diff --git a/administrator/components/com_csp/src/Helper/ReporterHelper.php b/administrator/components/com_csp/src/Helper/ReporterHelper.php
index 9dcde7bd78428..100a9d8a215a8 100644
--- a/administrator/components/com_csp/src/Helper/ReporterHelper.php
+++ b/administrator/components/com_csp/src/Helper/ReporterHelper.php
@@ -23,7 +23,7 @@ class ReporterHelper
 /**
 * Gets the httpheaders system plugin extension id.
 *
- * @return integer The httpheaders system plugin extension id.
+ * @return mixed The httpheaders system plugin extension id or false in case of an error.
 *
 * @since 4.0.0
 */
@@ -44,6 +44,8 @@ public static function getHttpHeadersPluginId()
 catch (\RuntimeException $e)
 {
 Factory::getApplication()->enqueueMessage($e->getMessage(), 'error');
+
+ return false;
 }
 
 return $result;
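Review bot: `@return mixed` in the first hunk is looser than what the method now does; with the `return false;` added in the catch block of getHttpHeadersPluginId() the accurate annotation is `@return integer|boolean The httpheaders system plugin extension id, or false in case of an error.`, which static analysis and callers can act on while `mixed` tells them nothing. The caller in HtmlView::display() assigns the result straight to `$this->httpHeadersId`, so a false now flows into the view where an integer id was expected; whether the layout guards against that is not visible in this diff and is worth checking. getHttpHeadersPluginId()'s body starts before the second hunk.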
@@ -72,6 +74,70 @@ public static function getCspTrashStatus()
 catch (\RuntimeException $e)
 {
 Factory::getApplication()->enqueueMessage($e->getMessage(), 'error');
+
+ return false;
+ }
+
+ return boolval($result);
+ }
+
+ /**
+ * Check whether there are unsafe-inline rules published
+ *
+ * @return boolean Whether there are unsafe-inline rules published
+ *
+ * @since 4.0.0
+ */
+ public static function getCspUnsafeInlineStatus()
+ {
+ $db = Factory::getDbo();
+ $query = $db->getQuery(true)
+ ->select('COUNT(*)')
+ ->from($db->quoteName('#__csp'))
+ ->where($db->quoteName('blocked_uri') . ' = ' . $db->quote("'unsafe-inline'"))
+ ->where($db->quoteName('published') . ' = 1');
+ $db->setQuery($query);
+
+ try
+ {
+ $result = (int) $db->loadResult();
+ }
+ catch (\RuntimeException $e)
+ {
+ Factory::getApplication()->enqueueMessage($e->getMessage(), 'error');
+
+ return false;
+ }
+
+ return boolval($result);
+ }
+
+ /**
+ * Check whether there are unsafe-eval rules published
+ *
+ * @return boolean Whether there are unsafe-eval rules published
+ *
+ * @since 4.0.0
+ */
+ public static function getCspUnsafeEvalStatus()
+ {
+ $db = Factory::getDbo();
+ $query = $db->getQuery(true)
+ ->select('COUNT(*)')
+ ->from($db->quoteName('#__csp'))
+ ->where($db->quoteName('blocked_uri') . ' = ' . $db->quote("'unsafe-eval'"))
+ ->where($db->quoteName('published') . ' = 1');
+ $db->setQuery($query);
+
+ try
+ {
+ $result = (int) $db->loadResult();
+ }
+ catch (\RuntimeException $e)
+ {
+ Factory::getApplication()->enqueueMessage($e->getMessage(), 'error');
+
+ return false;
 }
 
 return boolval($result);
diff --git a/administrator/components/com_csp/src/View/Reports/HtmlView.php b/administrator/components/com_csp/src/View/Reports/HtmlView.php
index 02a651c253e69..266771a31c484 100644
--- a/administrator/components/com_csp/src/View/Reports/HtmlView.php
+++ b/administrator/components/com_csp/src/View/Reports/HtmlView.php
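Review bot: getCspUnsafeInlineStatus() and getCspUnsafeEvalStatus() are identical except for the blocked_uri literal, and both are documented as `@return boolean` although their catch blocks return false for a failed query as well, so a database error is indistinguishable from "no unsafe rule published" and the admin warning is silently suppressed (only the enqueued error message remains). Factoring the query into one private helper that takes the blocked_uri value keeps the two public methods as one-liners and gives a single place to document the false-on-error contract; the same ambiguity applies to getCspTrashStatus(), whose body starts before this hunk. Suggested helper docblock: `@return boolean True when at least one published rule matches; also false when the query fails (an error message is enqueued).`
```php
	/**
	 * Check whether a published rule exists for the given blocked_uri.
	 *
	 * @param   string  $blockedUri  The blocked_uri value to look for, e.g. "'unsafe-inline'".
	 *
	 * @return  boolean  True when at least one published rule matches; also false when the query fails (an error message is enqueued).
	 *
	 * @since   4.0.0
	 */
	private static function hasPublishedBlockedUri(string $blockedUri)
	{
		$db    = Factory::getDbo();
		$query = $db->getQuery(true)
			->select('COUNT(*)')
			->from($db->quoteName('#__csp'))
			->where($db->quoteName('blocked_uri') . ' = ' . $db->quote($blockedUri))
			->where($db->quoteName('published') . ' = 1');
		$db->setQuery($query);

		try
		{
			$result = (int) $db->loadResult();
		}
		catch (\RuntimeException $e)
		{
			Factory::getApplication()->enqueueMessage($e->getMessage(), 'error');

			return false;
		}

		return $result > 0;
	}

	// … unchanged: docblocks of the two public methods …
	public static function getCspUnsafeInlineStatus()
	{
		return self::hasPublishedBlockedUri("'unsafe-inline'");
	}

	public static function getCspUnsafeEvalStatus()
	{
		return self::hasPublishedBlockedUri("'unsafe-eval'");
	}
```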
@@ -103,13 +103,27 @@ public function display($tpl = null)
 $this->httpHeadersId = ReporterHelper::getHttpHeadersPluginId();
 }
 
- if (ComponentHelper::getParams('com_csp')->get('contentsecuritypolicy_mode', 'custom') === 'detect'
+ if (ComponentHelper::getParams('com_csp')->get('contentsecuritypolicy_mode', 'detect') === 'detect'
 && ComponentHelper::getParams('com_csp')->get('contentsecuritypolicy', 0)
 && ReporterHelper::getCspTrashStatus())
 {
 $this->trashWarningMessage = Text::_('COM_CSP_COLLECTING_TRASH_WARNING');
 }
 
+ if (ComponentHelper::getParams('com_csp')->get('contentsecuritypolicy_mode', 'detect') === 'auto'
+ && ComponentHelper::getParams('com_csp')->get('contentsecuritypolicy', 0)
+ && ReporterHelper::getCspUnsafeInlineStatus())
+ {
+ $this->unsafeInlineWarningMessage = Text::_('COM_CSP_AUTO_UNSAFE_INLINE_WARNING');
+ }
+
+ if (ComponentHelper::getParams('com_csp')->get('contentsecuritypolicy_mode', 'detect') === 'auto'
+ && ComponentHelper::getParams('com_csp')->get('contentsecuritypolicy', 0)
+ && ReporterHelper::getCspUnsafeEvalStatus())
+ {
+ $this->unsafeEvalWarningMessage = Text::_('COM_CSP_AUTO_UNSAFE_EVAL_WARNING');
+ }
+
 $this->addToolbar();
 
 return parent::display($tpl);
diff --git a/administrator/components/com_csp/tmpl/reports/default.php b/administrator/components/com_csp/tmpl/reports/default.php
index 2913ea55b89bd..5eb781ae01f3d 100644
--- a/administrator/components/com_csp/tmpl/reports/default.php
+++ b/administrator/components/com_csp/tmpl/reports/default.php
@@ -57,6 +57,12 @@ trashWarningMessage)) : ?> enqueueMessage($this->trashWarningMessage, 'warning'); ?> + unsafeInlineWarningMessage)) : ?> + enqueueMessage($this->unsafeInlineWarningMessage, 'warning'); ?> + + unsafeEvalWarningMessage)) : ?> + enqueueMessage($this->unsafeEvalWarningMessage, 'warning'); ?> + + items)) : ?>
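Review bot: display() now calls ComponentHelper::getParams('com_csp') five times and re-reads the mode and the enabled flag for every warning, and the two new 'auto' blocks repeat the same two-condition prefix; reading the params once into locals and nesting the two unsafe checks under a single `$cspMode === 'auto' && $cspEnabled` guard keeps the 'detect' default in one place so the three conditions cannot drift apart. The mode literals 'detect' and 'auto' are now compared in three places; a class constant for them would be preferable, but I cannot see one in this diff. display() starts before this hunk, and the matching template hunk in default.php is too garbled here to review line by line.
```php
		// … unchanged: httpHeadersId lookup …
		$params     = ComponentHelper::getParams('com_csp');
		$cspMode    = $params->get('contentsecuritypolicy_mode', 'detect');
		$cspEnabled = $params->get('contentsecuritypolicy', 0);

		if ($cspMode === 'detect' && $cspEnabled && ReporterHelper::getCspTrashStatus())
		{
			$this->trashWarningMessage = Text::_('COM_CSP_COLLECTING_TRASH_WARNING');
		}

		if ($cspMode === 'auto' && $cspEnabled)
		{
			if (ReporterHelper::getCspUnsafeInlineStatus())
			{
				$this->unsafeInlineWarningMessage = Text::_('COM_CSP_AUTO_UNSAFE_INLINE_WARNING');
			}

			if (ReporterHelper::getCspUnsafeEvalStatus())
			{
				$this->unsafeEvalWarningMessage = Text::_('COM_CSP_AUTO_UNSAFE_EVAL_WARNING');
			}
		}

		$this->addToolbar();
```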
diff --git a/administrator/language/en-GB/com_csp.ini b/administrator/language/en-GB/com_csp.ini
index 173293c6b6010..3049b255300c8 100644
--- a/administrator/language/en-GB/com_csp.ini
+++ b/administrator/language/en-GB/com_csp.ini
@@ -4,6 +4,8 @@
 ; Note : All ini files need to be saved as UTF-8
 COM_CSP="Content Security Policy"
+COM_CSP_AUTO_UNSAFE_EVAL_WARNING="You have configured a rule that still allows 'unsafe-eval' that bypasses the Content Security Policy and allows the execution of code injected into DOM APIs such as eval()."
+COM_CSP_AUTO_UNSAFE_INLINE_WARNING="You have configured a rule that still allows 'unsafe-inline' that bypasses the Content Security Policy and allows the execution of unsafe in-page scripts and event handlers."
 COM_CSP_COLLECTING_TRASH_WARNING="The Content Security Policy is in detect mode. Items that have been trashed will not be detected again until they are removed from the trash."
 COM_CSP_CONFIGURATION="Content Security Policy: Options"
 ; Please do not translate the following language string