicyInterface $policy2): PolicyInterface
+    {
+        /** @var FetchPolicy $policy1 */
+        /** @var FetchPolicy $policy2 */
+        return new FetchPolicy(
+            $policy1->getId(),
+            $policy1->isNoneAllowed() || $policy2->isNoneAllowed(),
+            array_unique(array_merge($policy1->getHostSources(), $policy2->getHostSources())),
+            array_unique(array_merge($policy1->getSchemeSources(), $policy2->getSchemeSources())),
+            $policy1->isSelfAllowed() || $policy2->isSelfAllowed(),
+            $policy1->isInlineAllowed() || $policy2->isInlineAllowed(),
+            $policy1->isEvalAllowed() || $policy2->isEvalAllowed(),
+            array_unique(array_merge($policy1->getNonceValues(), $policy2->getNonceValues())),
+            array_merge($policy1->getHashes(), $policy2->getHashes()),
+            $policy1->isDynamicAllowed() || $policy2->isDynamicAllowed(),
+            $policy1->areEventHandlersAllowed() || $policy2->areEventHandlersAllowed()
+        );
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function canMerge(PolicyInterface $policy1, PolicyInterface $policy2): bool
+    {
+        return ($policy1 instanceof FetchPolicy) && ($policy2 instanceof FetchPolicy);
+    }
+}

app/code/Magento/Csp/Model/Collector/FlagPolicyMerger.php

@@ -0,0 +1,33 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Model\Collector;
+
+use Magento\Csp\Api\Data\PolicyInterface;
+use Magento\Csp\Model\Policy\FlagPolicy;
+
+/**
+ * @inheritDoc
+ */
+class FlagPolicyMerger implements MergerInterface
+{
+    /**
+     * @inheritDoc
+     */
+    public function merge(PolicyInterface $policy1, PolicyInterface $policy2): PolicyInterface
+    {
+        return $policy1;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function canMerge(PolicyInterface $policy1, PolicyInterface $policy2): bool
+    {
+        return ($policy1 instanceof FlagPolicy) && ($policy2 instanceof FlagPolicy);
+    }
+}

app/code/Magento/Csp/Model/Collector/MergerInterface.php

@@ -0,0 +1,34 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Model\Collector;
+
+use Magento\Csp\Api\Data\PolicyInterface;
+
+/**
+ * Merges policies with the same ID in order to have only 1 policy DTO-per-policy.
+ */
+interface MergerInterface
+{
+    /**
+     * Merges 2 found policies into 1.
+     *
+     * @param PolicyInterface $policy1
+     * @param PolicyInterface $policy2
+     * @return PolicyInterface
+     */
+    public function merge(PolicyInterface $policy1, PolicyInterface $policy2): PolicyInterface;
+
+    /**
+     * Whether current merger can merge given 2 policies.
+     *
+     * @param PolicyInterface $policy1
+     * @param PolicyInterface $policy2
+     * @return bool
+     */
+    public function canMerge(PolicyInterface $policy1, PolicyInterface $policy2): bool;
+}

app/code/Magento/Csp/Model/Collector/PluginTypesPolicyMerger.php

@@ -0,0 +1,35 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Model\Collector;
+
+use Magento\Csp\Api\Data\PolicyInterface;
+use Magento\Csp\Model\Policy\PluginTypesPolicy;
+
+/**
+ * @inheritDoc
+ */
+class PluginTypesPolicyMerger implements MergerInterface
+{
+    /**
+     * @inheritDoc
+     */
+    public function merge(PolicyInterface $policy1, PolicyInterface $policy2): PolicyInterface
+    {
+        /** @var PluginTypesPolicy $policy1 */
+        /** @var PluginTypesPolicy $policy2 */
+        return new PluginTypesPolicy(array_unique(array_merge($policy1->getTypes(), $policy2->getTypes())));
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function canMerge(PolicyInterface $policy1, PolicyInterface $policy2): bool
+    {
+        return ($policy1 instanceof PluginTypesPolicy) && ($policy2 instanceof PluginTypesPolicy);
+    }
+}

app/code/Magento/Csp/Model/Collector/SandboxPolicyMerger.php

@@ -0,0 +1,47 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Model\Collector;
+
+use Magento\Csp\Api\Data\PolicyInterface;
+use Magento\Csp\Model\Policy\SandboxPolicy;
+
+/**
+ * @inheritDoc
+ */
+class SandboxPolicyMerger implements MergerInterface
+{
+    /**
+     * @inheritDoc
+     */
+    public function merge(PolicyInterface $policy1, PolicyInterface $policy2): PolicyInterface
+    {
+        /** @var SandboxPolicy $policy1 */
+        /** @var SandboxPolicy $policy2 */
+        return new SandboxPolicy(
+            $policy1->isFormAllowed() || $policy2->isFormAllowed(),
+            $policy1->isModalsAllowed() || $policy2->isModalsAllowed(),
+            $policy1->isOrientationLockAllowed() || $policy2->isOrientationLockAllowed(),
+            $policy1->isPointerLockAllowed() || $policy2->isPointerLockAllowed(),
+            $policy1->isPopupsAllowed() || $policy2->isPopupsAllowed(),
+            $policy1->isPopupsToEscapeSandboxAllowed() || $policy2->isPopupsToEscapeSandboxAllowed(),
+            $policy1->isPresentationAllowed() || $policy2->isPresentationAllowed(),
+            $policy1->isSameOriginAllowed() || $policy2->isSameOriginAllowed(),
+            $policy1->isScriptsAllowed() || $policy2->isScriptsAllowed(),
+            $policy1->isTopNavigationAllowed() || $policy2->isTopNavigationAllowed(),
+            $policy1->isTopNavigationByUserActivationAllowed() || $policy2->isTopNavigationByUserActivationAllowed()
+        );
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function canMerge(PolicyInterface $policy1, PolicyInterface $policy2): bool
+    {
+        return ($policy1 instanceof SandboxPolicy) && ($policy2 instanceof SandboxPolicy);
+    }
+}

app/code/Magento/Csp/Model/CompositePolicyCollector.php

@@ -7,7 +7,9 @@
 
 namespace Magento\Csp\Model;
 
+use Magento\Csp\Api\Data\PolicyInterface;
 use Magento\Csp\Api\PolicyCollectorInterface;
+use Magento\Csp\Model\Collector\MergerInterface;
 
 /**
  * Delegates collecting to multiple collectors.
@@ -19,12 +21,38 @@ class CompositePolicyCollector implements PolicyCollectorInterface
      */
     private $collectors;
 
+    /**
+     * @var MergerInterface[]
+     */
+    private $mergers;
+
     /**
      * @param PolicyCollectorInterface[] $collectors
+     * @param MergerInterface[] $mergers
      */
-    public function __construct(array $collectors)
+    public function __construct(array $collectors, array $mergers)
     {
         $this->collectors = $collectors;
+        $this->mergers = $mergers;
+    }
+
+    /**
+     * Merge 2 policies with the same ID.
+     *
+     * @param PolicyInterface $policy1
+     * @param PolicyInterface $policy2
+     * @return PolicyInterface
+     * @throws \RuntimeException When failed to merge.
+     */
+    private function merge(PolicyInterface $policy1, PolicyInterface $policy2): PolicyInterface
+    {
+        foreach ($this->mergers as $merger) {
+            if ($merger->canMerge($policy1, $policy2)) {
+                return $merger->merge($policy1, $policy2);
+            }
+        }
+
+        throw new \RuntimeException(sprintf('Merge for policies #%s was not found', $policy1->getId()));
     }
 
     /**
@@ -36,7 +64,17 @@ public function collect(array $defaultPolicies = []): array
         foreach ($this->collectors as $collector) {
             $collected = $collector->collect($collected);
         }
+        //Merging policies.
+        /** @var PolicyInterface[] $result */
+        $result = [];
+        foreach ($collected as $policy) {
+            if (array_key_exists($policy->getId(), $result)) {
+                $result[$policy->getId()] = $this->merge($result[$policy->getId()], $policy);
+            } else {
+                $result[$policy->getId()] = $policy;
+            }
+        }
 
-        return $collected;
+        return array_values($result);
     }
 }

app/code/Magento/Csp/Model/Policy/FetchPolicy.php

@@ -82,6 +82,11 @@ class FetchPolicy implements SimplePolicyInterface
      */
     private $dynamicAllowed;
 
+    /**
+     * @var bool
+     */
+    private $eventHandlersAllowed;
+
     /**
      * @param string $id
      * @param bool $noneAllowed
@@ -93,6 +98,7 @@ class FetchPolicy implements SimplePolicyInterface
      * @param string[] $nonceValues
      * @param string[] $hashValues
      * @param bool $dynamicAllowed
+     * @param bool $eventHandlersAllowed
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -105,7 +111,8 @@ public function __construct(
         bool $evalAllowed = false,
         array $nonceValues = [],
         array $hashValues = [],
-        bool $dynamicAllowed = false
+        bool $dynamicAllowed = false,
+        bool $eventHandlersAllowed = false
     ) {
         $this->id = $id;
         $this->noneAllowed = $noneAllowed;
@@ -117,6 +124,7 @@ public function __construct(
         $this->nonceValues = array_unique($nonceValues);
         $this->hashes = $hashValues;
         $this->dynamicAllowed = $dynamicAllowed;
+        $this->eventHandlersAllowed = $eventHandlersAllowed;
     }
 
     /**
@@ -213,6 +221,9 @@ public function getValue(): string
             if ($this->isDynamicAllowed()) {
                 $sources[] = '\'strict-dynamic\'';
             }
+            if ($this->areEventHandlersAllowed()) {
+                $sources[] = '\'unsafe-hashes\'';
+            }
             foreach ($this->getNonceValues() as $nonce) {
                 $sources[] = '\'nonce-' .base64_encode($nonce) .'\'';
             }
@@ -257,4 +268,14 @@ public function isDynamicAllowed(): bool
     {
         return $this->dynamicAllowed;
     }
+
+    /**
+     * Allows to whitelist event handlers (but not javascript: URLs) with hashes.
+     *
+     * @return bool
+     */
+    public function areEventHandlersAllowed(): bool
+    {
+        return $this->eventHandlersAllowed;
+    }
 }

app/code/Magento/Csp/etc/config.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
+    <default>
+        <csp>
+            <mode>
+                <storefront>
+                    <report_only>1</report_only>
+                </storefront>
+                <admin>
+                    <report_only>1</report_only>
+                </admin>
+            </mode>
+        </csp>
+    </default>
+</config>