symfony · herndlm · Nov 4, 2018 · nicolas-grekas · Feb 4, 2020 · herndlm
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php b/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
@@ -25,6 +25,7 @@ class ContentSecurityPolicyHandler
 {
    private $nonceGenerator;
    private $cspDisabled = false;
+    private $evaluationEnabled = false;

    public function __construct(NonceGenerator $nonceGenerator)
    {
@@ -92,10 +93,25 @@ public function updateResponseHeaders(Request $request, Response $response): arr
        $nonces = $this->getNonces($request, $response);
        $this->cleanHeaders($response);
        $this->updateCspHeaders($response, $nonces);
+        $this->setEvaluationEnabled(false);

        return $nonces;
    }

+    public function isEvaluationEnabled(): bool
+    {
+        return $this->evaluationEnabled;
+    }
+
+    /**
+     * Allows/disallows the evaluation of code via functions like eval().
+     * If enabled 'unsafe-eval' will be set in the Content-Security-Policy.
+     */
+    public function setEvaluationEnabled(bool $enabled): void
+    {
+        $this->evaluationEnabled = $enabled;
+    }
+
    private function cleanHeaders(Response $response)
    {
        $response->headers->remove('X-SymfonyProfiler-Script-Nonce');
@@ -142,6 +158,11 @@ private function updateCspHeaders(Response $response, array $nonces = []): array
                }
                $headers[$header][$type][] = sprintf('\'nonce-%s\'', $nonces[$tokenName]);
            }
+
+            if ($this->evaluationEnabled && !$this->authorizesEval($directives, 'script-src')) {
+                $ruleIsSet = true;
+                $headers[$header]['script-src'][] = '\'unsafe-eval\'';
+            }
        }

        if (!$ruleIsSet) {
@@ -208,6 +229,27 @@ private function authorizesInline(array $directivesSet, string $type): bool
        return \in_array('\'unsafe-inline\'', $directives, true) && !$this->hasHashOrNonce($directives);
    }

+    /**
+     * Detects if the 'unsafe-eval' is prevented for a directive within the directive set.
+     *
+     * @param array  $directivesSet The directive set
+     * @param string $type          The name of the directive to check
+     *
+     * @return bool
+     */
+    private function authorizesEval(array $directivesSet, $type)
+    {
+        if (isset($directivesSet[$type])) {
+            $directives = $directivesSet[$type];
+        } elseif (isset($directivesSet['default-src'])) {
+            $directives = $directivesSet['default-src'];
+        } else {
+            return false;
+        }
+
+        return \in_array('\'unsafe-eval\'', $directives, true);
+    }
+
    private function hasHashOrNonce(array $directives): bool
    {
        foreach ($directives as $directive) {

diff --git a/src/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.php b/src/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.php
@@ -19,6 +19,7 @@
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
 use Symfony\Component\HttpKernel\KernelEvents;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\VarDumper\VarDumper;
 use Twig\Environment;

 /**
@@ -111,6 +112,14 @@ public function onKernelResponse(ResponseEvent $event)
        $this->injectToolbar($response, $request, $nonces);
    }

+    public function onKernelRequest(): void
+    {
+        // Because as of now the dumper embeds scripts they are evaluated in base_js.html.twig
+        VarDumper::setAfterDumpHandlerOnce(function () {
+            $this->cspHandler->setEvaluationEnabled(true);
+        });
+    }
+
    /**
     * Injects the web debug toolbar into the given Response.
     */
@@ -139,6 +148,7 @@ public static function getSubscribedEvents(): array
    {
        return [
            KernelEvents::RESPONSE => ['onKernelResponse', -128],
+            KernelEvents::REQUEST => ['onKernelRequest'],
        ];
    }
 }
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php b/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
@@ -45,6 +45,25 @@ public function testOnKernelResponse($nonce, $expectedNonce, Request $request, R
        }
    }

+    /**
+     * @dataProvider provideRequestAndResponsesForOnKernelResponseEvaluation
+     */
+    public function testOnKernelResponseEvaluation($nonce, $expectedNonce, Request $request, Response $response, array $expectedCsp): void
+    {
+        $cspHandler = new ContentSecurityPolicyHandler($this->mockNonceGenerator($nonce));
+
+        $cspHandler->setEvaluationEnabled(true);
+        $this->assertSame($expectedNonce, $cspHandler->updateResponseHeaders($request, $response));
+
+        $this->assertFalse($cspHandler->isEvaluationEnabled(), 'evaluationEnabled has to be disabled again');
+        $this->assertFalse($response->headers->has('X-SymfonyProfiler-Script-Nonce'));
+        $this->assertFalse($response->headers->has('X-SymfonyProfiler-Style-Nonce'));
+
+        foreach ($expectedCsp as $header => $value) {
+            $this->assertSame($value, $response->headers->get($header));
+        }
+    }
+
    public function provideRequestAndResponses()
    {
        $nonce = bin2hex(random_bytes(16));
@@ -178,6 +197,75 @@ public function provideRequestAndResponsesForOnKernelResponse()
        ];
    }

+    /**
+     * @throws \Exception
+     */
+    public function provideRequestAndResponsesForOnKernelResponseEvaluation(): array
+    {
+        $nonce = bin2hex(random_bytes(16));
+
+        return [
+            // Cases where nothing needs to be done because evaluation is already enabled
+            [
+                $nonce,
+                ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+                $this->createRequest(),
+                $this->createResponse(),
+                ['Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null],
+            ],
+            [
+                $nonce,
+                ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+                $this->createRequest(),
+                $this->createResponse(['Content-Security-Policy' => 'default-src \'self\' \'unsafe-inline\' \'unsafe-eval\'']),
+                ['Content-Security-Policy' => 'default-src \'self\' \'unsafe-inline\' \'unsafe-eval\'', 'X-Content-Security-Policy' => null],
+            ],
+            [
+                $nonce,
+                ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+                $this->createRequest(),
+                $this->createResponse(['Content-Security-Policy' => 'default-src \'self\'; script-src \'unsafe-inline\' \'unsafe-eval\'; style-src \'unsafe-inline\'']),
+                ['Content-Security-Policy' => 'default-src \'self\'; script-src \'unsafe-inline\' \'unsafe-eval\'; style-src \'unsafe-inline\'', 'X-Content-Security-Policy' => null],
+            ],
+            // Cases where evaluation needs to be enabled
+            [
+                $nonce,
+                ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+                $this->createRequest(),
+                $this->createResponse(['Content-Security-Policy' => 'default-src \'self\' \'unsafe-inline\'']),
+                ['Content-Security-Policy' => 'default-src \'self\' \'unsafe-inline\'; script-src \'unsafe-eval\'', 'X-Content-Security-Policy' => null],
+            ],
+            [
+                $nonce,
+                ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+                $this->createRequest(),
+                $this->createResponse(['Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'']),
+                ['Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\' \'unsafe-eval\'', 'X-Content-Security-Policy' => null],
+            ],
+            [
+                $nonce,
+                ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+                $this->createRequest(),
+                $this->createResponse(['Content-Security-Policy' => 'default-src \'unsafe-inline\'; script-src \'self\' \'unsafe-inline\'']),
+                ['Content-Security-Policy' => 'default-src \'unsafe-inline\'; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\'', 'X-Content-Security-Policy' => null],
+            ],
+            [
+                $nonce,
+                ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+                $this->createRequest(),
+                $this->createResponse(['Content-Security-Policy' => 'default-src \'unsafe-inline\'; script-src \'self\' \'unsafe-inline\'']),
+                ['Content-Security-Policy' => 'default-src \'unsafe-inline\'; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\'', 'X-Content-Security-Policy' => null],
+            ],
+            [
+                $nonce,
+                ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+                $this->createRequest(),
+                $this->createResponse(['Content-Security-Policy' => 'default-src \'none\'; script-src \'self\' \'unsafe-inline\'; style-src \'unsafe-inline\'']),
+                ['Content-Security-Policy' => 'default-src \'none\'; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\'; style-src \'unsafe-inline\'', 'X-Content-Security-Policy' => null],
+            ],
+        ];
+    }
+
    private function createRequest(array $headers = [])
    {
        $request = new Request();

diff --git a/src/Symfony/Component/VarDumper/Tests/Dumper/FunctionsTest.php b/src/Symfony/Component/VarDumper/Tests/Dumper/FunctionsTest.php
@@ -46,12 +46,40 @@ public function testDumpReturnsAllArgsInArray()
        $this->assertEquals([$var1, $var2, $var3], $return);
    }

-    protected function setupVarDumper()
+    public function testAfterDumpHandler()
+    {
+        $handlerCalled = false;
+        $this->setupVarDumper(function () use (&$handlerCalled) {
+            $handlerCalled = true;
+        });
+
+        $var1 = 'a';
+
+        ob_start();
+        $return = dump($var1);
+        $out = ob_get_clean();
+
+        $this->assertTrue($handlerCalled);
+        $this->assertEquals($var1, $return);
+
+        // Test if the afterDumpHandlerOnce is only being used once
+        $handlerCalled = false;
+
+        ob_start();
+        $return = dump($var1);
+        $out = ob_get_clean();
+
+        $this->assertFalse($handlerCalled, 'The afterDumpHandlerOnce must only be used once');
+        $this->assertEquals($var1, $return);
+    }
+
+    protected function setupVarDumper(callable $afterDumpHandlerOnce = null)
    {
        $cloner = new VarCloner();
        $dumper = new CliDumper('php://output');
        VarDumper::setHandler(function ($var) use ($cloner, $dumper) {
            $dumper->dump($cloner->cloneVar($var));
        });
+        VarDumper::setAfterDumpHandlerOnce($afterDumpHandlerOnce);
    }
 }
diff --git a/src/Symfony/Component/VarDumper/VarDumper.php b/src/Symfony/Component/VarDumper/VarDumper.php
@@ -27,6 +27,7 @@
 class VarDumper
 {
    private static $handler;
+    private static $afterDumpHandlerOnce;

    public static function dump($var)
    {
@@ -47,7 +48,14 @@ public static function dump($var)
            };
        }

-        return (self::$handler)($var);
+        $output = (self::$handler)($var);
+
+        if (null !== self::$afterDumpHandlerOnce) {
+            (self::$afterDumpHandlerOnce)($var);
+            self::$afterDumpHandlerOnce = null;
+        }
+
+        return $output;
    }

    public static function setHandler(callable $callable = null)
@@ -57,4 +65,12 @@ public static function setHandler(callable $callable = null)

        return $prevHandler;
    }
+
+    public static function setAfterDumpHandlerOnce(callable $callable = null)
+    {
+        $prevHandler = self::$afterDumpHandlerOnce;
+        self::$afterDumpHandlerOnce = $callable;
+
+        return $prevHandler;
+    }
 }
-Original file line number
+Diff line change
@@ -27,6 +27,7 @@
     class VarDumper
     {
         private static $handler;
+        private static $afterDumpHandlerOnce;
         public static function dump($var)
         {
@@ -47,7 +48,14 @@ public static function dump($var)
                 };
             }
-            return (self::$handler)($var);
+            $output = (self::$handler)($var);
+            if (null !== self::$afterDumpHandlerOnce) {
+                (self::$afterDumpHandlerOnce)($var);
+                self::$afterDumpHandlerOnce = null;
+            }
+            return $output;
         }
         public static function setHandler(callable $callable = null)
@@ -57,4 +65,12 @@ public static function setHandler(callable $callable = null)
             return $prevHandler;
         }
+        public static function setAfterDumpHandlerOnce(callable $callable = null)
             Copy link

  
      
    
  

  
      

  
  Member


      

  

  
    
      

      
            nicolas-grekas
  

      

      

      


        Feb 4, 2020


      
    

  


        
      
  
  
  
    

    There was a problem hiding this comment.


  

 
  
    

    Choose a reason for hiding this comment

    
      The reason will be displayed to describe this comment to others. Learn more.
    

    
      
      


  


  
    
      this looks like something we'd better avoid IMHO.

I think it's fine if we call setEvaluationEnabled(true) all the time when dump() is called.
    
  
  


    

        
      
  
  
    
  
  
  
    
    Sorry, something went wrong.
  

  
    
  
    
      

              Uh oh!

              
There was an error while loading. Please reload this page.


  
  


          
      
  
    
    
      
        
            
    All reactions
  


          
          
        
      
    

    



  
        
  
    
        
    
  


      
          
  
      
            Copy link

  
      
    
  

  
      

  
    Contributor


      

  Author


  

  
    
      

      
            herndlm
  

      

      

      


        Apr 17, 2020


      
    

  


        
      
  
  
  
    

    There was a problem hiding this comment.


  

 
  
    

    Choose a reason for hiding this comment

    
      The reason will be displayed to describe this comment to others. Learn more.
    

    
      
      


  


  
    
      Sorry for getting back in touch so late. I'm aware this a not-important edge-case and I actually needed this at my old company and currently I don't. Anyways but I still want to finish this :)
Do you mean to adapt this callback to be called every-time instead of that only once logic which simplifies it or something completely different?
    
  
  


    

        
      
  
  
    
  
  
  
    
    Sorry, something went wrong.
  

  
    
  
    
      

              Uh oh!

              
There was an error while loading. Please reload this page.


  
  


          
      
  
    
    
      
        
            
    All reactions
+        {
+            $prevHandler = self::$afterDumpHandlerOnce;
+            self::$afterDumpHandlerOnce = $callable;
+            return $prevHandler;
+        }
     }