
[WebProfilerBundle] Disable CSP if dumper was used #40441

Merged
merged 1 commit into from
Mar 12, 2021
Expand Up @@ -16,6 +16,7 @@
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Session\Flash\AutoExpireFlashBag;
use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
Expand Down Expand Up @@ -44,15 +45,17 @@ class WebDebugToolbarListener implements EventSubscriberInterface
protected $mode;
protected $excludedAjaxPaths;
private $cspHandler;
private $dumpDataCollector;

public function __construct(Environment $twig, bool $interceptRedirects = false, int $mode = self::ENABLED, UrlGeneratorInterface $urlGenerator = null, string $excludedAjaxPaths = '^/bundles|^/_wdt', ContentSecurityPolicyHandler $cspHandler = null)
public function __construct(Environment $twig, bool $interceptRedirects = false, int $mode = self::ENABLED, UrlGeneratorInterface $urlGenerator = null, string $excludedAjaxPaths = '^/bundles|^/_wdt', ContentSecurityPolicyHandler $cspHandler = null, DumpDataCollector $dumpDataCollector = null)
{
$this->twig = $twig;
$this->urlGenerator = $urlGenerator;
$this->interceptRedirects = $interceptRedirects;
$this->mode = $mode;
$this->excludedAjaxPaths = $excludedAjaxPaths;
$this->cspHandler = $cspHandler;
$this->dumpDataCollector = $dumpDataCollector;
}

public function isEnabled(): bool
Expand Down Expand Up @@ -89,7 +92,14 @@ public function onKernelResponse(ResponseEvent $event)
return;
}

$nonces = $this->cspHandler ? $this->cspHandler->updateResponseHeaders($request, $response) : [];
$nonces = [];
if ($this->cspHandler) {
if ($this->dumpDataCollector && $this->dumpDataCollector->getDumpsCount() > 0) {
$this->cspHandler->disableCsp();
}

$nonces = $this->cspHandler->updateResponseHeaders($request, $response);
}

// do not capture redirects or modify XML HTTP Requests
if ($request->isXmlHttpRequest()) {
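Review bot: The new branch in onKernelResponse drops the response's Content-Security-Policy entirely whenever the dump collector reports at least one dump, but nothing in the code records why, and because the check sits before the redirect/XHR early return that follows it also applies to those responses. A comment above the `if ($this->dumpDataCollector ...)` line would keep the intent from being lost, e.g. `// dumps are rendered inline and (presumably) carry no CSP nonce; rather than have the browser block them, drop the policy for this response` — the nonce rationale is inferred and should be confirmed against the dumper's output. Since this trades the page's XSS mitigation for visible dump output, the trade-off deserves a sentence in the class docblock or PR description, and a test asserting the resulting response headers (not only the mocked `disableCsp` call) would pin the behaviour. onKernelResponse starts and ends outside the hunk.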
Expand Up @@ -24,6 +24,7 @@
service('router')->ignoreOnInvalid(),
abstract_arg('paths that should be excluded from the AJAX requests shown in the toolbar'),
service('web_profiler.csp.handler'),
service('data_collector.dump')->ignoreOnInvalid(),
])
->tag('kernel.event_subscriber')
;
Expand Up @@ -20,6 +20,7 @@
use Symfony\Component\ErrorHandler\ErrorRenderer\HtmlErrorRenderer;
use Symfony\Component\EventDispatcher\DependencyInjection\RegisterListenersPass;
use Symfony\Component\EventDispatcher\EventDispatcher;
use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;
use Symfony\Component\HttpKernel\KernelInterface;

class WebProfilerExtensionTest extends TestCase
Expand Down Expand Up @@ -55,6 +56,7 @@ protected function setUp(): void
$this->kernel = $this->createMock(KernelInterface::class);

$this->container = new ContainerBuilder();
$this->container->register('data_collector.dump', DumpDataCollector::class)->setPublic(true);
$this->container->register('error_handler.error_renderer.html', HtmlErrorRenderer::class)->setPublic(true);
$this->container->register('event_dispatcher', EventDispatcher::class)->setPublic(true);
$this->container->register('router', $this->getMockClass('Symfony\\Component\\Routing\\RouterInterface'))->setPublic(true);
Expand Up @@ -12,11 +12,13 @@
namespace Symfony\Bundle\WebProfilerBundle\Tests\EventListener;

use PHPUnit\Framework\TestCase;
use Symfony\Bundle\WebProfilerBundle\Csp\ContentSecurityPolicyHandler;
use Symfony\Bundle\WebProfilerBundle\EventListener\WebDebugToolbarListener;
use Symfony\Component\HttpFoundation\HeaderBag;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpKernel\Kernel;
Expand Down Expand Up @@ -300,6 +302,48 @@ public function testThrowingErrorCleanup()
$this->assertEquals('Exception: This multiline tabbed text should come out on a single plain line', $response->headers->get('X-Debug-Error'));
}

public function testCspIsDisabledIfDumperWasUsed()
{
$response = new Response('<html><head></head><body></body></html>');
$response->headers->set('X-Debug-Token', 'xxxxxxxx');

$event = new ResponseEvent($this->createMock(Kernel::class), $this->getRequestMock(), HttpKernelInterface::MASTER_REQUEST, $response);

$cspHandler = $this->createMock(ContentSecurityPolicyHandler::class);
$cspHandler->expects($this->once())
->method('disableCsp');
$dumpDataCollector = $this->createMock(DumpDataCollector::class);
$dumpDataCollector->expects($this->once())
->method('getDumpsCount')
->willReturn(1);

$listener = new WebDebugToolbarListener($this->getTwigMock(), false, WebDebugToolbarListener::ENABLED, null, '', $cspHandler, $dumpDataCollector);
$listener->onKernelResponse($event);

$this->assertEquals("<html><head></head><body>\nWDT\n</body></html>", $response->getContent());
}

public function testCspIsKeptEnabledIfDumperWasNotUsed()
{
$response = new Response('<html><head></head><body></body></html>');
$response->headers->set('X-Debug-Token', 'xxxxxxxx');

$event = new ResponseEvent($this->createMock(Kernel::class), $this->getRequestMock(), HttpKernelInterface::MASTER_REQUEST, $response);

$cspHandler = $this->createMock(ContentSecurityPolicyHandler::class);
$cspHandler->expects($this->never())
->method('disableCsp');
$dumpDataCollector = $this->createMock(DumpDataCollector::class);
$dumpDataCollector->expects($this->once())
->method('getDumpsCount')
->willReturn(0);

$listener = new WebDebugToolbarListener($this->getTwigMock(), false, WebDebugToolbarListener::ENABLED, null, '', $cspHandler, $dumpDataCollector);
$listener->onKernelResponse($event);

$this->assertEquals("<html><head></head><body>\nWDT\n</body></html>", $response->getContent());
}

protected function getRequestMock($isXmlHttpRequest = false, $requestFormat = 'html', $hasSession = true)
{
$request = $this->getMockBuilder(Request::class)->setMethods(['getSession', 'isXmlHttpRequest', 'getRequestFormat'])->disableOriginalConstructor()->getMock();
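Review bot: testCspIsDisabledIfDumperWasUsed and testCspIsKeptEnabledIfDumperWasNotUsed only pin the `disableCsp` expectation on the mocked handler; neither checks that `updateResponseHeaders` is still reached after the disable branch, so a regression that returned early before computing the nonces would pass both tests. Adding `$cspHandler->expects($this->once())->method('updateResponseHeaders')->willReturn([]);` to each test closes that gap (the `[]` mirrors what the listener used when no handler was configured). The two methods also repeat their arrange section verbatim; a data provider over the dump count and the expected `disableCsp` invocation count would state the `> 0` boundary in one place. Both test methods are complete within the hunk.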
Expand Up @@ -10,6 +10,7 @@
use Symfony\Component\Config\Loader\LoaderInterface;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;
use Symfony\Component\HttpKernel\Kernel;
use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;

Expand Down Expand Up @@ -65,6 +66,7 @@ public function getLogDir()

protected function build(ContainerBuilder $container)
{
$container->register('data_collector.dump', DumpDataCollector::class);
$container->register('logger', NullLogger::class);
}
