Content Security Policy (CSP) Implementation a new approach (#4776)

* wip

* remove config_csp

* docs: add workaround for prototypeJS bug with disabled inputs in array row handling

* allowing for specific directive handling admin / frontend

* fix: serialized backend xml load default

* Add Content Security Policy (CSP) support directives global, adminhtml and frontend

* feat: add report-uri support

* system config admin only global

* fix: phpcs

* make $_arrayRowsCache protected: used by public getArrayRows()

* feat: add area config info to inputs

* chroe: phpstan ignore

* chore: phpstan ignore

* chore: rector

* chore

* chore

* use Reporting-Endpoints for report URI

* trim report uri

* report uri not dependent fro report_only mode

* add support for <meta> directives

* Apply @sreichel suggestions: improve method docs and type hints

Co-authored-by: Sven Reichel <[email protected]>

* fix suggestion

* fix suggestion

* docs and type hints

* feat: add support to split headers for each directive

* fix: disable split headers in frontend CSP configuration by default

* php-cs-fixer

* Unify Csp Hosts

* ~ check CS Fixer

* ~ fix abtract

* refactor: extract node path parsing logic into a separate method

* fix: remove unnecessary whitespace in _parseNodePath method

* refactor: use short array syntax for node path extraction

* ~ use config path instead of NodePath

* refactor: update CSP classes and methods for improved structure and clarity

* refactor: remove unused renderer logic in _renderCellTemplate method

* feat: add support for merging CSP <meta /> directives into HTTP headers

* docs: fix correct return type annotation in getDirectives method

* Update app/code/core/Mage/Csp/Model/Observer/Abstract.php

Co-authored-by: Sven Reichel <[email protected]>

---------

Co-authored-by: Sven Reichel <[email protected]>
Co-authored-by: Hans Mackowiak <[email protected]>

Author: 3 people

.phpstan.dist.baseline.neon

@@ -5496,6 +5496,30 @@ parameters:
 			count: 1
 			path: app/design/adminhtml/default/default/template/system/config/form/field/array.phtml
 
+		-
+			message: '#^Access to protected property Mage_Adminhtml_Block_System_Config_Form_Field_Csp_Hosts\:\:\$_addAfter\.$#'
+			identifier: property.protected
+			count: 4
+			path: app/design/adminhtml/default/default/template/system/config/form/field/csp.phtml
+
+		-
+			message: '#^Access to protected property Mage_Adminhtml_Block_System_Config_Form_Field_Csp_Hosts\:\:\$_addButtonLabel\.$#'
+			identifier: property.protected
+			count: 2
+			path: app/design/adminhtml/default/default/template/system/config/form/field/csp.phtml
+
+		-
+			message: '#^Access to protected property Mage_Adminhtml_Block_System_Config_Form_Field_Csp_Hosts\:\:\$_columns\.$#'
+			identifier: property.protected
+			count: 5
+			path: app/design/adminhtml/default/default/template/system/config/form/field/csp.phtml
+
+		-
+			message: '#^Call to protected method _renderCellTemplate\(\) of class Mage_Adminhtml_Block_System_Config_Form_Field_Csp_Hosts\.$#'
+			identifier: method.protected
+			count: 2
+			path: app/design/adminhtml/default/default/template/system/config/form/field/csp.phtml
+
 		-
 			message: '#^Unreachable statement \- code above always terminates\.$#'
 			identifier: deadCode.unreachable

app/code/core/Mage/Adminhtml/Block/System/Config/Form/Field/Array/Abstract.php

@@ -17,7 +17,7 @@ abstract class Mage_Adminhtml_Block_System_Config_Form_Field_Array_Abstract exte
     /**
      * Grid columns
      *
-     * @var array
+     * @var array<string, array{label: string, size: string|false, style: ?string, class: ?string, renderer: Mage_Core_Block_Abstract|false}>
      */
     protected $_columns = [];
 
@@ -38,9 +38,9 @@ abstract class Mage_Adminhtml_Block_System_Config_Form_Field_Array_Abstract exte
     /**
      * Rows cache
      *
-     * @var array|null
+     * @var array<string, Varien_Object>|null
      */
-    private $_arrayRowsCache;
+    protected $_arrayRowsCache;
 
     /**
      * Indication whether block is prepared to render or no

app/code/core/Mage/Adminhtml/Block/System/Config/Form/Field/Csp/Hosts.php

@@ -0,0 +1,152 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright  For copyright and license information, read the COPYING.txt file.
+ * @link       /COPYING.txt
+ * @license    Open Software License (OSL 3.0)
+ * @package    Mage_Csp
+ */
+
+/**
+ * Base class for CSP hosts field renderer
+ */
+class Mage_Adminhtml_Block_System_Config_Form_Field_Csp_Hosts extends Mage_Adminhtml_Block_System_Config_Form_Field_Array_Abstract
+{
+    protected Mage_Csp_Helper_Data $helper;
+
+    /**
+     * Constructor
+     */
+    public function __construct()
+    {
+        /** @var Mage_Csp_Helper_Data $helper */
+        $helper = Mage::helper('csp');
+        $this->helper = $helper;
+        $this->addColumn('host', [
+            'label' => Mage::helper('csp')->__('Host'),
+        ]);
+
+        $this->_addAfter = false;
+        $this->_addButtonLabel = Mage::helper('csp')->__('Add Host');
+        $this->setTemplate('system/config/form/field/csp.phtml');
+
+        parent::__construct();
+    }
+
+    /**
+     * Obtain existing data from form element
+     *
+     * Each row will be instance of Varien_Object
+     * @return array<string, Varien_Object> Array of rows
+     * @throws Exception
+     */
+    public function getArrayRows(): array
+    {
+        if ($this->_arrayRowsCache !== null) {
+            return $this->_arrayRowsCache;
+        }
+
+        $result = [];
+
+        [$area, $directiveName] = $this->_parseNodePath();
+
+        $globalPolicy = $this->helper->getGlobalPolicy($directiveName);
+        if ($globalPolicy) {
+            foreach ($globalPolicy as $key => $host) {
+                $rowId = $directiveName . '_xml_' . $area . '_' . $key;
+                $result[$rowId] = new Varien_Object([
+                    'host' => $host,
+                    'readonly' => 'readonly="readonly"',
+                    '_id' => $rowId,
+                    'area' => 'global',
+                ]);
+                $this->_prepareArrayRow($result[$rowId]);
+            }
+        }
+
+        $areaPolicy = $this->helper->getAreaPolicy($area, $directiveName);
+        if ($areaPolicy) {
+            foreach ($areaPolicy as $key => $host) {
+                $rowId = $directiveName . '_xml_' . $area . '_' . $key;
+                $result[$rowId] = new Varien_Object([
+                    'host' => $host,
+                    'readonly' => 'readonly="readonly"',
+                    '_id' => $rowId,
+                    'area' => $area,
+                ]);
+                $this->_prepareArrayRow($result[$rowId]);
+            }
+        }
+
+        $configPolicy = $this->helper->getStoreConfigPolicy($area, $directiveName);
+        if ($configPolicy) {
+            foreach ($configPolicy as $key => $value) {
+                $rowId = $directiveName . '_' . $area . '_' . $key;
+                $result[$rowId] = new Varien_Object([
+                    'host' => $this->escapeHtml($value),
+                    '_id' => $rowId,
+                ]);
+
+                $this->_prepareArrayRow($result[$rowId]);
+            }
+        }
+
+        $this->_arrayRowsCache = $result;
+        return $this->_arrayRowsCache;
+    }
+
+    /**
+     * Extract and validate area and directive name from the node path
+     *
+     * @return array{Mage_Core_Model_App_Area::AREA_FRONTEND|Mage_Core_Model_App_Area::AREA_ADMINHTML, value-of<Mage_Csp_Helper_Data::CSP_DIRECTIVES>} Array containing area and directiveName
+     * @throws Exception If path format is invalid or contains disallowed values
+     */
+    private function _parseNodePath(): array
+    {
+        /** @var Varien_Data_Form_Element_Abstract $element */
+        $element = $this->getElement();
+        $configPath = $element->getData('config_path');
+
+        $allowedDirectives = implode('|', Mage_Csp_Helper_Data::CSP_DIRECTIVES);
+        $allowedAreas = Mage_Core_Model_App_Area::AREA_FRONTEND . '|' . Mage_Core_Model_App_Area::AREA_ADMINHTML;
+
+        $pattern = "#csp/({$allowedAreas})/({$allowedDirectives})#";
+
+        if (!$configPath || !preg_match($pattern, $configPath, $matches)) {
+            throw new Exception('Invalid node path format or disallowed area/directive');
+        }
+
+        $area = $matches[1];
+        $directiveName = $matches[2];
+
+        return [$area, $directiveName];
+    }
+
+    /**
+     * Render array cell for prototypeJS template
+     *
+     * @param string $columnName
+     * @return string
+     * @throws Exception
+     */
+    protected function _renderCellTemplate($columnName)
+    {
+        if (empty($this->_columns[$columnName])) {
+            throw new Exception('Wrong column name specified.');
+        }
+
+        $column      = $this->_columns[$columnName];
+        /** @var Varien_Data_Form_Element_Text $element */
+        $element     = $this->getElement();
+        $elementName = $element->getName();
+        $inputName   = $elementName . '[#{_id}][' . $columnName . ']';
+
+        return '<input type="text" name="' . $inputName . '" value="#{' . $columnName . '}" ' .
+            '#{readonly}' .
+            ($column['size'] ? 'size="' . $column['size'] . '"' : '') . ' class="' .
+            ($column['class'] ?? 'input-text') . '"' .
+            (isset($column['style']) ? ' style="' . $column['style'] . '"' : '') . '/>';
+    }
+}

app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Serialized.php

@@ -20,7 +20,7 @@ protected function _afterLoad()
         if (!is_array($this->getValue())) {
             $serializedValue = $this->getValue();
             $unserializedValue = false;
-            if (!empty($serializedValue)) {
+            if (!empty($serializedValue) && is_string($serializedValue)) {
                 try {
                     $unserializedValue = Mage::helper('core/unserializeArray')
                         ->unserialize((string) $serializedValue);

app/code/core/Mage/Csp/Block/Adminhtml/Meta.php

@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright  For copyright and license information, read the COPYING.txt file.
+ * @link       /COPYING.txt
+ * @license    Open Software License (OSL 3.0)
+ * @package    Mage_Csp
+ */
+
+/**
+ * CSP Meta Block
+ *
+ * @package Mage_Csp
+ */
+class Mage_Csp_Block_Adminhtml_Meta extends Mage_Csp_Block_Meta
+{
+    protected string $area = Mage_Core_Model_App_Area::AREA_ADMINHTML;
+}

app/code/core/Mage/Csp/Block/Meta.php

@@ -0,0 +1,105 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright  For copyright and license information, read the COPYING.txt file.
+ * @link       /COPYING.txt
+ * @license    Open Software License (OSL 3.0)
+ * @package    Mage_Csp
+ */
+
+/**
+ * CSP Meta Block
+ *
+ * @package Mage_Csp
+ */
+class Mage_Csp_Block_Meta extends Mage_Core_Block_Template
+{
+    /**
+     * CSP directives
+     * @var array<value-of<Mage_Csp_Helper_Data::CSP_DIRECTIVES>, array<string>>
+     */
+    protected array $directives = [];
+
+    /**
+     * CSP meta tag area
+     * @var Mage_Core_Model_App_Area::AREA_FRONTEND|Mage_Core_Model_App_Area::AREA_ADMINHTML
+     */
+    protected string $area = Mage_Core_Model_App_Area::AREA_FRONTEND;
+
+    /**
+     * Add CSP directive
+     *
+     * @param value-of<Mage_Csp_Helper_Data::CSP_DIRECTIVES> $directive
+     */
+    public function addDirective(string $directive, string $value): static
+    {
+        if (!in_array($directive, Mage_Csp_Helper_Data::CSP_DIRECTIVES)) {
+            return $this;
+        }
+
+        if (!isset($this->directives[$directive])) {
+            $this->directives[$directive] = [];
+        }
+
+        $this->directives[$directive][] = $value;
+
+        return $this;
+    }
+
+    /**
+     * Get CSP directives
+     * @return array<value-of<Mage_Csp_Helper_Data::CSP_DIRECTIVES>, array<string>>
+     */
+    public function getDirectives(): array
+    {
+        return $this->directives;
+    }
+
+    /**
+     * Get CSP policy content
+     */
+    public function getContents(): string
+    {
+        $content = [];
+        foreach ($this->directives as $directive => $values) {
+            if (!empty($values)) {
+                $content[] = $directive . ' ' . implode(' ', $values);
+            }
+        }
+        $content = implode('; ', $content);
+        return trim($content);
+    }
+
+    /**
+     * Render CSP meta tag if enabled
+     */
+    protected function _toHtml(): string
+    {
+        if (empty($this->directives)) {
+            return '';
+        }
+
+        /** @var Mage_Csp_Helper_Data $helper */
+        $helper = Mage::helper('csp');
+        if (!$helper->isEnabled($this->area) || $helper->shouldMergeMeta($this->area)) {
+            return '';
+        }
+
+        $headerValue = $this->getContents();
+        if (!empty($helper->getReportUri($this->area))) {
+            $reportUriEndpoint = trim($helper->getReportUri($this->area));
+            $headerValue .= '; report-uri ' . $reportUriEndpoint;
+        }
+        $headerName = $helper->getReportOnly($this->area)
+            ? Mage_Csp_Helper_Data::HEADER_CONTENT_SECURITY_POLICY_REPORT_ONLY
+            : Mage_Csp_Helper_Data::HEADER_CONTENT_SECURITY_POLICY;
+
+        return sprintf(
+            '<meta http-equiv="%s" content="%s" />' . PHP_EOL,
+            $headerName,
+            $headerValue,
+        );
+    }
+}