| 1 | <?php |
| 2 | |
| 3 | /** |
| 4 | * This program is free software; you can redistribute it and/or |
| 5 | * modify it under the terms of the GNU General Public License |
| 6 | * as published by the Free Software Foundation; under version 2 |
| 7 | * of the License (non-upgradable). |
| 8 | * |
| 9 | * This program is distributed in the hope that it will be useful, |
| 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 12 | * GNU General Public License for more details. |
| 13 | * |
| 14 | * You should have received a copy of the GNU General Public License |
| 15 | * along with this program; if not, write to the Free Software |
| 16 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
| 17 | * |
| 18 | * Copyright (c) 2017 (original work) Open Assessment Technologies SA; |
| 19 | * |
| 20 | */ |
| 21 | |
| 22 | namespace oat\tao\helpers\form\validators; |
| 23 | |
| 24 | /** |
| 25 | * Validates the given CSP headers |
| 26 | * |
| 27 | * @author Martijn Swinkels <m.swinkels@taotesting.com> |
| 28 | */ |
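class CspHeaderValidator extends \tao_helpers_form_Validator
{
    /**
     * Keyword sources accepted verbatim in the list (compared case-sensitively).
     */
    public const DIRECTIVES = [
        'self',
        'none',
        '*'
    ];

    /**
     * Invalid entries collected by the last evaluate() run, keyed by
     * 'directives' or 'domain' — the same keys getErrorMessage() reads.
     *
     * @var string[][]
     */
    private $invalidValues;

    /**
     * Overrides parent default message
     *
     * @return string
     */
    protected function getDefaultMessage()
    {
        return __('Invalid CSP header.');
    }

    /**
     * Validates the list of domains and directives for the CSP Header.
     *
     * Validation only runs when the related 'sourceElement' option evaluates
     * to 'list'; for any other source the value is accepted unchanged.
     * Sources are expected one per line (CRLF or LF); blank lines are
     * ignored. On failure the validator message is replaced with a summary
     * of the offending entries.
     *
     * @param string $values Newline-separated list of sources
     * @return bool
     */
    public function evaluate($values)
    {
        // Only validate if the source is set to 'list'
        $sourceElement = $this->getOption('sourceElement');
        $sourceElementValue = $sourceElement->getEvaluatedValue();
        if ($sourceElementValue !== 'list') {
            return true;
        }

        $this->invalidValues = [];
        // Normalise CRLF to LF and drop surrounding whitespace before splitting.
        $values = trim(str_replace("\r", '', (string) $values));

        // Compare against '' rather than truthiness so a literal "0" is
        // reported as an invalid domain instead of as an empty list.
        if ($values === '') {
            $this->setMessage('Please add at least one domain or directive.');
            return false;
        }

        foreach (explode("\n", $values) as $source) {
            // A blank line between entries is not an error; skip it entirely
            // so it is never handed to isValidDomain().
            if ($source === '') {
                continue;
            }

            if (in_array($source, self::DIRECTIVES, true)) {
                if ($this->isValidDirective($source) === false) {
                    // Record under 'directives' so getErrorMessage() reports it.
                    $this->invalidValues['directives'][] = $source;
                }
                continue;
            }

            if ($this->isValidDomain($source) === false) {
                $this->invalidValues['domain'][] = $source;
            }
        }

        $isValid = empty($this->invalidValues);
        if (!$isValid) {
            $this->setMessage($this->getErrorMessage());
        }

        return $isValid;
    }

    /**
     * Convert a keyword directive to its CSP form: lower-case and, when it is
     * purely alphabetic (e.g. self, none), wrapped in single quotes. '*' is
     * returned unchanged. Not used by evaluate(), which validates but does
     * not rewrite the submitted value.
     *
     * @param string $directive
     * @return string
     */
    private function getNormalizedDirective($directive)
    {
        $normalized = strtolower($directive);

        if (ctype_alpha($normalized) === true) {
            return "'" . $normalized . "'";
        }

        return $normalized;
    }

    /**
     * Check if the given directive is valid: '*' or an alphabetic keyword,
     * optionally wrapped in single quotes (self or 'self').
     *
     * @param string $directive
     * @return bool
     */
    private function isValidDirective($directive)
    {
        if ($directive === '*') {
            return true;
        }
        // preg_match() returns 0 on no match and false on error; only 1
        // means the pattern matched, so `!== false` would accept anything.
        return preg_match('/^(\'[a-z]+\'|[a-z]+)$/i', $directive) === 1;
    }

    /**
     * Check if the given domain is valid: an absolute URL, or a host name
     * optionally prefixed with a scheme or a '*.' wildcard label.
     *
     * @param string $domain
     * @return bool
     */
    private function isValidDomain($domain)
    {
        // Whitespace, ';' and ',' separate source expressions, directives and
        // policies in the Content-Security-Policy header. A value containing
        // one would spill past its own slot when the header is built, so it
        // is rejected before the more permissive URL and host checks below.
        if (preg_match('/[\s;,]/', $domain) === 1) {
            return false;
        }

        if (filter_var($domain, FILTER_VALIDATE_URL)) {
            return true;
        }

        $regex = '~^(https?:\/\/|(\*\.){1})?(\w.+)(\.)(?!\s)(?!\.\*)(\w{2,})$~i';
        return preg_match($regex, $domain) === 1;
    }

    /**
     * Build the error message listing the invalid domains and directives
     * collected by evaluate(). Sections with no entries are omitted, so the
     * message never starts or ends with a stray newline.
     *
     * @return string
     */
    private function getErrorMessage()
    {
        $parts = [];

        if (!empty($this->invalidValues['domain'])) {
            $parts[] = "The following domains are invalid:\n- "
                . implode("\n- ", $this->invalidValues['domain']);
        }

        if (!empty($this->invalidValues['directives'])) {
            $parts[] = "The following directives are invalid:\n- "
                . implode("\n- ", $this->invalidValues['directives']);
        }

        return implode("\n", $parts);
    }
}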