Allow modules to adjust the CSP headers through a dedicated hook.

Author: w1ll-i-code

application/controllers/NavigationController.php

@@ -7,9 +7,9 @@
 use Icinga\Application\Config;
 use Icinga\Exception\NotFoundError;
 use Icinga\Data\DataArray\ArrayDatasource;
-use Icinga\Data\Filter\FilterMatchCaseInsensitive;
 use Icinga\Forms\ConfirmRemovalForm;
 use Icinga\Forms\Navigation\NavigationConfigForm;
+use Icinga\Util\NavigationItemHelper;
 use Icinga\Web\Controller;
 use Icinga\Web\Form;
 use Icinga\Web\Menu;
@@ -65,63 +65,12 @@ protected function listItemTypes()
         return $types;
     }
 
-    /**
-     * Return all shared navigation item configurations
-     *
-     * @param   string  $owner  A username if only items shared by a specific user are desired
-     *
-     * @return  array
-     */
-    protected function fetchSharedNavigationItemConfigs($owner = null)
-    {
-        $configs = array();
-        foreach ($this->itemTypeConfig as $type => $_) {
-            $config = Config::navigation($type);
-            $config->getConfigObject()->setKeyColumn('name');
-            $query = $config->select();
-            if ($owner !== null) {
-                $query->applyFilter(new FilterMatchCaseInsensitive('owner', '=', $owner));
-            }
-
-            foreach ($query as $itemConfig) {
-                $configs[] = $itemConfig;
-            }
-        }
-
-        return $configs;
-    }
-
-    /**
-     * Return all user navigation item configurations
-     *
-     * @param   string  $username
-     *
-     * @return  array
-     */
-    protected function fetchUserNavigationItemConfigs($username)
-    {
-        $configs = array();
-        foreach ($this->itemTypeConfig as $type => $_) {
-            $config = Config::navigation($type, $username);
-            $config->getConfigObject()->setKeyColumn('name');
-            foreach ($config->select() as $itemConfig) {
-                $configs[] = $itemConfig;
-            }
-        }
-
-        return $configs;
-    }
-
     /**
      * Show the current user a list of their navigation items
      */
     public function indexAction()
     {
-        $user = $this->Auth()->getUser();
-        $ds = new ArrayDatasource(array_merge(
-            $this->fetchSharedNavigationItemConfigs($user->getUsername()),
-            $this->fetchUserNavigationItemConfigs($user->getUsername())
-        ));
+        $ds = new ArrayDatasource(NavigationItemHelper::fetchUserNavigationItems($this->Auth()->getUser()));
         $query = $ds->select();
 
         $this->view->types = $this->listItemTypes();

application/forms/Config/General/ApplicationConfigForm.php

@@ -4,8 +4,10 @@
 namespace Icinga\Forms\Config\General;
 
 use Icinga\Application\Icinga;
+use Icinga\Authentication\Auth;
 use Icinga\Data\ResourceFactory;
 use Icinga\Web\Form;
+use Icinga\Util\Csp;
 
 /**
  * Configuration form for general application options
@@ -60,13 +62,20 @@ public function createElements(array $formData)
             'security_use_strict_csp',
             [
                 'label'         => $this->translate('Enable strict content security policy'),
+                'autosubmit'    => true,
                 'description'   => $this->translate(
                     'Set whether to use strict content security policy (CSP).'
                     . ' This setting helps to protect from cross-site scripting (XSS).'
                 )
             ]
         );
 
+        if ($formData['security_use_strict_csp']) {
+            Csp::createNonce();
+            $header = Csp::getContentSecurityPolicy(Auth::getInstance()->getUser());
+            $this->addHint("Content-Security-Policy: $header");
+        }
+
         $this->addElement(
             'text',
             'global_module_path',

library/Icinga/Application/Hook/CspDirectiveHook.php

@@ -0,0 +1,18 @@
+<?php
+/* Icinga Web 2 | (c) 2022 Icinga GmbH | GPLv2+ */
+
+namespace Icinga\Application\Hook;
+
+abstract class CspDirectiveHook
+{
+    /**
+     * Allow the module to provide custom directives for the CSP header. The return value should be an array
+     * with directive as the key and the policies in an array as the value. The valid values can either be
+     * a concrete host, whitelisting subdomains for hosts or a custom nonce for that module.
+     *
+     * Example: [ 'img-src' => [ 'https://*.media.tumblr.com', 'https://http.cat/' ] ]
+     *
+     * @return array<string, string[]> The CSP directives are the keys and the policies the values.
+     */
+    abstract public function getCspDirectives(): array;
+}

library/Icinga/Util/Csp.php

@@ -4,6 +4,13 @@
 
 namespace Icinga\Util;
 
+use Icinga\Application\Hook;
+use Icinga\Application\Hook\CspDirectiveHook;
+use Icinga\Application\Icinga;
+use Icinga\Application\Logger;
+use Icinga\Authentication\Auth;
+use Icinga\Data\ConfigObject;
+use Icinga\User;
 use Icinga\Web\Response;
 use Icinga\Web\Window;
 use RuntimeException;
@@ -45,17 +52,131 @@ private function __construct()
      */
     public static function addHeader(Response $response): void
     {
+        $user = Auth::getInstance()->getUser();
+        $header = static::getContentSecurityPolicy($user);
+        Logger::debug("Setting Content-Security-Policy header for user {$user->getUsername()} to $header");
+        $response->setHeader('Content-Security-Policy', $header, true);
+    }
+
+    /**
+     * Get the Content-Security-Policy for a specific user.
+     *
+     * @param User $user
+     *
+     * @throws RuntimeException If no nonce set for CSS
+     *
+     * @return string Returns the generated header value.
+     */
+    public static function getContentSecurityPolicy(User $user): string {
         $csp = static::getInstance();
 
         if (empty($csp->styleNonce)) {
             throw new RuntimeException('No nonce set for CSS');
         }
 
-        $response->setHeader(
-            'Content-Security-Policy',
-            "script-src 'self'; style-src 'self' 'nonce-$csp->styleNonce';",
-            true
-        );
+        // These are the default directives that should always be enforced. 'self' is valid for all
+        // directives and will therefor not be listed here.
+        $cspDirectives = [
+            'style-src' => ["'nonce-{$csp->styleNonce}'"],
+            'font-src' => ["data:"],
+            'img-src' => ["data:"],
+            'frame-src' => []
+        ];
+
+        // Whitelist the hosts in the custom NavigationItems configured for the user,
+        // so that the iframes can be rendered properly.
+        /** @var array<ConfigObject> $navigationItems */
+        $navigationItems = NavigationItemHelper::fetchUserNavigationItems($user);
+        foreach ($navigationItems as $navigationItem) {
+
+            // Skip the host if the link gets opened in a new window.
+            if ($navigationItem->get("target", "") === "_blank") {
+                continue;
+            }
+
+            $name = $navigationItem->get("name", "");
+            $url = $navigationItem->get("url", "");
+
+            $scheme = parse_url($url, PHP_URL_SCHEME);
+            $host = parse_url($url, PHP_URL_HOST);
+
+            if ($host === null || !static::validateCspPolicy("NavigationItem '$name'", "frame-src", $host)) {
+                continue;
+            }
+
+            $policy = $host;
+            if ($scheme !== null) {
+                $policy = "$scheme://$host";
+            }
+
+            $cspDirectives['frame-src'][] = $policy;
+        }
+
+        // Allow modules to add their own csp directives in a limited fashion.
+        /** @var CspDirectiveHook $hook */
+        foreach (Hook::all('CspDirective') as $hook) {
+            foreach ($hook->getCspDirectives() as $directive => $policies) {
+
+                // policy names contain only lowercase letters and '-'. Reject anything else.
+                if (!preg_match('|^[a-z\-]+$|', $directive)) {
+                    $errorSource = get_class($hook);
+                    Logger::debug("$errorSource: Invalid CSP directive found: $directive");
+                    continue;
+                }
+
+                // The default-src can only ever be 'self'. Disallow any updates to it.
+                if ($directive === "default-src") {
+                    $errorSource = get_class($hook);
+                    Logger::debug("$errorSource: Changing default-src is forbidden.");
+                    continue;
+                }
+
+                $cspDirectives[$directive] = $cspDirectives[$directive] ?? [];
+                foreach ($policies as $policy) {
+                    $source = get_class($hook);
+                    if (!static::validateCspPolicy($source, $directive, $policy)) {
+                        continue;
+                    }
+
+                    $cspDirectives[$directive][] = $policy;
+                }
+            }
+        }
+
+        $header = "default-src 'self'; ";
+        foreach ($cspDirectives as $directive => $policies) {
+            if (!empty($policies)) {
+                $header .= ' ' . implode(' ', array_merge([$directive, "'self'"], array_unique($policies))) . ';';
+            }
+        }
+
+        return $header;
+    }
+
+    public static function validateCspPolicy(string $source, string $directive, string $policy): bool {
+        // We accept the following policies:
+        //     1. Hosts: Modules can whitelist certain domains as sources for the CSP header directives.
+        //         - A host can have a specific scheme (http or https).
+        //         - A host can whitelist all subdomains with *
+        //         - A host can contain all alphanumeric characters as well as '+', '-', '_', '.', and ':'
+        //     2. Nonce: Modules are allowed to specify custom nonce for some directives.
+        //         - A nonce is enclosed in single-quotes: "'"
+        //         - A nonce begins with 'nonce-' followed by at least 22 significant characters of base64 encoded data.
+        //           as recommended by the standard: https://content-security-policy.com/nonce/
+        if (! preg_match("/^((https?:\/\/)?\*?[a-zA-Z0-9+._\-:]+|'nonce-[a-zA-Z0-9+\/]{22,}={0,3}')$/", $policy)) {
+            Logger::debug("$source: Invalid CSP policy found: $directive $policy");
+            return false;
+        }
+
+        // We refuse all overly aggressive whitelisting by default. This includes:
+        //     1. Whitelisting all Hosts with '*'
+        //     2. Whitelisting all Hosts in a tld, e.g. 'http://*.com'
+        if (preg_match('|\*(\.[a-zA-Z]+)?$|', $directive)) {
+            Logger::debug("$source: Disallowing whitelisting all hosts. $directive");
+            return false;
+        }
+
+        return true;
     }
 
     /**
@@ -67,9 +188,10 @@ public static function addHeader(Response $response): void
     public static function createNonce(): void
     {
         $csp = static::getInstance();
-        $csp->styleNonce = base64_encode(random_bytes(16));
-
-        Window::getInstance()->getSessionNamespace('csp')->set('style_nonce', $csp->styleNonce);
+        if ($csp->styleNonce === null) {
+            $csp->styleNonce = base64_encode(random_bytes(16));
+            Window::getInstance()->getSessionNamespace('csp')->set('style_nonce', $csp->styleNonce);
+        }
     }
 
     /**
@@ -79,7 +201,10 @@ public static function createNonce(): void
      */
     public static function getStyleNonce(): ?string
     {
-        return static::getInstance()->styleNonce;
+        if (Icinga::app()->isWeb()) {
+            return static::getInstance()->styleNonce;
+        }
+        return null;
     }
 
     /**

library/Icinga/Util/NavigationItemHelper.php

@@ -0,0 +1,78 @@
+<?php
+
+namespace Icinga\Util;
+
+use Icinga\Application\Config;
+use Icinga\Data\Filter\FilterMatchCaseInsensitive;
+use Icinga\User;
+use Icinga\Web\Navigation\Navigation;
+
+class NavigationItemHelper
+{
+
+    protected static $navigationItemCache = null;
+
+    public static function fetchUserNavigationItems(User $user)
+    {
+        if (self::$navigationItemCache !== null) {
+            return self::$navigationItemCache;
+        }
+
+        $itemTypeConfig = Navigation::getItemTypeConfiguration();
+        $username = $user->getUsername();
+        self::$navigationItemCache = array_merge(
+            static::fetchSharedNavigationItemConfigs($itemTypeConfig, $username),
+            static::fetchUserNavigationItemConfigs($itemTypeConfig, $username)
+        );
+
+        return self::$navigationItemCache;
+    }
+
+    /**
+     * Return all shared navigation item configurations
+     *
+     * @param   string  $owner  A username if only items shared by a specific user are desired
+     *
+     * @return  array
+     */
+    protected static function fetchSharedNavigationItemConfigs($itemTypeConfig, string $owner)
+    {
+        $configs = array();
+        foreach ($itemTypeConfig as $type => $_) {
+            $config = Config::navigation($type);
+            $config->getConfigObject()->setKeyColumn('name');
+            $query = $config->select();
+            if ($owner !== null) {
+                $query->applyFilter(new FilterMatchCaseInsensitive('owner', '=', $owner));
+            }
+
+            foreach ($query as $itemConfig) {
+                $configs[] = $itemConfig;
+            }
+        }
+
+        return $configs;
+    }
+
+    /**
+     * Return all user navigation item configurations
+     *
+     * @param   string  $username
+     *
+     * @return  array
+     */
+    protected static function fetchUserNavigationItemConfigs($itemTypeConfig, string $username)
+    {
+        $configs = array();
+        foreach ($itemTypeConfig as $type => $_) {
+            $config = Config::navigation($type, $username);
+            $config->getConfigObject()->setKeyColumn('name');
+            foreach ($config->select() as $itemConfig) {
+                $configs[] = $itemConfig;
+            }
+        }
+
+        return $configs;
+    }
+
+}