fix: Add proper feature policy

Signed-off-by: Julius Härtl <[email protected]>
nextcloud · Oct 20, 2023 · 619b6da · 619b6da
1 parent c64b603
commit 619b6da
Show file tree

Hide file tree

Showing 9 changed files with 311 additions and 151 deletions.
diff --git a/composer/composer/autoload_classmap.php b/composer/composer/autoload_classmap.php
@@ -37,8 +37,9 @@
     'OCA\\Richdocuments\\Exceptions\\ExpiredTokenException' => $baseDir . '/../lib/Exceptions/ExpiredTokenException.php',
     'OCA\\Richdocuments\\Exceptions\\UnknownTokenException' => $baseDir . '/../lib/Exceptions/UnknownTokenException.php',
     'OCA\\Richdocuments\\Helper' => $baseDir . '/../lib/Helper.php',
+    'OCA\\Richdocuments\\Listener\\AddContentSecurityPolicyListener' => $baseDir . '/../lib/Listener/AddContentSecurityPolicyListener.php',
+    'OCA\\Richdocuments\\Listener\\AddFeaturePolicyListener' => $baseDir . '/../lib/Listener/AddFeaturePolicyListener.php',
     'OCA\\Richdocuments\\Listener\\BeforeFetchPreviewListener' => $baseDir . '/../lib/Listener/BeforeFetchPreviewListener.php',
-    'OCA\\Richdocuments\\Listener\\CSPListener' => $baseDir . '/../lib/Listener/CSPListener.php',
     'OCA\\Richdocuments\\Listener\\FileCreatedFromTemplateListener' => $baseDir . '/../lib/Listener/FileCreatedFromTemplateListener.php',
     'OCA\\Richdocuments\\Listener\\LoadViewerListener' => $baseDir . '/../lib/Listener/LoadViewerListener.php',
     'OCA\\Richdocuments\\Listener\\ReferenceListener' => $baseDir . '/../lib/Listener/ReferenceListener.php',

diff --git a/composer/composer/autoload_static.php b/composer/composer/autoload_static.php
@@ -52,8 +52,9 @@ class ComposerStaticInitRichdocuments
         'OCA\\Richdocuments\\Exceptions\\ExpiredTokenException' => __DIR__ . '/..' . '/../lib/Exceptions/ExpiredTokenException.php',
         'OCA\\Richdocuments\\Exceptions\\UnknownTokenException' => __DIR__ . '/..' . '/../lib/Exceptions/UnknownTokenException.php',
         'OCA\\Richdocuments\\Helper' => __DIR__ . '/..' . '/../lib/Helper.php',
+        'OCA\\Richdocuments\\Listener\\AddContentSecurityPolicyListener' => __DIR__ . '/..' . '/../lib/Listener/AddContentSecurityPolicyListener.php',
+        'OCA\\Richdocuments\\Listener\\AddFeaturePolicyListener' => __DIR__ . '/..' . '/../lib/Listener/AddFeaturePolicyListener.php',
         'OCA\\Richdocuments\\Listener\\BeforeFetchPreviewListener' => __DIR__ . '/..' . '/../lib/Listener/BeforeFetchPreviewListener.php',
-        'OCA\\Richdocuments\\Listener\\CSPListener' => __DIR__ . '/..' . '/../lib/Listener/CSPListener.php',
         'OCA\\Richdocuments\\Listener\\FileCreatedFromTemplateListener' => __DIR__ . '/..' . '/../lib/Listener/FileCreatedFromTemplateListener.php',
         'OCA\\Richdocuments\\Listener\\LoadViewerListener' => __DIR__ . '/..' . '/../lib/Listener/LoadViewerListener.php',
         'OCA\\Richdocuments\\Listener\\ReferenceListener' => __DIR__ . '/..' . '/../lib/Listener/ReferenceListener.php',

diff --git a/lib/AppConfig.php b/lib/AppConfig.php
@@ -13,6 +13,9 @@
 
 use \OCP\IConfig;
 use OCA\Richdocuments\AppInfo\Application;
+use OCA\Richdocuments\Service\FederationService;
+use OCP\App\IAppManager;
+use OCP\GlobalScale\IConfig as GlobalScaleConfig;
 
 class AppConfig {
 	public const WOPI_URL = 'wopi_url';
@@ -28,7 +31,7 @@ class AppConfig {
 	// Default: 'no', set to 'yes' to enable
 	public const USE_SECURE_VIEW_ADDITIONAL_MIMES = 'use_secure_view_additional_mimes';
 
-	private $defaults = [
+	private array $defaults = [
 		'wopi_url' => '',
 		'timeout' => 15,
 		'watermark_text' => '{userId}',
@@ -46,15 +49,15 @@ class AppConfig {
 		'watermark_linkTagsList' => 'array'
 	];
 
-	/** @var IConfig */
-	private $config;
-
-	public function __construct(IConfig $config) {
-		$this->config = $config;
+	public function __construct(
+		private IConfig $config,
+		private IAppManager $appManager,
+		private GlobalScaleConfig $globalScaleConfig,
+	) {
 	}
 
 	public function getAppNamespace($key) {
-		if (strpos($key, 'watermark_') === 0) {
+		if (str_starts_with($key, 'watermark_')) {
 			return self::WATERMARK_APP_NAMESPACE;
 		}
 		return Application::APPNAME;
@@ -186,4 +189,57 @@ public function getWopiOverride(): array {
 	public function useSecureViewAdditionalMimes(): bool {
 		return $this->config->getAppValue(Application::APPNAME, self::USE_SECURE_VIEW_ADDITIONAL_MIMES, 'no') === 'yes';
 	}
+
+	public function getDomainList(): array {
+		$urls = array_merge(
+			[ $this->domainOnly($this->getCollaboraUrlPublic()) ],
+			$this->getFederationDomains(),
+			$this->getGSDomains()
+		);
+
+		return array_filter($urls);
+	}
+
+	private function getFederationDomains(): array {
+		if (!$this->appManager->isEnabledForUser('federation')) {
+			return [];
+		}
+
+		$federationService = \OCP\Server::get(FederationService::class);
+		$trustedNextcloudDomains = array_filter(array_map(function ($server) use ($federationService) {
+			return $federationService->isTrustedRemote($server) ? $server : null;
+		}, $federationService->getTrustedServers()));
+
+		$trustedCollaboraDomains = array_filter(array_map(function ($server) use ($federationService) {
+			try {
+				return $federationService->getRemoteCollaboraURL($server);
+			} catch (\Exception $e) {
+				// If there is no remote collabora server we can just skip that
+				return null;
+			}
+		}, $trustedNextcloudDomains));
+
+		return array_map(function ($url) {
+			return $this->domainOnly($url);
+		}, array_merge($trustedNextcloudDomains, $trustedCollaboraDomains));
+	}
+
+	private function getGSDomains(): array {
+		if (!$this->globalScaleConfig->isGlobalScaleEnabled()) {
+			return [];
+		}
+
+		return $this->getGlobalScaleTrustedHosts();
+	}
+
+	/**
+	 * Strips the path and query parameters from the URL.
+	 */
+	private function domainOnly(string $url): string {
+		$parsedUrl = parse_url($url);
+		$scheme = isset($parsedUrl['scheme']) ? $parsedUrl['scheme'] . '://' : '';
+		$host = $parsedUrl['host'] ?? '';
+		$port = isset($parsedUrl['port']) ? ':' . $parsedUrl['port'] : '';
+		return "$scheme$host$port";
+	}
 }
diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
@@ -28,8 +28,9 @@
 use OCA\Richdocuments\AppConfig;
 use OCA\Richdocuments\Capabilities;
 use OCA\Richdocuments\Db\WopiMapper;
+use OCA\Richdocuments\Listener\AddContentSecurityPolicyListener;
+use OCA\Richdocuments\Listener\AddFeaturePolicyListener;
 use OCA\Richdocuments\Listener\BeforeFetchPreviewListener;
-use OCA\Richdocuments\Listener\CSPListener;
 use OCA\Richdocuments\Listener\FileCreatedFromTemplateListener;
 use OCA\Richdocuments\Listener\LoadViewerListener;
 use OCA\Richdocuments\Listener\ReferenceListener;
@@ -60,6 +61,7 @@
 use OCP\IPreview;
 use OCP\Preview\BeforePreviewFetchedEvent;
 use OCP\Security\CSP\AddContentSecurityPolicyEvent;
+use OCP\Security\FeaturePolicy\AddFeaturePolicyEvent;
 use OCP\Server;
 
 class Application extends App implements IBootstrap {
@@ -75,7 +77,8 @@ public function register(IRegistrationContext $context): void {
 		$context->registerCapability(Capabilities::class);
 		$context->registerMiddleWare(WOPIMiddleware::class);
 		$context->registerEventListener(FileCreatedFromTemplateEvent::class, FileCreatedFromTemplateListener::class);
-		$context->registerEventListener(AddContentSecurityPolicyEvent::class, CSPListener::class);
+		$context->registerEventListener(AddContentSecurityPolicyEvent::class, AddContentSecurityPolicyListener::class);
+		$context->registerEventListener(AddFeaturePolicyEvent::class, AddFeaturePolicyListener::class);
 		$context->registerEventListener(LoadViewer::class, LoadViewerListener::class);
 		$context->registerEventListener(ShareLinkAccessedEvent::class, ShareLinkListener::class);
 		$context->registerEventListener(BeforePreviewFetchedEvent::class, BeforeFetchPreviewListener::class);

diff --git a/lib/Listener/AddContentSecurityPolicyListener.php b/lib/Listener/AddContentSecurityPolicyListener.php
@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2022 Julius Härtl <[email protected]>
+ *
+ * @author Julius Härtl <[email protected]>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCA\Richdocuments\Listener;
+
+use OCA\Richdocuments\AppConfig;
+use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\IRequest;
+use OCP\Security\CSP\AddContentSecurityPolicyEvent;
+
+/** @template-implements IEventListener<Event|AddContentSecurityPolicyEvent> */
+class AddContentSecurityPolicyListener implements IEventListener {
+	public function __construct(
+		private IRequest $request,
+		private AppConfig $config,
+	) {
+	}
+
+	public function handle(Event $event): void {
+		if (!$event instanceof AddContentSecurityPolicyEvent) {
+			return;
+		}
+
+		if (!$this->isPageLoad()) {
+			return;
+		}
+
+		$policy = new EmptyContentSecurityPolicy();
+		$policy->addAllowedFrameDomain("'self'");
+		$policy->addAllowedFrameDomain("nc:");
+
+		foreach ($this->config->getDomainList() as $url) {
+			$policy->addAllowedFrameDomain($url);
+			$policy->addAllowedFormActionDomain($url);
+			$policy->addAllowedFrameAncestorDomain($url);
+			$policy->addAllowedImageDomain($url);
+		}
+
+		$event->addPolicy($policy);
+	}
+
+	private function isPageLoad(): bool {
+		$scriptNameParts = explode('/', $this->request->getScriptName());
+		return end($scriptNameParts) === 'index.php';
+	}
+}
diff --git a/lib/Listener/AddFeaturePolicyListener.php b/lib/Listener/AddFeaturePolicyListener.php
@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2022 Julius Härtl <[email protected]>
+ *
+ * @author Julius Härtl <[email protected]>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCA\Richdocuments\Listener;
+
+use OCA\Richdocuments\AppConfig;
+use OCP\AppFramework\Http\FeaturePolicy;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\IRequest;
+use OCP\Security\FeaturePolicy\AddFeaturePolicyEvent;
+
+/** @template-implements IEventListener<Event|AddFeaturePolicyEvent> */
+class AddFeaturePolicyListener implements IEventListener {
+	public function __construct(
+		private IRequest $request,
+		private AppConfig $config,
+	) {
+	}
+
+	public function handle(Event $event): void {
+		if (!$event instanceof AddFeaturePolicyEvent) {
+			return;
+		}
+
+		if (!$this->isPageLoad()) {
+			return;
+		}
+
+		$policy = new FeaturePolicy();
+
+		foreach ($this->config->getDomainList() as $url) {
+			$policy->addAllowedFullScreenDomain($url);
+		}
+
+		$event->addPolicy($policy);
+	}
+
+	private function isPageLoad(): bool {
+		$scriptNameParts = explode('/', $this->request->getScriptName());
+		return end($scriptNameParts) === 'index.php';
+	}
+}