Merge pull request #944 from cakephp/fix-csp-nonce

Use cspScriptNonce when it is available

Author: markstory

Diff for: src/Middleware/DebugKitMiddleware.php

@@ -69,6 +69,6 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
             return $response;
         }
 
-        return $this->service->injectScripts($row, $response);
+        return $this->service->injectScripts($row, $request, $response);
     }
 }

Diff for: src/ToolbarService.php

@@ -25,6 +25,7 @@
 use DebugKit\Panel\PanelRegistry;
 use PDOException;
 use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
 
 /**
  * Used to create the panels and inject a toolbar into
@@ -337,10 +338,11 @@ public function getToolbarUrl()
      * contains HTML and there is a </body> tag.
      *
      * @param \DebugKit\Model\Entity\Request $row The request data to inject.
+     * @param \Psr\Http\Message\ServerRequestInterface $request The request to augment.
      * @param \Psr\Http\Message\ResponseInterface $response The response to augment.
      * @return \Psr\Http\Message\ResponseInterface The modified response
      */
-    public function injectScripts($row, ResponseInterface $response)
+    public function injectScripts($row, ServerRequestInterface $request, ResponseInterface $response)
     {
         $response = $response->withHeader('X-DEBUGKIT-ID', (string)$row->id);
         if (strpos($response->getHeaderLine('Content-Type'), 'html') === false) {
@@ -357,13 +359,18 @@ public function injectScripts($row, ResponseInterface $response)
         if ($pos === false) {
             return $response;
         }
+        $nonce = $request->getAttribute('cspScriptNonce');
+        if ($nonce) {
+            $nonce = sprintf(' nonce="%s"', $nonce);
+        }
 
         $url = Router::url('/', true);
         $script = sprintf(
-            '<script id="__debug_kit_script" data-id="%s" data-url="%s" type="module" src="%s"></script>',
+            '<script id="__debug_kit_script" data-id="%s" data-url="%s" type="module" src="%s"%s></script>',
             $row->id,
             $url,
-            Router::url($this->getToolbarUrl())
+            Router::url($this->getToolbarUrl()),
+            $nonce
         );
         $contents = substr($contents, 0, $pos) . $script . substr($contents, $pos);
         $body->rewind();

Diff for: tests/TestCase/Middleware/DebugKitMiddlewareTest.php

@@ -50,7 +50,7 @@ public function setUp(): void
         parent::setUp();
 
         $connection = ConnectionManager::get('test');
-        $this->skipIf($connection->getDriver() instanceof Sqlite, 'Schema insertion/removal breaks SQLite');
+        $this->skipIf($connection->getDriver() instanceof Sqlite, 'This test fails in CI with sqlite');
         $this->oldConfig = Configure::read('DebugKit');
         $this->restore = $GLOBALS['__PHPUNIT_BOOTSTRAP'];
         unset($GLOBALS['__PHPUNIT_BOOTSTRAP']);
@@ -132,6 +132,38 @@ public function testInvokeSaveData()
         $this->assertTextEquals($expected, $body);
     }
 
+    /**
+     * Ensure data is saved for HTML requests
+     *
+     * @return void
+     */
+    public function testInvokeInjectCspNonce()
+    {
+        $request = new ServerRequest([
+            'url' => '/articles',
+            'environment' => ['REQUEST_METHOD' => 'GET'],
+        ]);
+        $request = $request->withAttribute('cspScriptNonce', 'csp-nonce');
+
+        $response = new Response([
+            'statusCode' => 200,
+            'type' => 'text/html',
+            'body' => '<html><title>test</title><body><p>some text</p></body>',
+        ]);
+
+        $handler = $this->handler();
+        $handler->expects($this->once())
+            ->method('handle')
+            ->willReturn($response);
+
+        $middleware = new DebugKitMiddleware();
+        $response = $middleware->process($request, $handler);
+        $this->assertInstanceOf(Response::class, $response, 'Should return the response');
+
+        $body = (string)$response->getBody();
+        $this->assertStringContainsString('nonce="csp-nonce"', $body);
+    }
+
     /**
      * Ensure that streaming results are tracked, but not modified.
      *

Diff for: tests/TestCase/ToolbarServiceTest.php

@@ -303,7 +303,7 @@ public function testInjectScriptsLastBodyTag()
         $bar = new ToolbarService($this->events, []);
         $bar->loadPanels();
         $row = $bar->saveData($request, $response);
-        $response = $bar->injectScripts($row, $response);
+        $response = $bar->injectScripts($row, $request, $response);
 
         $timeStamp = filemtime(Plugin::path('DebugKit') . 'webroot' . DS . 'js' . DS . 'main.js');
 
@@ -335,7 +335,7 @@ public function testInjectScriptsFileBodies()
         $bar = new ToolbarService($this->events, []);
         $row = new RequestEntity(['id' => 'abc123']);
 
-        $result = $bar->injectScripts($row, $response);
+        $result = $bar->injectScripts($row, $request, $response);
         $this->assertInstanceOf('Cake\Http\Response', $result);
         $this->assertSame(file_get_contents(__FILE__), '' . $result->getBody());
         $this->assertTrue($result->hasHeader('X-DEBUGKIT-ID'), 'Should have a tracking id');
@@ -361,7 +361,7 @@ public function testInjectScriptsStreamBodies()
         $bar = new ToolbarService($this->events, []);
         $row = new RequestEntity(['id' => 'abc123']);
 
-        $result = $bar->injectScripts($row, $response);
+        $result = $bar->injectScripts($row, $request, $response);
         $this->assertInstanceOf('Cake\Http\Response', $result);
         $this->assertSame('I am a teapot!', (string)$response->getBody());
     }
@@ -385,7 +385,7 @@ public function testInjectScriptsNoModifyResponse()
         $bar->loadPanels();
 
         $row = $bar->saveData($request, $response);
-        $response = $bar->injectScripts($row, $response);
+        $response = $bar->injectScripts($row, $request, $response);
         $this->assertTextEquals('{"some":"json"}', (string)$response->getBody());
         $this->assertTrue($response->hasHeader('X-DEBUGKIT-ID'), 'Should have a tracking id');
     }