This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch gc/8479
in repository https://gitbox.apache.org/repos/asf/allura.git


The following commit(s) were added to refs/heads/gc/8479 by this push:
     new 4f561c94c fixup! fixup! [#8479] modified exisinting logic on settings 
and added support for script-src
4f561c94c is described below

commit 4f561c94cba853988d42a6de8ca36f580599e450
Author: Guillermo Cruz <[email protected]>
AuthorDate: Tue Nov 22 15:39:36 2022 -0600

    fixup! fixup! [#8479] modified existing logic on settings and added 
support for script-src
---
 Allura/allura/lib/custom_middleware.py      |  6 ++---
 Allura/allura/tests/functional/test_root.py | 36 ++++++++++++++++++-----------
 2 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/Allura/allura/lib/custom_middleware.py 
b/Allura/allura/lib/custom_middleware.py
index fa23a74fe..4ea99c6d3 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -503,10 +503,10 @@ class ContentSecurityPolicyMiddleware:
             to the middleware. In this case we pass a custom list of domains 
from google that can't be built
             directly in here.
             """
-            if environ.get('google_domains',''):
-                script_srcs = f"{script_srcs} {' 
'.join(environ['google_domains'])}"
+            if environ.get('csp_script_domains',''):
+                script_srcs = f"{script_srcs} {' 
'.join(environ['csp_script_domains'])}"
 
-            if asbool(self.config.get('csp.script_scr_enforce',False)):
+            if asbool(self.config.get('csp.script_src_enforce',False)):
                 rules.add(f"script-src {script_srcs} 
{self.config.get('csp.script_src.extras','')}")
             else:
                 report_rules.add(f"script-src {script_srcs} 
{self.config.get('csp.script_src.extras','')}")
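Review bot: The docstring on the context lines still describes the value read from `environ['csp_script_domains']` as "a custom list of domains from google", but the key was just renamed to the generic csp_script_domains; update it to something like `a custom list of extra script-src host sources (e.g. Google domains) that can't be built directly in here.` The environ lookup is done twice, once for the truth test and again for the join; binding it once, `domains = environ.get('csp_script_domains')` followed by `if domains: script_srcs = f"{script_srcs} {' '.join(domains)}"`, reads cleaner and avoids the second dict access. Each entry is interpolated verbatim into the Content-Security-Policy header, and `' '.join` applied to a single str would scatter its characters into the directive and silently yield a policy browsers cannot apply, so a short comment stating that the value must be an iterable of host sources (or an isinstance guard) would document the contract; whether any caller sets a plain str cannot be seen from here. The enclosing method begins before this hunk.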
diff --git a/Allura/allura/tests/functional/test_root.py 
b/Allura/allura/tests/functional/test_root.py
index 6b5f56ca3..9eb9d4eab 100644
--- a/Allura/allura/tests/functional/test_root.py
+++ b/Allura/allura/tests/functional/test_root.py
@@ -186,28 +186,36 @@ class TestRootController(TestController):
         r = self.app.get('/error/document')
         r.mustcontain("We're sorry but we weren't able to process")
 
+    @mock.patch.dict(tg.config, {'csp.frame_sources_enforce': True, \
+                                 'csp.report_uri_enforce': 
'https://example.com/r/d/csp/enforce', \
+                                 'csp.form_actions_enforce': True,
+                                 'csp.script_src_enforce': True})
     def test_headers(self):
         resp = self.app.get('/p')
-        assert resp.headers.getall('Content-Security-Policy')[0] == '; 
'.join(["frame-src 'self' www.youtube-nocookie.com",
-                                                                  "form-action 
'self'",
-                                                                  "object-src 
'none'",
-                                                                  
"frame-ancestors 'self'"])
+        expected_headers = "form-action 'self'; frame-src 'self' 
www.youtube-nocookie.com; object-src 'none';"
+        expected_headers += "frame-ancestors 'self'; report-uri 
https://example.com/r/d/csp/enforce; script-src 'self;"
+        csp_headers = resp.headers.getall('Content-Security-Policy')[0]
+        assert all([h.strip() in csp_headers for h in 
expected_headers.split(';')])
 
+    @mock.patch.dict(tg.config, {'csp.frame_sources_enforce': True,
+                                 'csp.report_uri_enforce': 
'https://example.com/r/d/csp/enforce'})
     def test_headers_config(self):
         resp = self.app.get('/p')
-        assert "frame-src 'self' www.youtube-nocookie.com;" in 
resp.headers.getall('Content-Security-Policy')[0]
+        assert "frame-src 'self' www.youtube-nocookie.com" in 
resp.headers.getall('Content-Security-Policy')[0]
 
-    @mock.patch.dict(tg.config, {'csp.report_mode': True, 'csp.report_uri': 
'https://example.com/r/d/csp/reportOnly'})
+    @mock.patch.dict(tg.config, {'csp.report_uri': 
'https://example.com/r/d/csp/reportOnly'})
     def test_headers_report(self):
         resp = self.app.get('/p/wiki/Home/')
-        assert resp.headers.getall('Content-Security-Policy-Report-Only')[0] 
== '; '.join([
-            "report-uri https://example.com/r/d/csp/reportOnly";,
-            "frame-src 'self' www.youtube-nocookie.com",
-            "form-action 'self'",
-        ])
-
-    @mock.patch.dict(tg.config, {'csp.report_uri_enforce': 
'https://example.com/r/d/csp/enforce', 'csp.report_enforce_mode': True})
-    def test_headers_report_enforce(self):
+        expected_headers = "report-uri https://example.com/r/d/csp/reportOnly;";
+        expected_headers += "frame-src 'self' www.youtube-nocookie.com; 
script-src 'self' ;"
+        expected_headers += "form-action 'self'"
+
+        csp_headers = 
resp.headers.getall('Content-Security-Policy-Report-Only')[0]
+        assert all([h.strip() in csp_headers for h in 
expected_headers.split(';')])
+
+
+    @mock.patch.dict(tg.config, {'csp.report_uri_enforce': 
'https://example.com/r/d/csp/enforce', 'csp.frame_sources_enforce': True})
+    def test_headers_frame_sources_enforce(self):
         resp = self.app.get('/p/wiki/Home/')
         assert "report-uri https://example.com/r/d/csp/enforce; frame-src 
'self' www.youtube-nocookie.com;" \
                in resp.headers.getall('Content-Security-Policy')[0]
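Review bot: The rewritten assertions in test_headers and test_headers_report check each expected directive only by substring containment, so a policy whose directive has been widened with extra sources — for instance whatever `csp.script_src.extras` appends after `script-src 'self'` — still passes, and the missing closing quote in `"script-src 'self;"` goes unnoticed because `script-src 'self` remains a substring of the emitted header. A CSP test should pin each directive's full source list; parsing the header into a directive-to-sources mapping and comparing sets does that, as sketched below, though the exact expected sets assume the middleware emits only `'self'` for script-src when csp.script_src.extras is unset, which this hunk cannot confirm. If the substring checks are kept, `all(h.strip() in csp_headers for h in expected_headers.split(';'))` avoids building a throwaway list, and the stray trailing `;` after the string literal on the first `expected_headers =` line of test_headers_report should be dropped. The decorators and the TestRootController class header sit outside this hunk.
```python
    def _csp_directives(self, header):
        # Map each directive name to the set of its source tokens so a test can
        # assert a directive exactly instead of by substring containment.
        return {d.split()[0]: set(d.split()[1:])
                for d in header.split(';') if d.strip()}

    # … unchanged: @mock.patch.dict(tg.config, {...}) decorator …
    def test_headers(self):
        resp = self.app.get('/p')
        csp = self._csp_directives(resp.headers.getall('Content-Security-Policy')[0])
        assert csp['script-src'] == {"'self'"}
        assert csp['frame-src'] == {"'self'", 'www.youtube-nocookie.com'}
        assert csp['form-action'] == {"'self'"}
        assert csp['object-src'] == {"'none'"}
        assert csp['frame-ancestors'] == {"'self'"}
        assert csp['report-uri'] == {'https://example.com/r/d/csp/enforce'}
```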
