This is an automated email from the ASF dual-hosted git repository.
pedro pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/master by this push:
new 6f1d6a2ce7 WICKET-7107 configure ContentSecurityPolicySettings to
protect buffered pages
6f1d6a2ce7 is described below
commit 6f1d6a2ce7046f446c52e977ac4c9edb5d201471
Author: Pedro Santos <[email protected]>
AuthorDate: Wed Nov 27 16:06:34 2024 -0300
WICKET-7107 configure ContentSecurityPolicySettings to protect buffered
pages
---
.../csp/CSPSettingRequestCycleListenerTest.java | 75 +++++++++++++++-------
.../wicket/csp/ContentSecurityPolicySettings.java | 9 ++-
2 files changed, 60 insertions(+), 24 deletions(-)
diff --git
a/wicket-core-tests/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java
b/wicket-core-tests/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java
index 1fdd8cb92c..28c5efd738 100644
---
a/wicket-core-tests/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java
+++
b/wicket-core-tests/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java
@@ -16,19 +16,21 @@
*/
package org.apache.wicket.csp;
-import static org.apache.wicket.csp.CSPDirective.CHILD_SRC;
-import static org.apache.wicket.csp.CSPDirective.DEFAULT_SRC;
-import static org.apache.wicket.csp.CSPDirective.FRAME_SRC;
-import static org.apache.wicket.csp.CSPDirective.IMG_SRC;
-import static org.apache.wicket.csp.CSPDirective.REPORT_URI;
-import static org.apache.wicket.csp.CSPDirective.SANDBOX;
-import static org.apache.wicket.csp.CSPDirectiveSandboxValue.ALLOW_FORMS;
-import static org.apache.wicket.csp.CSPDirectiveSandboxValue.EMPTY;
-import static org.apache.wicket.csp.CSPDirectiveSrcValue.NONE;
-import static org.apache.wicket.csp.CSPDirectiveSrcValue.SELF;
-import static org.apache.wicket.csp.CSPDirectiveSrcValue.WILDCARD;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
+import org.apache.wicket.MarkupContainer;
+import org.apache.wicket.RestartResponseException;
+import org.apache.wicket.markup.IMarkupResourceStreamProvider;
+import org.apache.wicket.markup.html.WebPage;
+import org.apache.wicket.mock.MockApplication;
+import org.apache.wicket.protocol.http.WebApplication;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.util.resource.IResourceStream;
+import org.apache.wicket.util.resource.StringResourceStream;
+import org.apache.wicket.util.tester.DummyHomePage;
+import org.apache.wicket.util.tester.WicketTestCase;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
import java.net.URI;
import java.net.URISyntaxException;
@@ -39,15 +41,14 @@ import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
-import org.apache.wicket.mock.MockApplication;
-import org.apache.wicket.protocol.http.WebApplication;
-import org.apache.wicket.request.cycle.RequestCycle;
-import org.apache.wicket.util.tester.DummyHomePage;
-import org.apache.wicket.util.tester.WicketTestCase;
-import org.junit.jupiter.api.Assertions;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.ValueSource;
+import static org.apache.wicket.csp.CSPDirective.*;
+import static org.apache.wicket.csp.CSPDirectiveSandboxValue.ALLOW_FORMS;
+import static org.apache.wicket.csp.CSPDirectiveSandboxValue.EMPTY;
+import static org.apache.wicket.csp.CSPDirectiveSrcValue.*;
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
class CSPSettingRequestCycleListenerTest extends WicketTestCase
{
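Review bot: The reorganised imports replace the explicit `CSPDirective` and `CSPDirectiveSrcValue` static imports with wildcards (`import static org.apache.wicket.csp.CSPDirective.*;` and `import static org.apache.wicket.csp.CSPDirectiveSrcValue.*;`), which the previous version of this file avoided and which hides where names such as `STYLE_SRC`, `SELF` or `NONE` come from; listing the constants the test actually uses keeps the file readable and avoids silent clashes with other static imports later. The hunk also moves the static imports below the regular ones and introduces Hamcrest `assertThat` next to the JUnit `Assertions` already in scope — acceptable if that is the project convention, but worth keeping consistent across the csp tests.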
@@ -381,6 +382,36 @@ class CSPSettingRequestCycleListenerTest extends
WicketTestCase
assertThrows(IllegalArgumentException.class, () ->
settings.add(IMG_SRC, source + ":"));
}
+ @Test
+ void addCspDirectiveInBufferedPageResponses()
+ {
+ tester.setFollowRedirects(true);
+
tester.getApplication().getCspSettings().blocking().add(STYLE_SRC, SELF);
+
+ tester.startPage(RedirectPage.class);
+
+
assertThat(tester.getLastResponse().getHeader("Content-Security-Policy"),
+ containsString(STYLE_SRC.getValue()));
+ }
+
+ public static class Page extends WebPage implements
IMarkupResourceStreamProvider
+ {
+ @Override
+ public IResourceStream getMarkupResourceStream(MarkupContainer
container,
+ Class<?> containerClass)
+ {
+ return new
StringResourceStream("<html><head></head><body></body></html>");
+ }
+ }
+
+ public static class RedirectPage extends Page
+ {
+ public RedirectPage()
+ {
+ throw new RestartResponseException(new Page());
+ }
+ }
+
private String renderDirective(List<CSPRenderable> values,
ContentSecurityPolicySettings settings, RequestCycle cycle)
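Review bot: The assertion closing `addCspDirectiveInBufferedPageResponses` only checks that the header contains the directive name (`STYLE_SRC.getValue()`, i.e. `style-src`), not the configured `'self'` value, and the test never pins the render strategy, so it silently depends on the test application's default being REDIRECT_TO_BUFFER; under ONE_PASS_RENDER it would pass through the plain `RenderPageRequestHandler` path without ever exercising `BufferedResponseRequestHandler`, which is what the commit is about. Consider setting `tester.getApplication().getRequestCycleSettings().setRenderStrategy(RequestCycleSettings.RenderStrategy.REDIRECT_TO_BUFFER);` explicitly and asserting the value as well, e.g. `containsString("style-src 'self'")` (adjusted to whatever separator the header renderer uses). Because the buffered page is rendered in one request and replayed in a later one, a second case that adds a `NONCE` source and compares the nonce in the replayed header with the nonce attribute in the buffered markup would catch a mismatch this test cannot see. The `renderDirective` helper whose signature ends the hunk continues outside it.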
diff --git
a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java
b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java
index 65b510b7f4..4c3ba85b45 100644
---
a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java
+++
b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java
@@ -25,6 +25,7 @@ import java.util.function.Supplier;
import org.apache.wicket.Application;
import org.apache.wicket.MetaDataKey;
import org.apache.wicket.Page;
+import org.apache.wicket.core.request.handler.BufferedResponseRequestHandler;
import org.apache.wicket.core.request.handler.IPageRequestHandler;
import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
import org.apache.wicket.protocol.http.WebApplication;
@@ -69,14 +70,18 @@ public class ContentSecurityPolicySettings
private final Map<CSPHeaderMode, CSPHeaderConfiguration> configs = new
EnumMap<>(
CSPHeaderMode.class);
- private Predicate<IRequestHandler> protectedFilter =
RenderPageRequestHandler.class::isInstance;
+ private Predicate<IRequestHandler> protectedFilter;
private Supplier<String> nonceCreator;
public ContentSecurityPolicySettings(Application application)
{
Args.notNull(application, "application");
-
+
+ Predicate<IRequestHandler> isPage =
RenderPageRequestHandler.class::isInstance;
+ Predicate<IRequestHandler> isBufferedPage =
BufferedResponseRequestHandler.class::isInstance;
+ protectedFilter = isPage.or(isBufferedPage);
+
nonceCreator = () ->
application.getSecuritySettings().getRandomSupplier().getRandomBase64(NONCE_LENGTH);
}
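Review bot: With `protectedFilter = isPage.or(isBufferedPage)` the CSP header is now also emitted when `BufferedResponseRequestHandler` replays a page that was rendered in an earlier request, but the header value is still computed from the current request cycle, so a `'nonce-…'` source would carry a nonce created for the replay cycle while the `nonce` attributes inside the buffered markup were created during the render cycle; unless the render cycle's nonce is carried along with the buffered response (not visible in this hunk), the two would differ and browsers would block every nonced script and style on REDIRECT_TO_BUFFER pages, which until now were served without any header at all. Worth confirming against the request cycle listener and either persisting the nonce with the buffered response or documenting the limitation on `ContentSecurityPolicySettings`. The new default also deserves a why-comment, e.g. `// REDIRECT_TO_BUFFER serves the rendered page from a later request handled by BufferedResponseRequestHandler; protect that handler too, or the buffered page is delivered without CSP headers.` The field's Javadoc and its setter (outside the hunk) should state that the default filter now matches both handler types.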