Skip to content

Add support for image-src external sources #6355

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
labkey-adam merged 3 commits into from
Feb 21, 2025
Merged

Add support for image-src external sources #6355

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
62f8499
Add support for image-src external sources
labkey-adam Feb 20, 2025
b1e5b0b
Replace sequences of multiple spaces with single space
labkey-adam Feb 21, 2025
3810123
Update test for no multi-spaces. Finally.
labkey-adam Feb 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions api/src/org/labkey/api/security/Directive.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ public enum Directive
Connection("connect-src"),
Font("font-src"),
Frame("frame-src"),
Image("image-src"),
Style("style-src");

private final String _cspDirective;
Expand Down
116 changes: 64 additions & 52 deletions api/src/org/labkey/filters/ContentSecurityPolicyFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,9 @@ public static String filterPolicy(String policy)
CspCommentScanner scanner = new CspCommentScanner(s);
s = scanner.stripComments().toString();

// Replace sequences of multiple spaces with a single space
s = s.replaceAll(" +", " ");

return s;
}

Expand Down Expand Up @@ -237,15 +240,15 @@ public void testPolicyFiltering()
// Multi-line for readability, but notice that newlines are replaced before assignment
String expected = """
default-src 'self' https: http: ;
connect-src 'self' http://www.labkey.org localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;
object-src https://* 'none' ;
style-src 'self' https: 'unsafe-inline' ;
img-src 'self' https: data: ;
font-src 'self' http://www.labkey.com https://* http: https: data: ;
script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;
base-uri 'self' ;
frame-ancestors 'self' ;
report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} https://*;""".replace('\n', ' ');
connect-src 'self' http://www.labkey.org localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;
object-src https://* 'none' ;
style-src 'self' https: 'unsafe-inline' ;
img-src 'self' https: data: ;
font-src 'self' http://www.labkey.com https://* http: https: data: ;
script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;
base-uri 'self' ;
frame-ancestors 'self' ;
report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} https://*;""".replace('\n', ' ');

Assert.assertEquals(expected, filterPolicy(fakePolicyForTesting));
}
Expand All @@ -267,50 +270,59 @@ public void testSubstitutionMap()
regenerateSubstitutionMap();
}

assertTrue(ALLOWED_SOURCES.isEmpty());
assertTrue(_substitutionMap.isEmpty());
unregisterAllowedSources(Directive.Connection, "foo");
assertTrue(ALLOWED_SOURCES.isEmpty());
assertTrue(_substitutionMap.isEmpty());
registerAllowedSources(Directive.Connection, "foo", "MySource");
assertEquals(1, ALLOWED_SOURCES.size());
assertEquals(2, _substitutionMap.size()); // Old connection substitution key should be added as well
registerAllowedSources(Directive.Connection, "bar", "MySource");
assertEquals(1, ALLOWED_SOURCES.size());
assertEquals(2, _substitutionMap.size()); // Duplicate source should be filtered out

registerAllowedSources(Directive.Font, "font", "MySource");
assertEquals(2, ALLOWED_SOURCES.size());
assertEquals(3, _substitutionMap.size());
registerAllowedSources(Directive.Font, "font2", "MyOtherSource");
assertEquals(2, ALLOWED_SOURCES.size());
assertEquals(3, _substitutionMap.size());
String value = _substitutionMap.get("FONT.SOURCES");
assertEquals("! !", value.replace("MyOtherSource", "!").replace("MySource", "!"));
unregisterAllowedSources(Directive.Font, "font2");
assertEquals(2, ALLOWED_SOURCES.size());
assertEquals(3, _substitutionMap.size());
unregisterAllowedSources(Directive.Font, "font");
assertEquals(2, ALLOWED_SOURCES.size()); // Font entry still exists, but should be empty
assertTrue(ALLOWED_SOURCES.get(Directive.Font).isEmpty());
assertEquals(2, _substitutionMap.size()); // Back to the way it was

registerAllowedSources(Directive.Frame, "frame", "FrameSource", "FrameStore");
assertEquals(3, ALLOWED_SOURCES.size());
assertEquals(3, _substitutionMap.size());

registerAllowedSources(Directive.Style, "style", "StyleSource", "MoreStylishStore");
assertEquals(4, ALLOWED_SOURCES.size());
assertEquals(4, _substitutionMap.size());

// Restore the previous ALLOWED_SOURCES
synchronized (ALLOWED_SOURCES_LOCK)
try
{
ALLOWED_SOURCES.clear();
ALLOWED_SOURCES.putAll(savedSources);
regenerateSubstitutionMap();
assertEquals(sourceMapSize, ALLOWED_SOURCES.size());
assertEquals(substitutionMapSize, _substitutionMap.size());
assertTrue(ALLOWED_SOURCES.isEmpty());
assertTrue(_substitutionMap.isEmpty());
unregisterAllowedSources(Directive.Connection, "foo");
assertTrue(ALLOWED_SOURCES.isEmpty());
assertTrue(_substitutionMap.isEmpty());
registerAllowedSources(Directive.Connection, "foo", "MySource");
assertEquals(1, ALLOWED_SOURCES.size());
assertEquals(2, _substitutionMap.size()); // Old connection substitution key should be added as well
registerAllowedSources(Directive.Connection, "bar", "MySource");
assertEquals(1, ALLOWED_SOURCES.size());
assertEquals(2, _substitutionMap.size()); // Duplicate source should be filtered out

registerAllowedSources(Directive.Font, "font", "MySource");
assertEquals(2, ALLOWED_SOURCES.size());
assertEquals(3, _substitutionMap.size());
registerAllowedSources(Directive.Font, "font2", "MyOtherSource");
assertEquals(2, ALLOWED_SOURCES.size());
assertEquals(3, _substitutionMap.size());
String value = _substitutionMap.get("FONT.SOURCES");
assertEquals("! !", value.replace("MyOtherSource", "!").replace("MySource", "!"));
unregisterAllowedSources(Directive.Font, "font2");
assertEquals(2, ALLOWED_SOURCES.size());
assertEquals(3, _substitutionMap.size());
unregisterAllowedSources(Directive.Font, "font");
assertEquals(2, ALLOWED_SOURCES.size()); // Font entry still exists, but should be empty
assertTrue(ALLOWED_SOURCES.get(Directive.Font).isEmpty());
assertEquals(2, _substitutionMap.size()); // Back to the way it was

registerAllowedSources(Directive.Frame, "frame", "FrameSource", "FrameStore");
assertEquals(3, ALLOWED_SOURCES.size());
assertEquals(3, _substitutionMap.size());

registerAllowedSources(Directive.Style, "style", "StyleSource", "MoreStylishStore");
assertEquals(4, ALLOWED_SOURCES.size());
assertEquals(4, _substitutionMap.size());

registerAllowedSources(Directive.Image, "image", "ImageSource", "BetterImageStore");
assertEquals(5, ALLOWED_SOURCES.size());
assertEquals(5, _substitutionMap.size());
}
finally
{
// Restore the previous ALLOWED_SOURCES
synchronized (ALLOWED_SOURCES_LOCK)
{
ALLOWED_SOURCES.clear();
ALLOWED_SOURCES.putAll(savedSources);
regenerateSubstitutionMap();
assertEquals(sourceMapSize, ALLOWED_SOURCES.size());
assertEquals(substitutionMapSize, _substitutionMap.size());
}
}
}
}
Expand Down