Merge pull request #10360 from NuGet/dev-vhus-strictCSP

[VHUS] add strict CSP in report-only mode

Author: enema17484

src/Bootstrap/less/theme/page-upload.less

@@ -1,80 +1,83 @@
 .page-upload {
-    #browse-for-package-button {
-        margin: 0;
+  #browse-for-package-button {
+    margin: 0;
+  }
+
+  #input-select-file {
+    display: none;
+  }
+
+  .readme-tabs {
+    margin-top: 0.5em;
+
+    .nav-tabs > li {
+      padding-right: 2px;
     }
-    
-    .readme-tabs {
-        margin-top: 0.5em;
-  
-        .nav-tabs > li {
-          padding-right: 2px;
-        }
-          
-        .nav-tabs > li.active > a {
-          border-bottom-color: var(--brandStrokeCompoundRest);
-          border-bottom-width: 2px;
-          -webkit-text-stroke-width: calc(0.5 * 0.04ex);
-                  text-shadow: calc(0.5 * -0.03ex) 0 0 currentColor,
-                                calc(0.5 * 0.03ex) 0 0 currentColor;
-          margin-bottom: -1px;
-          background-color: transparent;
-    
-          &:hover {
-            border-bottom-color: var(--brandStrokeCompoundHover);
-            border-bottom-width: 2px;
-          }
-    
-          &:active {
-            border-bottom-color: var(--brandStrokeCompoundPressed);
-            border-bottom-width: 2px;
-          }
-    
-          &:focus {
-            border-radius: 2px;
-            outline: 3px solid var(--neutralStrokeFocus2Rest);
-            outline-offset: 1px;
-          }
-        }
-    
-        .nav-tabs > li.active > a.body-warning-tab > {
-          background-color: var(--statusWarningBackground1Rest);
-          border-bottom-color: var(--statusWarningStroke1Rest);
-          border-bottom-width: 2px;
-        }
-    
-        .nav-tabs > li > a {
-          border-left: 0px;
-          border-right: 0px;
-          border-top: 0px;
-          border-bottom-width: 2px;
-          font-size: 14px;
-          font-family: @font-family-base;
-          color: var(--neutralForeground1Rest);
-          background-color: transparent;
-          
-          &:hover {
-            border-bottom-color: var(--neutralStroke1Hover);
-            border-bottom-width: 2px;
-            background-color: var(--neutralBackgroundSubtleHover);
-            border-radius: 2px 2px 0px 0px;
-          }
-          
-          &:active {
-            border-bottom-color: var(--neutralStroke1Pressed);
-            border-bottom-width: 2px;
-            background-color: var(--neutralBackgroundSubtlePressed);
-          }
-          
-          &:focus {
-            border-radius: 2px;
-            outline: 3px solid var(--neutralStrokeFocus2Rest);
-            outline-offset: 1px;
-          }
-    
-          .ms-Icon {
-            position: relative;
-            top: 2px;
-          }
-        }
+
+    .nav-tabs > li.active > a {
+      border-bottom-color: var(--brandStrokeCompoundRest);
+      border-bottom-width: 2px;
+      -webkit-text-stroke-width: calc(0.5 * 0.04ex);
+      text-shadow: calc(0.5 * -0.03ex) 0 0 currentColor, calc(0.5 * 0.03ex) 0 0 currentColor;
+      margin-bottom: -1px;
+      background-color: transparent;
+
+      &:hover {
+        border-bottom-color: var(--brandStrokeCompoundHover);
+        border-bottom-width: 2px;
       }
-}
+
+      &:active {
+        border-bottom-color: var(--brandStrokeCompoundPressed);
+        border-bottom-width: 2px;
+      }
+
+      &:focus {
+        border-radius: 2px;
+        outline: 3px solid var(--neutralStrokeFocus2Rest);
+        outline-offset: 1px;
+      }
+    }
+
+    .nav-tabs > li.active > a.body-warning-tab > {
+      background-color: var(--statusWarningBackground1Rest);
+      border-bottom-color: var(--statusWarningStroke1Rest);
+      border-bottom-width: 2px;
+    }
+
+    .nav-tabs > li > a {
+      border-left: 0px;
+      border-right: 0px;
+      border-top: 0px;
+      border-bottom-width: 2px;
+      font-size: 14px;
+      font-family: @font-family-base;
+      color: var(--neutralForeground1Rest);
+      background-color: transparent;
+
+      &:hover {
+        border-bottom-color: var(--neutralStroke1Hover);
+        border-bottom-width: 2px;
+        background-color: var(--neutralBackgroundSubtleHover);
+        border-radius: 2px 2px 0px 0px;
+      }
+
+      &:active {
+        border-bottom-color: var(--neutralStroke1Pressed);
+        border-bottom-width: 2px;
+        background-color: var(--neutralBackgroundSubtlePressed);
+      }
+
+      &:focus {
+        border-radius: 2px;
+        outline: 3px solid var(--neutralStrokeFocus2Rest);
+        outline-offset: 1px;
+      }
+
+      .ms-Icon {
+        position: relative;
+        top: 2px;
+      }
+    }
+  }
+}

src/NuGetGallery/App_Code/ViewHelpers.cshtml

@@ -332,9 +332,9 @@
 @* In Azure, we want the Instance ID. The Machine Name is total garbage *@
 }
 
-@helper CookieComplianceScript()
+@helper CookieComplianceScript(IHtmlString cspNonce)
 {
-    <script src="https://wcpstatic.microsoft.com/mscc/lib/v2/wcp-consent.js"></script>
+    <script src="https://wcpstatic.microsoft.com/mscc/lib/v2/wcp-consent.js" nonce="@cspNonce"></script>
 }
 
 @helper AnalyticsScript(dynamic viewBag)
@@ -481,7 +481,7 @@ var hlp = new AccordionHelper(name, formModelStatePrefix, expanded, page);
     var viewSections = GetSections(viewPage.ViewBag);
     if (viewSections != null)
     {
-        <script type="text/javascript">
+        <script type="text/javascript" nonce="@viewPage.Html.GetCSPNonce()">
             var sections = @viewPage.Html.Raw(Json.Encode(viewSections));
             for (var i in sections) {
                 var configureSection = function (section) {

src/NuGetGallery/App_Start/OwinStartup.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -7,6 +7,7 @@
 using System.Diagnostics;
 using System.Linq;
 using System.Net;
+using System.Security.Cryptography;
 using System.Threading;
 using System.Threading.Tasks;
 using System.Web.Hosting;
@@ -148,6 +149,34 @@ public static void Configuration(IAppBuilder app)
                 auther.Startup(config, app).Wait();
             }
 
+            // enables Content-Security-Policy with nonce and strict dynamic
+            app.Use(async (context, next) =>
+            {
+                var fontAndIconSrc = string.Concat("https://res-1.cdn.office.net/files/fabric-cdn-prod_20221201.001/assets/fonts/", ' ',
+                         "https://res-1.cdn.office.net/files/fabric-cdn-prod_20221201.001/assets/icons/");
+
+                var scriptFileHashes = 
+                string.Concat(
+                  "'sha512-gU7kztaQEl7SHJyraPfZLQCNnrKdaQi5ndOyt4L4UPL/FHDd/uB9Je6KDARIqwnNNE27hnqoWLBq+Kpe4iHfeQ=='", ' ',
+                  "'sha512-DXYctkkhmMYJ4vYp4Dm6jprD4ZareZ7ud/d9mGCKif/Dt3FnN95SjogHvwKvxXHoMAAkZX6EO6ePwpDIR1Y8jw=='", ' ',
+                  "'sha512-mz4SrGyk+dtPY9MNYOMkD81gp8ajViZ4S0VDuM/Zqg40cg9xgIBYSiL5fN79Htbz4f2+uR9lrDO6mgcjM+NAXA=='", ' ',
+                  "'sha512-pnt8OPBTOklRd4/iSW7msOiCVO4uvffF17Egr3c7AaN0h3qFnSu7L6UmdZJUCednMhhruTLRq7X9WbyAWNBegw=='", ' '
+                 );
+
+                using var rng = RandomNumberGenerator.Create();
+                var nonceBytes = new byte[32];
+                rng.GetBytes(nonceBytes);
+                var nonce = Convert.ToBase64String(nonceBytes);
+                var reportUri = ConfigurationManager.AppSettings["CspReportUri"];
+
+                var contentSecurityPolicyReportHeader = new[] { string.Format("default-src 'self' 'nonce-{0}' 'strict-dynamic' https:; script-src 'nonce-{0}'  {3} 'strict-dynamic' https:; font-src 'self' {1} 'nonce-{0}'; base-uri 'none'; form-action 'self' 'nonce-{0}'; style-src 'self' 'nonce-{0}'; report-uri {2}; object-src 'none'; frame-ancestors 'none'; ", nonce, fontAndIconSrc, reportUri,scriptFileHashes) };
+
+                context.Set("cspNonce", nonce);
+                context.Response.Headers.Add("Content-Security-Policy-Report-Only", contentSecurityPolicyReportHeader);
+                context.Response.Headers.Add("X-XSS-Protection", ["1; mode=block"]);               
+                await next();
+            });
+
             var featureFlags = DependencyResolver.Current.GetService<IFeatureFlagCacheService>();
             if (featureFlags != null)
             {
@@ -210,4 +239,4 @@ private static void StartFeatureFlags(IFeatureFlagCacheService featureFlags)
             HostingEnvironment.QueueBackgroundWorkItem(featureFlags.RunAsync);
         }
     }
-}
+}

src/NuGetGallery/Helpers/CSPHelper.cs

@@ -0,0 +1,27 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Web;
+using System.Web.Mvc;
+
+namespace NuGetGallery.Helpers
+{
+    public static class CSPHelper
+    {
+        public static IHtmlString GetCSPNonce(this HtmlHelper helper)
+        {
+            var owinContext = helper.ViewContext.HttpContext.GetOwinContext();
+            var cspNonce = string.Empty;
+            var owinContextCSPNonce = owinContext.Get<string>("cspNonce");
+
+            if (!string.IsNullOrEmpty(owinContextCSPNonce))
+            {
+                cspNonce = owinContextCSPNonce;
+            }
+            return new HtmlString(cspNonce);
+        }
+    }
+}

src/NuGetGallery/NuGetGallery.csproj

@@ -241,6 +241,7 @@
     <Compile Include="Filters\AdminActionAttribute.cs" />
     <Compile Include="Filters\RequiresUserAgentAttribute.cs" />
     <Compile Include="Helpers\AdminHelper.cs" />
+    <Compile Include="Helpers\CSPHelper.cs" />
     <Compile Include="Helpers\InvalidZipEntry.cs" />
     <Compile Include="Helpers\SearchResponseHelper.cs" />
     <Compile Include="Helpers\ViewModelExtensions\DeleteAccountListPackageItemViewModelFactory.cs" />

src/NuGetGallery/Views/Packages/DisplayPackage.cshtml

@@ -1,4 +1,4 @@
-@using NuGet.Services.Validation
+@using NuGet.Services.Validation
 @using NuGet.Services.Licenses
 
 @model DisplayPackageViewModel
@@ -1473,11 +1473,11 @@
         }
     }
 
-    <style type="text/css">
+    <style type="text/css" nonce="@Html.GetCSPNonce()">
         @Html.Raw(packageManagersCss)
     </style>
 
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="@Html.GetCSPNonce()">
         var packageId = @Html.ToJson(Model.Id);
         var packageVersion = @Html.ToJson(Model.Version);
         var packageManagers = @Html.ToJson(
@@ -1494,7 +1494,7 @@
     { 
         @ViewHelpers.IncludeSyntaxHighlightScript();
 
-        <script>
+        <script nonce="@Html.GetCSPNonce()">
         document.addEventListener('DOMContentLoaded', (event) => {
             document.querySelectorAll('pre code').forEach((el) => {
                 hljs.highlightElement(el);
@@ -1503,5 +1503,5 @@
         </script>
     }
 
-    @Scripts.Render("~/Scripts/gallery/page-display-package.min.js")
-}
+    @Scripts.RenderFormat("<script src=\"{0}\" nonce='" + @Html.GetCSPNonce().ToString() + "'></script>", "~/Scripts/gallery/page-display-package.min.js");
+}

src/NuGetGallery/Views/Packages/Manage.cshtml

@@ -63,7 +63,7 @@
 </section>
 
 @section BottomScripts {
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="@Html.GetCSPNonce()">
         // Set up owners section
         var packageId = "@Model.Id";
         var isUserAnAdmin = "@Model.IsCurrentUserAnAdmin";
@@ -149,4 +149,4 @@
     @Scripts.Render("~/Scripts/gallery/page-delete-package.min.js")
     @Scripts.Render("~/Scripts/gallery/page-edit-readme.min.js")
     @Scripts.Render("~/Scripts/gallery/syntaxhighlight.min.js")
-}
+}

src/NuGetGallery/Views/Packages/UploadPackage.cshtml

@@ -56,7 +56,7 @@
                                 <input type="text" class="form-control input-brand" id="file-select-feedback" value="@placeholder" aria-label="Upload Your Package" readonly />
                                 <label for="input-select-file" id="PackageFileLabel" class="input-group-btn">
                                     <span id="browse-for-package-button" class="btn btn-brand" tabindex="0" aria-label="Browse for package" role="button">
-                                        Browse&hellip;<input type="file" name="UploadFile" accept="@acceptExtensions" aria-labelledby="PackageFileLabel" id="input-select-file" style="display:none;" />
+                                        Browse&hellip;<input type="file" name="UploadFile" accept="@acceptExtensions" aria-labelledby="PackageFileLabel" id="input-select-file" />
                                     </span>
                                 </label>
                             </div>
@@ -89,10 +89,10 @@
 @section BottomScripts
 {
     @* Right now this is the only page that uses this script. If we increase our usage of it, we should put it in our bundles *@
-    @Scripts.Render("~/Scripts/gallery/page-edit-readme.min.js")
-    @Scripts.Render("~/Scripts/gallery/async-file-upload.min.js")
-    @Scripts.Render("~/Scripts/gallery/syntaxhighlight.min.js") 
-    <script type="text/javascript">
+    @Scripts.RenderFormat("<script src=\"{0}\" nonce='" + @Html.GetCSPNonce().ToString() + "'></script>", "~/Scripts/gallery/page-edit-readme.min.js");
+    @Scripts.RenderFormat("<script src=\"{0}\" nonce='" + @Html.GetCSPNonce().ToString() + "'></script>", "~/Scripts/gallery/async-file-upload.min.js");
+    @Scripts.RenderFormat("<script src=\"{0}\" nonce='" + @Html.GetCSPNonce().ToString() + "'></script>", "~/Scripts/gallery/syntaxhighlight.min.js");
+    <script type="text/javascript" nonce="@Html.GetCSPNonce()">
         var InProgressPackage = @Html.Raw(Json.Encode(Model.InProgressUpload));
         window.nuget.configureExpanderHeading("upload-package-form");
         $(function () {

src/NuGetGallery/Views/Pages/Downloads.cshtml

@@ -62,7 +62,7 @@
     </div>
 </section>
 
-<script type="text/html" id="tool-list-template">
+<script type="text/html" id="tool-list-template" nonce="@Html.GetCSPNonce()">
     <h2 class="ms-fontSize-xxl" data-bind="text: displayName"></h2>
     <!-- ko if: note -->
     <p data-bind="html: note"></p>
@@ -80,7 +80,7 @@
 </script>
 
 @section BottomScripts {
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="@Html.GetCSPNonce()">
         $(function () {
             $.ajax({
                 url: '//dist.nuget.org/index.json',
@@ -101,5 +101,5 @@
             });
         });
     </script>
-    @Scripts.Render("~/Scripts/gallery/page-downloads.min.js")
+    @Scripts.RenderFormat("<script src=\"{0}\" nonce='" + @Html.GetCSPNonce().ToString() + "'></script>", "~/Scripts/gallery/page-downloads.min.js");
 }

src/NuGetGallery/Views/Pages/Home.cshtml

@@ -124,9 +124,9 @@ else if (AskUserToEnable2FA)
 </section>
 
 @section BottomScripts {
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="@Html.GetCSPNonce()">
         var feedbackUrl = "@Url.Send2FAFeedback()";
         var changeMultiFactorAuthenticationUrl = "@Url.ChangeMultiFactorAuthentication()";
     </script>
-    @Scripts.Render("~/Scripts/gallery/page-home.min.js")
-}
+    @Scripts.RenderFormat("<script src=\"{0}\" nonce='" + @Html.GetCSPNonce().ToString() + "'></script>", "~/Scripts/gallery/page-home.min.js");
+}