Add csp rules for api (#1882)

* disable csp when query for docs/api --------- Co-authored-by: Benoît Viguier <ildyria@users.noreply.github.com> Co-authored-by: Martin Stone <1611702+d7415@users.noreply.github.com>
LycheeOrg · Jun 24, 2023 · 055d4e1 · 055d4e1
1 parent 82681d7
commit 055d4e1
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 11 deletions.
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
@@ -42,6 +42,7 @@ class Kernel extends HttpKernel
 			\Illuminate\View\Middleware\ShareErrorsFromSession::class,
 			\App\Http\Middleware\VerifyCsrfToken::class,
 			\Illuminate\Routing\Middleware\SubstituteBindings::class,
+			\App\Http\Middleware\DisableCSP::class,
 		],
 
 		'web-admin' => [
@@ -53,6 +54,7 @@ class Kernel extends HttpKernel
 			\Illuminate\View\Middleware\ShareErrorsFromSession::class,
 			\App\Http\Middleware\VerifyCsrfToken::class,
 			\Illuminate\Routing\Middleware\SubstituteBindings::class,
+			\App\Http\Middleware\DisableCSP::class,
 		],
 
 		'web-install' => [

diff --git a/app/Http/Middleware/DisableCSP.php b/app/Http/Middleware/DisableCSP.php
@@ -0,0 +1,49 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Contracts\Exceptions\LycheeException;
+use Illuminate\Http\Request;
+
+/**
+ * Class DisableCSP.
+ *
+ * This middleware disables the CSP when needed.
+ * This ensures that some external dependencies are loaded for e.g.
+ * docs/api or log-viewer
+ */
+class DisableCSP
+{
+	/**
+	 * Handles an incoming request.
+	 *
+	 * @param Request  $request the incoming request to serve
+	 * @param \Closure $next    the next operation to be applied to the
+	 *                          request
+	 *
+	 * @return mixed
+	 *
+	 * @throws LycheeException
+	 */
+	public function handle(Request $request, \Closure $next): mixed
+	{
+		if (
+			config('debugbar.enabled', false) === true ||
+			$request->getRequestUri() === '/docs/api'
+		) {
+			config(['secure-headers.csp.enable' => false]);
+		}
+
+		if ($request->getRequestUri() === '/' . config('log-viewer.route_path', 'Logs')) {
+			// We must disable unsafe-eval because vue3 used by log-viewer requires it.
+			// We must disable unsafe-inline (and hashes) because log-viewer uses inline script with parameter to boot.
+			// Those parameters are not know by Lychee if someone modifies the config.
+			// We only do that in that specific case. It is disabled by default otherwise.
+			config(['secure-headers.csp.script-src.unsafe-eval' => true]);
+			config(['secure-headers.csp.script-src.unsafe-inline' => true]);
+			config(['secure-headers.csp.script-src.hashes.sha256' => []]);
+		}
+
+		return $next($request);
+	}
+}
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
@@ -114,14 +114,6 @@ public function boot()
 		 * Set up the Authorization layer for accessing Logs in LogViewer.
 		 */
 		LogViewer::auth(function ($request) {
-			// We must disable unsafe-eval because vue3 used by log-viewer requires it.
-			// We must disable unsafe-inline (and hashes) because log-viewer uses inline script with parameter to boot.
-			// Those parameters are not know by Lychee if someone modifies the config.
-			// We only do that in that specific case. It is disabled by default otherwise.
-			config(['secure-headers.csp.script-src.unsafe-eval' => true]);
-			config(['secure-headers.csp.script-src.unsafe-inline' => true]);
-			config(['secure-headers.csp.script-src.hashes.sha256' => []]);
-
 			// Allow to bypass when debug is ON and when env is dev
 			// At this point, it is no longer our fault if the Lychee admin have their logs publically accessible.
 			if (config('app.debug', false) === true && config('app.env', 'production') === 'dev') {

diff --git a/config/secure-headers.php b/config/secure-headers.php
@@ -317,7 +317,7 @@
 	 * There is no easy way to use CSP with debug bar at the moment, so we disable CSP if debug bar is enabled.
 	 */
 	'csp' => [
-		'enable' => ((bool) env('DEBUGBAR_ENABLED', false)) === false,
+		'enable' => true,
 
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 		'report-only' => false,
@@ -347,7 +347,7 @@
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
 		'connect-src' => array_merge(
 			['https://lycheeorg.github.io/update.json'],
-			explode(",", env('SECURITY_HEADER_CSP_CONNECT_SRC', ''))
+			explode(',', env('SECURITY_HEADER_CSP_CONNECT_SRC', ''))
 		),
 
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
@@ -470,7 +470,7 @@
 
 			'allow' => array_merge(
 				['https://www.dropbox.com/static/api/1/dropins.js'],
-				explode(",", env('SECURITY_HEADER_SCRIPT_SRC_ALLOW', ''))
+				explode(',', env('SECURITY_HEADER_SCRIPT_SRC_ALLOW', ''))
 			),
 
 			'schemes' => [