From 7c7cbbe15924408c407082fb824c7ce38be9176d Mon Sep 17 00:00:00 2001 From: Florent Morselli Date: Mon, 17 Jun 2024 19:14:08 +0200 Subject: [PATCH] Add nonce support to PwaRuntime The update includes the use of Nelmio SecurityBundle for Content Security Policy management. Specifically, it checks if the 'nonce' attribute exists in the PwaRuntime and if not, it retrieves a nonce from ContentSecurityPolicyListener for 'script'. This ensures the secure execution of scripts. In addition, if the 'nonce' attribute is set with the value 'false', the attribute is disabled. --- phpstan-baseline.neon | 32 +++++++++++++++++++++++++++++++- src/Twig/PwaRuntime.php | 13 ++++++++++++- 2 files changed, 43 insertions(+), 2 deletions(-) diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon index 27b867b..b56c54a 100644 --- a/phpstan-baseline.neon +++ b/phpstan-baseline.neon @@ -430,6 +430,21 @@ parameters: count: 1 path: src/ImageProcessor/GDImageProcessor.php + - + message: "#^Parameter \\#2 \\$red of function imagecolorallocate expects int\\<0, 255\\>, int given\\.$#" + count: 1 + path: src/ImageProcessor/GDImageProcessor.php + + - + message: "#^Parameter \\#3 \\$green of function imagecolorallocate expects int\\<0, 255\\>, int given\\.$#" + count: 1 + path: src/ImageProcessor/GDImageProcessor.php + + - + message: "#^Parameter \\#4 \\$blue of function imagecolorallocate expects int\\<0, 255\\>, int given\\.$#" + count: 1 + path: src/ImageProcessor/GDImageProcessor.php + - message: "#^Should not use node with type \"Stmt_Echo\", please change the code\\.$#" count: 3 
@@ -638,4 +653,19 @@ parameters: - message: "#^Attribute class Symfony\\\\Component\\\\DependencyInjection\\\\Attribute\\\\TaggedIterator is deprecated\\: since Symfony 7\\.1, use \\{@see AutowireIterator\\} instead\\.$#" count: 1 - path: src/Subscriber/PwaDevServerSubscriber.php \ No newline at end of file + path: src/Subscriber/PwaDevServerSubscriber.php + + - + message: "#^Call to method getNonce\\(\\) on an unknown class Nelmio\\\\SecurityBundle\\\\EventListener\\\\ContentSecurityPolicyListener\\.$#" + count: 1 + path: src/Twig/PwaRuntime.php + + - + message: "#^Parameter \\$cspListener of method SpomkyLabs\\\\PwaBundle\\\\Twig\\\\PwaRuntime\\:\\:__construct\\(\\) has invalid type Nelmio\\\\SecurityBundle\\\\EventListener\\\\ContentSecurityPolicyListener\\.$#" + count: 1 + path: src/Twig/PwaRuntime.php + + - + message: "#^Property SpomkyLabs\\\\PwaBundle\\\\Twig\\\\PwaRuntime\\:\\:\\$cspListener has unknown class Nelmio\\\\SecurityBundle\\\\EventListener\\\\ContentSecurityPolicyListener as its type\\.$#" + count: 1 + path: src/Twig/PwaRuntime.php \ No newline at end of file diff --git a/src/Twig/PwaRuntime.php b/src/Twig/PwaRuntime.php index 8b7db30..bbcb3d4 100644 --- a/src/Twig/PwaRuntime.php +++ b/src/Twig/PwaRuntime.php @@ -5,6 +5,7 @@ namespace SpomkyLabs\PwaBundle\Twig; use InvalidArgumentException; +use Nelmio\SecurityBundle\EventListener\ContentSecurityPolicyListener; use SpomkyLabs\PwaBundle\Dto\Favicons; use SpomkyLabs\PwaBundle\Dto\Icon; use SpomkyLabs\PwaBundle\Dto\Manifest; @@ -13,6 +14,7 @@ use Symfony\Component\AssetMapper\MappedAsset; use Symfony\Component\DependencyInjection\Attribute\Autowire; use Symfony\Component\Mime\MimeTypes; +use function array_key_exists; use const ENT_COMPAT; use const ENT_SUBSTITUTE; use const PHP_EOL; 
@@ -28,6 +30,8 @@ public function __construct(
private FaviconsCompiler $faviconsCompiler,
#[Autowire('%spomky_labs_pwa.manifest.public_url%')]
string $manifestPublicUrl,
+ #[Autowire(service: 'nelmio_security.csp_listener')]
+ private ?ContentSecurityPolicyListener $cspListener = null,
) {
$this->manifestPublicUrl = '/' . trim($manifestPublicUrl, '/');
}
@@ -122,7 +126,7 @@ private function injectServiceWorker(string $output, bool $injectSW, array $swAt
if ($serviceWorker->workbox->enabled === true) {
$workboxUrl = sprintf('%s%s', $serviceWorker->workbox->workboxPublicUrl, '/workbox-window.prod.mjs');
$declaration = << +
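Review bot: The new promoted `$cspListener` parameter carries no documentation of its contract: it is optional and stays null unless nelmio/security-bundle's CSP listener is registered, and a nonce obtained from it is only meaningful on the response whose `Content-Security-Policy` header that same listener writes, so rendered output holding the nonce must not be reused across requests (fragment or HTTP caching would break the match). A docblock above the `#[Autowire(...)]` line along the lines of `/** Optional CSP listener; null when nelmio/security-bundle is absent. Nonces it issues are per response and must not be cached with the rendered markup. */` would make that explicit. The three phpstan-baseline entries added in the previous file suppress "unknown class" errors for `ContentSecurityPolicyListener` rather than making the class resolvable; presumably nelmio/security-bundle is not in `require-dev`, and declaring it there (and under `suggest`) would let PHPStan check the `getNonce()` call instead of baselining it. The constructor's earlier parameters lie above the hunk.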