Infra-Mirrors/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-01 01:36:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

CSP: Updated handling of drawio URL to consider port

Browse Source 
Previously if a custom port was used in the DRAWIO option it would not
be considered in the CSP handling, which would block loading.

Added test to cover.
For #5107
This commit is contained in:
Dan Brown 2024-07-14 16:06:18 +01:00
parent 767699a066
commit 897bb338f9
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
2 changed files with 33 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
app/Util/CspService.php
View File

@ -133,18 +133,30 @@ class CspService
protected function getAllowedIframeSources(): array protected function getAllowedIframeSources(): array
{ {
$sources = config('app.iframe_sources', ''); $sources = explode(' ', config('app.iframe_sources', ''));
$hosts = array_filter(explode(' ', $sources)); $sources[] = $this->getDrawioHost();
// Extract drawing service url to allow embedding if active return array_filter($sources);
}
/**
* Extract the host name of the configured drawio URL for use in CSP.
* Returns empty string if not in use.
*/
protected function getDrawioHost(): string
{
$drawioConfigValue = config('services.drawio'); $drawioConfigValue = config('services.drawio');
if ($drawioConfigValue) { if (!$drawioConfigValue) {
$drawioSource = is_string($drawioConfigValue) ? $drawioConfigValue : 'https://embed.diagrams.net/'; return '';
$drawioSourceParsed = parse_url($drawioSource);
$drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];
$hosts[] = $drawioHost;
} }
return $hosts; $drawioSource = is_string($drawioConfigValue) ? $drawioConfigValue : 'https://embed.diagrams.net/';
$drawioSourceParsed = parse_url($drawioSource);
$drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];
if (isset($drawioSourceParsed['port'])) {
$drawioHost .= ':' . $drawioSourceParsed['port'];
}
return $drawioHost;
} }
} }

12
tests/SecurityHeaderTest.php
View File

@ -139,6 +139,18 @@ class SecurityHeaderTest extends TestCase
$this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader); $this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader);
} }
public function test_frame_src_csp_header_drawio_host_includes_port_if_existing()
{
config()->set([
'app.iframe_sources' => 'https://example.com',
'services.drawio' => 'https://diagrams.example.com:8080/testing?cat=dog',
]);
$resp = $this->get('/');
$scriptHeader = $this->getCspHeader($resp, 'frame-src');
$this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com:8080', $scriptHeader);
}
public function test_cache_control_headers_are_set_on_responses() public function test_cache_control_headers_are_set_on_responses()
{ {
// Public access // Public access