BookStack Code Mirror - bookstack/blob - tests/SecurityHeaderTest.php

1 <?php

3 namespace Tests;

5 use BookStack\Util\CspService;

7 class SecurityHeaderTest extends TestCase

8 {

9 public function test_cookies_samesite_lax_by_default()

10 {

11 $resp = $this->get('/');

12 foreach ($resp->headers->getCookies() as $cookie) {

13 $this->assertEquals('lax', $cookie->getSameSite());

14 }

15 }

17 public function test_cookies_samesite_none_when_iframe_hosts_set()

18 {

19 $this->runWithEnv('ALLOWED_IFRAME_HOSTS', 'http://example.com', function () {

20 $resp = $this->get('/');

21 foreach ($resp->headers->getCookies() as $cookie) {

22 $this->assertEquals('none', $cookie->getSameSite());

23 }

24 });

25 }

27 public function test_secure_cookies_controlled_by_app_url()

28 {

29 $this->runWithEnv('APP_URL', 'http://example.com', function () {

30 $resp = $this->get('/');

31 foreach ($resp->headers->getCookies() as $cookie) {

32 $this->assertFalse($cookie->isSecure());

33 }

34 });

36 $this->runWithEnv('APP_URL', 'https://example.com', function () {

37 $resp = $this->get('/');

38 foreach ($resp->headers->getCookies() as $cookie) {

39 $this->assertTrue($cookie->isSecure());

40 }

41 });

42 }

44 public function test_iframe_csp_self_only_by_default()

45 {

46 $resp = $this->get('/');

47 $frameHeader = $this->getCspHeader($resp, 'frame-ancestors');

49 $this->assertEquals('frame-ancestors \'self\'', $frameHeader);

50 }

52 public function test_iframe_csp_includes_extra_hosts_if_configured()

53 {

54 $this->runWithEnv('ALLOWED_IFRAME_HOSTS', 'https://a.example.com https://b.example.com', function () {

55 $resp = $this->get('/');

56 $frameHeader = $this->getCspHeader($resp, 'frame-ancestors');

58 $this->assertNotEmpty($frameHeader);

59 $this->assertEquals('frame-ancestors \'self\' https://a.example.com https://b.example.com', $frameHeader);

60 });

61 }

63 public function test_script_csp_set_on_responses()

64 {

65 $resp = $this->get('/');

66 $scriptHeader = $this->getCspHeader($resp, 'script-src');

67 $this->assertStringContainsString('\'strict-dynamic\'', $scriptHeader);

68 $this->assertStringContainsString('\'nonce-', $scriptHeader);

69 }

71 public function test_script_csp_nonce_matches_nonce_used_in_custom_head()

72 {

73 $this->setSettings(['app-custom-head' => '<script>console.log("cat");</script>']);

74 $resp = $this->get('/login');

75 $scriptHeader = $this->getCspHeader($resp, 'script-src');

77 $nonce = app()->make(CspService::class)->getNonce();

78 $this->assertStringContainsString('nonce-' . $nonce, $scriptHeader);

79 $resp->assertSee('<script nonce="' . $nonce . '">console.log("cat");</script>', false);

80 }

82 public function test_script_csp_nonce_changes_per_request()

83 {

84 $resp = $this->get('/');

85 $firstHeader = $this->getCspHeader($resp, 'script-src');

87 $this->refreshApplication();

89 $resp = $this->get('/');

90 $secondHeader = $this->getCspHeader($resp, 'script-src');

92 $this->assertNotEquals($firstHeader, $secondHeader);

93 }

95 public function test_allow_content_scripts_settings_controls_csp_script_headers()

96 {

97 config()->set('app.allow_content_scripts', true);

98 $resp = $this->get('/');

99 $scriptHeader = $this->getCspHeader($resp, 'script-src');

100 $this->assertEmpty($scriptHeader);

101

102 config()->set('app.allow_content_scripts', false);

103 $resp = $this->get('/');

104 $scriptHeader = $this->getCspHeader($resp, 'script-src');

105 $this->assertNotEmpty($scriptHeader);

106 }

107

108 public function test_object_src_csp_header_set()

109 {

110 $resp = $this->get('/');

111 $scriptHeader = $this->getCspHeader($resp, 'object-src');

112 $this->assertEquals('object-src \'self\'', $scriptHeader);

113 }

114

115 public function test_base_uri_csp_header_set()

116 {

117 $resp = $this->get('/');

118 $scriptHeader = $this->getCspHeader($resp, 'base-uri');

119 $this->assertEquals('base-uri \'self\'', $scriptHeader);

120 }

121

122 public function test_frame_src_csp_header_set()

123 {

124 $resp = $this->get('/');

125 $scriptHeader = $this->getCspHeader($resp, 'frame-src');

126 $this->assertEquals('frame-src \'self\' https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com', $scriptHeader);

127 }

128

129 public function test_frame_src_csp_header_has_drawio_host_added()

130 {

131 config()->set([

132 'app.iframe_sources' => 'https://example.com',

133 'services.drawio' => 'https://diagrams.example.com/testing?cat=dog',

134 ]);

135

136 $resp = $this->get('/');

137 $scriptHeader = $this->getCspHeader($resp, 'frame-src');

138 $this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader);

139 }

140

141 public function test_cache_control_headers_are_strict_on_responses_when_logged_in()

142 {

143 $this->asEditor();

144 $resp = $this->get('/');

145 $resp->assertHeader('Cache-Control', 'max-age=0, no-store, private');

146 $resp->assertHeader('Pragma', 'no-cache');

147 $resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');

148 }

149

150 /**

151 * Get the value of the first CSP header of the given type.

152 */

153 protected function getCspHeader(TestResponse $resp, string $type): string

154 {

155 $cspHeaders = explode('; ', $resp->headers->get('Content-Security-Policy'));

156

157 foreach ($cspHeaders as $cspHeader) {

158 if (strpos($cspHeader, $type) === 0) {

159 return $cspHeader;

160 }

161 }

162

163 return '';

164 }

165 }