Merge pull request #1846

nuxsmin · web-flow · commit 1be83de9b20d · 2022-06-25T09:43:52.000+02:00
* chore: Set X-Frame options and CSP. Thanks to @lengochoa7112000 !! * chore: Update dependencies. * chore: Bump version number.
diff --git a/composer.lock b/composer.lock
diff --git a/lib/SP/Bootstrap.php b/lib/SP/Bootstrap.php
@@ -1,10 +1,10 @@
 <?php
-/**
+/*
  * sysPass
  *
- * @author    nuxsmin
- * @link      https://syspass.org
- * @copyright 2012-2019, Rubén Domínguez nuxsmin@$syspass.org
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
  *
  * This file is part of sysPass.
  *
@@ -19,7 +19,7 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- *  along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
  */
 
 namespace SP;
@@ -91,10 +91,6 @@ final class Bootstrap
      * @var Klein
      */
     private $router;
-    /**
-     * @var Language
-     */
-    private $language;
     /**
      * @var Request
      */
@@ -127,7 +123,6 @@ private final function __construct(Container $container)
         $this->configData = $this->config->getConfigData();
         $this->router = $container->get(Klein::class);
         $this->request = $container->get(Request::class);
-        $this->language = $container->get(Language::class);
 
         $this->initRouter();
     }
@@ -161,22 +156,31 @@ function ($request, $response, $service) use ($oops) {
                     list($controller, $action) = explode('/', $apiRequest->getMethod());
 
                     $controllerClass = 'SP\\Modules\\' . ucfirst(APP_MODULE) . '\\Controllers\\' . ucfirst($controller) . 'Controller';
-                    $method = $action . 'Action';
+                    $method = $action.'Action';
 
                     if (!method_exists($controllerClass, $method)) {
-                        logger($controllerClass . '::' . $method);
+                        logger($controllerClass.'::'.$method);
 
                         /** @var Response $response */
                         $response->headers()->set('Content-type', 'application/json; charset=utf-8');
-                        return $response->body(JsonRpcResponse::getResponseError($oops, JsonRpcResponse::METHOD_NOT_FOUND, $apiRequest->getId()));
+
+                        return $response->body(
+                            JsonRpcResponse::getResponseError(
+                                $oops,
+                                JsonRpcResponse::METHOD_NOT_FOUND,
+                                $apiRequest->getId()
+                            )
+                        );
                     }
 
+                    $this->setCors($response);
+
                     $this->initializeCommon();
 
                     self::$container->get(InitApi::class)
                         ->initialize($controller);
 
-                    logger('Routing call: ' . $controllerClass . '::' . $method);
+                    logger('Routing call: '.$controllerClass.'::'.$method);
 
                     return call_user_func([new $controllerClass(self::$container, $method, $apiRequest), $method]);
                 } catch (\Exception $e) {
@@ -216,14 +220,17 @@ function ($request, $response, $service) use ($oops) {
                     $this->initializePluginClasses();
 
                     if (!method_exists($controllerClass, $methodName)) {
-                        logger($controllerClass . '::' . $methodName);
+                        logger($controllerClass.'::'.$methodName);
 
                         /** @var Response $response */
                         $response->code(404);
 
                         throw new RuntimeException($oops);
                     }
 
+                    $this->setCors($response);
+                    $this->setXFrame($response);
+
                     $this->initializeCommon();
 
                     switch (APP_MODULE) {
@@ -291,7 +298,7 @@ protected function initializeCommon()
         if (!self::$checkPhpVersion) {
             throw new InitializationException(
                 sprintf(__('Required PHP version >= %s <= %s'), '7.3', '7.4'),
-                InitializationException::ERROR,
+                Core\Exceptions\SPException::ERROR,
                 __u('Please update the PHP version to run sysPass')
             );
         }
@@ -473,4 +480,23 @@ public static function run(Container $container, $module = APP_MODULE)
                 throw new InitializationException('Unknown module');
         }
     }
+
+    protected function setCors(Response $response): void
+    {
+        $response->header(
+            'Access-Control-Allow-Origin',
+            $this->configData->getApplicationUrl() ?? $this->request->getHttpHost()
+        );
+        $response->header(
+            'Access-Control-Allow-Headers',
+            'X-Requested-With, Content-Type, Accept, Origin, Authorization'
+        );
+        $response->header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+    }
+
+    protected function setXFrame(Response $response): void
+    {
+        $response->header('X-FRAME-OPTIONS', 'DENY');
+        $response->header('Content-Security-Policy', 'frame-ancestors \'none\'');
+    }
 }
diff --git a/lib/SP/Services/Install/Installer.php b/lib/SP/Services/Install/Installer.php
@@ -60,9 +60,9 @@ final class Installer extends Service
     /**
      * sysPass' version and build number
      */
-    const VERSION      = [3, 2, 8];
+    const VERSION      = [3, 2, 9];
     const VERSION_TEXT = '3.2';
-    const BUILD        = 22061802;
+    const BUILD        = 22062501;
 
     /**
      * @var DatabaseSetupInterface
