Exemplo n.º 1
        /// <summary>
        /// Creates a CSP configuration and, unless told otherwise, gives every directive
        /// property its own freshly constructed configuration object.
        /// </summary>
        /// <param name="initializeDirectives">
        /// <c>true</c> (the default) to construct all directive configurations;
        /// <c>false</c> to assign nothing in this constructor.
        /// </param>
        public CspConfiguration(bool initializeDirectives=true)
        {
            // NOTE(review): when initializeDirectives is false this constructor assigns no directive,
            // so the properties presumably stay null unless set elsewhere. Confirm that code building
            // the policy from this object tolerates unset directives.
            if (initializeDirectives)
            {
                // Directives backed by the general-purpose directive configuration type.
                DefaultSrcDirective = new CspDirectiveConfiguration();
                ScriptSrcDirective = new CspDirectiveConfiguration();
                ObjectSrcDirective = new CspDirectiveConfiguration();
                StyleSrcDirective = new CspDirectiveConfiguration();
                ImgSrcDirective = new CspDirectiveConfiguration();
                MediaSrcDirective = new CspDirectiveConfiguration();
                FrameSrcDirective = new CspDirectiveConfiguration();
                FontSrcDirective = new CspDirectiveConfiguration();
                ConnectSrcDirective = new CspDirectiveConfiguration();
                BaseUriDirective = new CspDirectiveConfiguration();
                ChildSrcDirective = new CspDirectiveConfiguration();
                FormActionDirective = new CspDirectiveConfiguration();
                FrameAncestorsDirective = new CspDirectiveConfiguration();

                // Directives that have a dedicated configuration type.
                PluginTypesDirective = new CspPluginTypesDirectiveConfiguration();
                SandboxDirective = new CspSandboxDirectiveConfiguration();
                UpgradeInsecureRequestsDirective = new CspUpgradeDirectiveConfiguration();
                ReportUriDirective = new CspReportUriDirectiveConfiguration();
            }
        }
Exemplo n.º 2
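        public void GetCspScriptNonce_ScriptNonceRequestedAndOverrideWithoutNonce_SetsNonceOnOverride()
        {
            // Purpose: requesting a script nonce must write the same nonce to the script-src
            // directive of both the enforced and the report-only override configuration.
            var overrideConfig                 = new CspOverrideConfiguration();
            var overrideConfigReportOnly       = new CspOverrideConfiguration();
            var overrideCspDirective           = new CspDirectiveConfiguration();
            var overrideCspReportOnlyDirective = new CspDirectiveConfiguration();

            // The second argument selects the report-only override; each override config
            // is mapped to its own script-src directive, neither of which has a nonce set yet.
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContext>(), false, false)).Returns(overrideConfig);
            _contextHelper.Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContext>(), true, false)).Returns(overrideConfigReportOnly);
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfig, CspDirectives.ScriptSrc)).Returns(overrideCspDirective);
            _directiveConfigMapper.Setup(m => m.GetCspDirectiveConfig(overrideConfigReportOnly, CspDirectives.ScriptSrc)).Returns(overrideCspReportOnlyDirective);

            var nonce = _cspConfigurationOverrideHelper.GetCspScriptNonce(MockContext);

            // Require a real value first: a null nonce would compare equal to the untouched
            // Nonce of the freshly created directives (presumably null by default), so the
            // equality assertions alone would pass even if no nonce were generated.
            Assert.False(string.IsNullOrEmpty(nonce));
            Assert.Equal(nonce, overrideCspDirective.Nonce);
            Assert.Equal(nonce, overrideCspReportOnlyDirective.Nonce);
        }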
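        public void GetOverridenCspDirectiveConfig_NoneDisabledOverride_OverridesNoneAndKeepsOtherSources()
        {
            // Every kind of source is populated so that any source dropped by the override
            // shows up as a difference in the comparison below.
            var directiveConfig = new CspDirectiveConfiguration
            {
                NoneSrc          = false,
                SelfSrc          = true,
                Nonce            = "hei",
                UnsafeInlineSrc  = true,
                UnsafeEvalSrc    = true,
                StrictDynamicSrc = true,
                CustomSources    = new[] { "nwebsec.com" }
            };

            // Explicitly switching 'none' off is expected to leave the configured sources alone.
            var directiveOverride = new CspDirectiveOverride
            {
                None = false
            };

            var newConfig = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig);

            // NOTE(review): the expectation is the input object itself. If the helper edits and
            // returns that same instance (TODO confirm), this comparison cannot fail; a separately
            // built expected configuration would make the check meaningful.
            // xUnit takes the expected value first, so a failure labels the two sides correctly.
            Assert.Equal(directiveConfig, newConfig, new CspDirectiveConfigurationEqualityComparer());
        }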
Exemplo n.º 4
        /// <summary>
        /// Looks up the configuration for <paramref name="directive"/> and returns a new object
        /// holding a copy of its values.
        /// </summary>
        /// <param name="cspConfig">CSP configuration handed to <c>GetCspDirectiveConfig</c> for the lookup.</param>
        /// <param name="directive">Directive whose configuration is copied.</param>
        /// <returns>
        /// A new <c>CspDirectiveConfiguration</c> with the copied values, or <c>null</c> when the
        /// lookup yields <c>null</c>.
        /// </returns>
        public ICspDirectiveConfiguration GetCspDirectiveConfigCloned(ICspConfiguration cspConfig, CspDirectives directive)
        {
            var source = GetCspDirectiveConfig(cspConfig, directive);

            if (source != null)
            {
                // NOTE(review): only the properties listed below are carried over. If the directive
                // configuration type has further source flags (for example a strict-dynamic flag,
                // TODO confirm for this version), the copy silently drops them and the resulting
                // policy differs from the one that was cloned.
                var copy = new CspDirectiveConfiguration();
                copy.Enabled = source.Enabled;
                copy.NoneSrc = source.NoneSrc;
                copy.SelfSrc = source.SelfSrc;
                copy.UnsafeEvalSrc = source.UnsafeEvalSrc;
                copy.UnsafeInlineSrc = source.UnsafeInlineSrc;
                copy.Nonce = source.Nonce;

                // The sources are materialised into a list of their own, so later changes to the
                // copy do not reach the original collection; a missing collection becomes an empty list.
                copy.CustomSources = source.CustomSources != null
                    ? source.CustomSources.ToList()
                    : new List<string>(0);

                return copy;
            }

            return null;
        }
Exemplo n.º 5
        public void SetCspDirectiveOverride_HasOverride_OverridesExistingOverride(bool reportOnly, CspDirectives directive)
        {
            // Purpose: when a directive already has an override, applying another one must store
            // the result produced by the directive override helper on the override configuration.

            // Test objects: the override configuration for the request, the directive override
            // already in place, the new override to apply, and the result the helper will produce.
            var overrideConfiguration = new CspOverrideConfiguration();
            var existingDirective = new CspDirectiveConfiguration();
            var requestedOverride = new CspDirectiveOverride();
            var mergedDirective = new CspDirectiveConfiguration();

            // The context hands back the override configuration for the requested mode.
            _contextHelper
                .Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContext>(), reportOnly, false))
                .Returns(overrideConfiguration);

            // The mapper reports the override that already exists for the directive.
            _directiveConfigMapper
                .Setup(m => m.GetCspDirectiveConfig(overrideConfiguration, directive))
                .Returns(existingDirective);

            // Combining the existing override with the requested one yields the merged result.
            _directiveOverrideHelper
                .Setup(h => h.GetOverridenCspDirectiveConfig(requestedOverride, existingDirective))
                .Returns(mergedDirective);

            // Storing the merged result is expected to be the final step.
            _directiveConfigMapper
                .Setup(m => m.SetCspDirectiveConfig(overrideConfiguration, directive, mergedDirective));

            _cspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, requestedOverride, reportOnly);

            // The merged result, and nothing else, must have been written exactly once.
            _directiveConfigMapper.Verify(
                m => m.SetCspDirectiveConfig(overrideConfiguration, directive, mergedDirective),
                Times.Once);
        }
Exemplo n.º 6
        public void GetCspDirectiveConfigCloned_Configured_ClonesDirective()
        {
            // Purpose: cloning a configured script-src directive must return a different object
            // that the comparer still treats as equal to the original.
            var original = new CspDirectiveConfiguration();
            original.Enabled = false;
            original.NoneSrc = true;
            original.SelfSrc = true;
            original.UnsafeEvalSrc = true;
            original.UnsafeInlineSrc = false;
            original.CustomSources = new[] { "https://www.nwebsec.com", "www.klings.org" };

            // Skip directive initialisation so script-src is the only directive that is set.
            var cspConfig = new CspConfiguration(false);
            cspConfig.ScriptSrcDirective = original;

            var configMapper = new CspConfigMapper();

            var cloned = configMapper.GetCspDirectiveConfigCloned(cspConfig, CspDirectives.ScriptSrc);

            // NOTE(review): Nonce is not set on the original here, so this test says nothing about
            // whether a nonce survives cloning; which properties are compared depends on the comparer.
            Assert.AreNotSame(original, cloned);
            Assert.That(cloned, Is.EqualTo(original).Using(new CspDirectiveConfigurationComparer()));
        }
Exemplo n.º 7
        public void GetOverridenCspDirectiveConfig_NoneEnabledOverride_OverridesNoneAndDropsOtherSources()
        {
            // Purpose: an override that turns 'none' on must wipe every other source, because
            // 'none' is only meaningful when it stands alone in the directive.
            var configuredDirective = new CspDirectiveConfiguration();
            configuredDirective.NoneSrc = false;
            configuredDirective.SelfSrc = true;
            configuredDirective.Nonce = "hei";
            configuredDirective.UnsafeEvalSrc = true;
            configuredDirective.UnsafeInlineSrc = true;
            configuredDirective.CustomSources = new[] { "nwebsec.com" };

            var noneOverride = new CspDirectiveOverride();
            noneOverride.None = true;

            // Expected outcome: a configuration with nothing but 'none' switched on.
            var noneOnly = new CspDirectiveConfiguration();
            noneOnly.NoneSrc = true;

            var result = _overrideHelper.GetOverridenCspDirectiveConfig(noneOverride, configuredDirective);

            Assert.That(result, Is.EqualTo(noneOnly).Using(new CspDirectiveConfigurationComparer()));
        }
Exemplo n.º 8
        /// <summary>
        /// Builds a CSP configuration, by default assigning a new configuration object to
        /// each directive property.
        /// </summary>
        /// <param name="initializeDirectives">
        /// Pass <c>false</c> to skip all assignments made by this constructor; defaults to <c>true</c>.
        /// </param>
        public CspConfiguration(bool initializeDirectives = true)
        {
            // NOTE(review): with initializeDirectives set to false nothing is assigned here, so the
            // directive properties presumably remain null unless set elsewhere. Confirm consumers
            // handle unset directives.
            if (initializeDirectives)
            {
                // Directives that use the general directive configuration type.
                DefaultSrcDirective = new CspDirectiveConfiguration();
                ScriptSrcDirective = new CspDirectiveConfiguration();
                ObjectSrcDirective = new CspDirectiveConfiguration();
                StyleSrcDirective = new CspDirectiveConfiguration();
                ImgSrcDirective = new CspDirectiveConfiguration();
                MediaSrcDirective = new CspDirectiveConfiguration();
                FrameSrcDirective = new CspDirectiveConfiguration();
                FontSrcDirective = new CspDirectiveConfiguration();
                ConnectSrcDirective = new CspDirectiveConfiguration();
                BaseUriDirective = new CspDirectiveConfiguration();
                ChildSrcDirective = new CspDirectiveConfiguration();
                FormActionDirective = new CspDirectiveConfiguration();
                FrameAncestorsDirective = new CspDirectiveConfiguration();

                // Directives that use a specialised configuration type.
                PluginTypesDirective = new CspPluginTypesDirectiveConfiguration();
                SandboxDirective = new CspSandboxDirectiveConfiguration();
                ReportUriDirective = new CspReportUriDirectiveConfiguration();
            }
        }