Merge branch 'csp-middleware' into develop

This commit is contained in:
snipe 2017-09-29 04:14:33 -07:00
commit 9ce2d1f560
33 changed files with 107 additions and 38 deletions

View file

@ -63,7 +63,13 @@ ENCRYPT=false
COOKIE_NAME=snipeit_session
COOKIE_DOMAIN=null
SECURE_COOKIES=false
# --------------------------------------------
# OPTIONAL: SECURITY HEADER SETTINGS
# --------------------------------------------
REFERRER_POLICY=strict-origin
DISABLE_CSP=false
# --------------------------------------------

View file

@ -20,6 +20,7 @@ class Kernel extends HttpKernel
\App\Http\Middleware\FrameGuard::class,
\App\Http\Middleware\XssProtectHeader::class,
\App\Http\Middleware\ReferrerPolicyHeader::class,
\App\Http\Middleware\ContentSecurityPolicyHeader::class,
\App\Http\Middleware\NosniffGuard::class,
\App\Http\Middleware\CheckForSetup::class,
\Fideloper\Proxy\TrustProxies::class,

View file

@ -0,0 +1,35 @@
<?php
namespace App\Http\Middleware;
use Closure;
class ContentSecurityPolicyHeader
{
/**
* Handle the given request and get the response.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return \Illuminate\Http\Response
*/
public function handle($request, Closure $next)
{
if (config('app.disable_csp')=='true') {
$response = $next($request);
return $response;
}
$policy[] = "default-src 'self'";
$policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
$policy[] = "script-src 'self' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'";
$policy[] = "connect-src 'self'";
$policy[] = "object-src 'none'";
$policy[] = "font-src 'self' data:";
$policy[] = "img-src 'self' data: gravatar.com";
$policy = join(';', $policy);
$response = $next($request);
$response->headers->set('Content-Security-Policy', $policy);
return $response;
}
}

View file

@ -169,6 +169,24 @@ return [
'referrer_policy' => env('REFERRER_POLICY', 'strict-origin'),
/*
|--------------------------------------------------------------------------
| CSP
|--------------------------------------------------------------------------
|
| Disable the content security policy that restricts what scripts, images
| and styles can load. (This should be left as false if you don't know
| what this means.)
|
| Read more: https://www.w3.org/TR/CSP/
| Read more: https://content-security-policy.com
|
*/
'disable_csp' => env('DISABLE_CSP', false),
/*
|--------------------------------------------------------------------------

View file

@ -5,10 +5,12 @@
RewriteEngine On
# Uncomment these two lines to force SSL redirect
# Uncomment these two lines to force SSL redirect in Apache
# RewriteCond %{HTTPS} off
# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
@ -21,4 +23,11 @@
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Security Headers
Header set Strict-Transport-Security "max-age=2592000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Permitted-Cross-Domain-Policies "master-only"
</IfModule>

View file

@ -94,7 +94,7 @@
@section('moar_scripts')
<script src="{{ asset('js/signature_pad.min.js') }}"></script>
<script>
<script nonce="{{ csrf_token() }}">
var wrapper = document.getElementById("signature-pad"),
clearButton = wrapper.querySelector("[data-action=clear]"),
saveButton = wrapper.querySelector("[data-action=save]"),

View file

@ -16,7 +16,7 @@
@stop
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">
new Vue({
el: "#app",
});

View file

@ -149,7 +149,7 @@
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">
$( "a[name='Request']").click(function(event) {
// event.preventDefault();

View file

@ -58,7 +58,7 @@
@section('moar_scripts')
@include ('partials.bootstrap-table', ['exportFile' => 'maintenances-export', 'search' => true])
<script>
<script nonce="{{ csrf_token() }}">
function maintenanceActions(value, row) {
var actions = '<nobr>';
if ((row) && (row.available_actions.update === true)) {

View file

@ -134,7 +134,7 @@
@stop
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">
$(document).ready(function(){
// Only display the custom format field if it's a custom format validation type

View file

@ -82,7 +82,7 @@
@stop
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">
var fixHelperModified = function(e, tr) {
var $originals = tr.children();
var $helper = tr.clone();

View file

@ -253,7 +253,7 @@
@endif
<script>
<script nonce="{{ csrf_token() }}">

View file

@ -108,7 +108,7 @@
@stop
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">
$(function() {
$('#assigned_to').on("change",function () {
// console.warn("Model Id has changed!");

View file

@ -154,7 +154,7 @@
@stop
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">
$(function() {
$('#assigned_user').on("change",function () {
var userid = $('#assigned_user option:selected').val();

View file

@ -160,7 +160,7 @@
@stop
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">

View file

@ -190,7 +190,7 @@
@endif
</div></div></div>
<script>
<script nonce="{{ csrf_token() }}">
$(document).ready(function(){
$('#generate-password').pGenerator({

View file

@ -125,7 +125,7 @@
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">
$("#audit-form").submit(function (event) {
$('#audited-div').show();

View file

@ -703,7 +703,7 @@
@section('moar_scripts')
@include ('partials.bootstrap-table', ['simple_view' => true])
<script>
<script nonce="{{ csrf_token() }}">
$(document).delegate('*[data-toggle="lightbox"]', 'click', function(event) {
event.preventDefault();
$(this).ekkoLightbox();

View file

@ -83,7 +83,7 @@
@stop
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">
new Vue({
el: '#app'
});

View file

@ -27,13 +27,13 @@
<meta name="csrf-token" content="{{ csrf_token() }}">
<script>
<script nonce="{{ csrf_token() }}">
window.Laravel = { csrfToken: '{{ csrf_token() }}' };
</script>
<style>
<style nonce="{{ csrf_token() }}">
@if ($snipeSettings)
@if ($snipeSettings->header_color)
.main-header .navbar, .main-header .logo {
@ -70,7 +70,7 @@
<script>
<script nonce="{{ csrf_token() }}">
window.snipeit = {
settings: {
"per_page": {{ $snipeSettings->per_page }}
@ -662,7 +662,7 @@
<script src="{{ url(mix('js/dist/all.js')) }}"></script>
<script>
<script nonce="{{ csrf_token() }}">
$(function () {
var datepicker = $.fn.datepicker.noConflict(); // return $.fn.datepicker to previously assigned value
$.fn.bootstrapDP = datepicker;
@ -677,14 +677,14 @@
@section('moar_scripts')
@show
<script>
<script nonce="{{ csrf_token() }}">
$(function () {
$('[data-toggle="tooltip"]').tooltip();
})
</script>
@if ((Session::get('topsearch')=='true') || (Request::is('/')))
<script>
<script nonce="{{ csrf_token() }}">
$("#tagSearch").focus();
</script>
@endif

View file

@ -13,7 +13,7 @@
<script>
<script nonce="{{ csrf_token() }}">
window.snipeit = {
settings: {
"per_page": 20
@ -120,7 +120,7 @@
</div>
<script src="{{ url(mix('js/dist/all.js')) }}"></script>
<script>
<script nonce="{{ csrf_token() }}">
$(function () {
$(".select2").select2();
});

View file

@ -62,7 +62,7 @@
@if (!$item->id)
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">
var $eventSelect = $(".parent");
$eventSelect.on("change", function () { parent_details($eventSelect.val()); });

View file

@ -1,7 +1,7 @@
<script src="/js/pGenerator.jquery.js"></script>
<script>
<script nonce="{{ csrf_token() }}">
$(document).ready(function () {
$('#genPassword').pGenerator({

View file

@ -13,7 +13,7 @@
<script src="{{ asset('js/extensions/toolbar/bootstrap-table-toolbar.js') }}"></script>
@endif
<script>
<script nonce="{{ csrf_token() }}">
$('.snipe-table').bootstrapTable({
classes: 'table table-responsive table-no-bordered',
undefinedText: '',

View file

@ -24,7 +24,7 @@
@stop
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">
new Vue({
el: "#app",
});

View file

@ -146,7 +146,7 @@
@section('moar_scripts')
<!-- bootstrap color picker -->
<script>
<script nonce="{{ csrf_token() }}">
//color picker with addon
$(".header-color").colorpicker();
// toggle the disabled state of asset id prefix

View file

@ -199,7 +199,7 @@
@section('moar_scripts')
<!-- bootstrap color picker -->
<script>
<script nonce="{{ csrf_token() }}">
//color picker with addon
$(".header-color").colorpicker();
// toggle the disabled state of asset id prefix

View file

@ -372,7 +372,7 @@
@stop
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">
$("#ldaptest").click(function(){
$("#ldaptestrow").removeClass('success');
$("#ldaptestrow").removeClass('danger');

View file

@ -57,7 +57,7 @@
@section('moar_scripts')
<!-- bootstrap color picker -->
<script>
<script nonce="{{ csrf_token() }}">
//color picker with addon
$(".color").colorpicker();
</script>

View file

@ -54,7 +54,7 @@
@section('moar_scripts')
@include ('partials.bootstrap-table', ['exportFile' => 'statuslabels-export', 'search' => true])
<script>
<script nonce="{{ csrf_token() }}">
function colorSqFormatter(value, row) {
if (value) {
return '<span class="label" style="background-color: ' + value + ';">&nbsp;</span> ' + value;

View file

@ -553,7 +553,7 @@
@stop
@section('moar_scripts')
<script>
<script nonce="{{ csrf_token() }}">
$(document).ready(function() {
$('#email').on('keyup',function(){
@ -570,7 +570,7 @@ $(document).ready(function() {
});
</script>
<script>
<script nonce="{{ csrf_token() }}">
$('tr.header-row input:radio').click(function() {
value = $(this).attr('value');
$(this).parent().parent().siblings().each(function() {
@ -585,7 +585,7 @@ $('.header-name').click(function() {
<script src="{{ asset('js/pGenerator.jquery.js') }}"></script>
<script>
<script nonce="{{ csrf_token() }}">
$(document).ready(function(){

View file

@ -86,7 +86,7 @@
'columns' => \App\Presenters\UserPresenter::dataTableLayout()
])
<script>
<script nonce="{{ csrf_token() }}">
function groupsFormatter(value) {

View file

@ -491,7 +491,7 @@
@section('moar_scripts')
@include ('partials.bootstrap-table', ['simple_view' => true])
<script>
<script nonce="{{ csrf_token() }}">
$(function () {
//binds to onchange event of your input field
var uploadedFileSize = 0;