btcpayserver/BTCPayServer.Abstractions/Security/ContentSecurityPolicies.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using NBitcoin.Crypto;

namespace BTCPayServer.Security
{
    public class ConsentSecurityPolicy
    {
        public ConsentSecurityPolicy(string name, string value)
        {
            if (value.Contains(';', StringComparison.OrdinalIgnoreCase))
                throw new FormatException();
            _Value = value;
            _Name = name;
        }


        private readonly string _Name;
        public string Name
        {
            get
            {
                return _Name;
            }
        }

        private readonly string _Value;
        public string Value
        {
            get
            {
                return _Value;
            }
        }


        public override bool Equals(object obj)
        {
            ConsentSecurityPolicy item = obj as ConsentSecurityPolicy;
            if (item == null)
                return false;
            return GetHashCode().Equals(item.GetHashCode());
        }
        public static bool operator ==(ConsentSecurityPolicy a, ConsentSecurityPolicy b)
        {
            if (System.Object.ReferenceEquals(a, b))
                return true;
            if (((object)a == null) || ((object)b == null))
                return false;
            return a.GetHashCode() == b.GetHashCode();
        }

        public static bool operator !=(ConsentSecurityPolicy a, ConsentSecurityPolicy b)
        {
            return !(a == b);
        }

        public override int GetHashCode()
        {
            return HashCode.Combine(Name, Value);
        }
    }
    public class ContentSecurityPolicies
    {
        public ContentSecurityPolicies()
        {

        }

        readonly HashSet<ConsentSecurityPolicy> _Policies = new HashSet<ConsentSecurityPolicy>();

        /// <summary>
        /// Allow a specific script as event handler
        /// </summary>
        /// <param name="script"></param>
        public void AllowUnsafeHashes(string script = null)
        {
            if (!allowUnsafeHashes)
            {
                Add("script-src", $"'unsafe-hashes'");
                allowUnsafeHashes = true;
            }
            if (script != null)
            {
                var sha = GetSha256(script);
                Add("script-src", $"'sha256-{sha}'");
            }
        }

        bool allowUnsafeHashes = false;
        /// <summary>
        /// Allow the injection of script tag with the following script
        /// </summary>
        /// <param name="script"></param>
        public void AllowInline(string script)
        {
            ArgumentNullException.ThrowIfNull(script);
            var sha = GetSha256(script);
            Add("script-src", $"'sha256-{sha}'");
        }
        static string GetSha256(string script)
        {
            return Convert.ToBase64String(Hashes.SHA256(Encoding.UTF8.GetBytes(script.Replace("\r\n", "\n", StringComparison.Ordinal))));
        }

        public void Add(string name, string value)
        {
            Add(new ConsentSecurityPolicy(name, value));
        }
        public void Add(ConsentSecurityPolicy policy)
        {
            _Policies.Add(policy);
        }

        public IEnumerable<ConsentSecurityPolicy> Rules => _Policies;
        public bool HasRules => _Policies.Count != 0;

        public override string ToString()
        {
            StringBuilder value = new StringBuilder();
            bool firstGroup = true;
            foreach (var group in Rules.GroupBy(r => r.Name))
            {
                if (!firstGroup)
                {
                    value.Append(';');
                }
                HashSet<string> values = new HashSet<string>();
                List<string> valuesList = new List<string>();
                values.Add(group.Key);
                valuesList.Add(group.Key);
                foreach (var v in group)
                {
                    if (values.Add(v.Value))
                        valuesList.Add(v.Value);
                }
                value.Append(String.Join(" ", valuesList.OfType<object>().ToArray()));
                firstGroup = false;
            }
            return value.ToString();
        }
    }
}
Cleaning up bom from cs files 2020-06-28 21:44:35 -05:00			`using System;`
Add CSP (Disable it if custom theming) 2018-07-12 17:38:21 +09:00			`using System.Collections.Generic;`
			`using System.Linq;`
			`using System.Text;`
Fix pay button CSP issue when using modal (#2872) * Fix pay button CSP issue when using modal Fixes #2864. * Use event handler, refactor csp tags * Fix script indentation * Fix onsubmit event handler integration Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com> 2021-09-12 13:31:35 +02:00			`using NBitcoin.Crypto;`
Add CSP (Disable it if custom theming) 2018-07-12 17:38:21 +09:00
			`namespace BTCPayServer.Security`
			`{`
			`public class ConsentSecurityPolicy`
			`{`
			`public ConsentSecurityPolicy(string name, string value)`
			`{`
Add CSP at the website level (#2863) 2021-09-09 21:51:28 +09:00			`if (value.Contains(';', StringComparison.OrdinalIgnoreCase))`
			`throw new FormatException();`
Add CSP (Disable it if custom theming) 2018-07-12 17:38:21 +09:00			`_Value = value;`
			`_Name = name;`
			`}`


			`private readonly string _Name;`
			`public string Name`
			`{`
			`get`
			`{`
			`return _Name;`
			`}`
			`}`

			`private readonly string _Value;`
			`public string Value`
			`{`
			`get`
			`{`
			`return _Value;`
			`}`
			`}`


			`public override bool Equals(object obj)`
			`{`
			`ConsentSecurityPolicy item = obj as ConsentSecurityPolicy;`
			`if (item == null)`
			`return false;`
			`return GetHashCode().Equals(item.GetHashCode());`
			`}`
			`public static bool operator ==(ConsentSecurityPolicy a, ConsentSecurityPolicy b)`
			`{`
			`if (System.Object.ReferenceEquals(a, b))`
			`return true;`
			`if (((object)a == null) \|\| ((object)b == null))`
			`return false;`
			`return a.GetHashCode() == b.GetHashCode();`
			`}`

			`public static bool operator !=(ConsentSecurityPolicy a, ConsentSecurityPolicy b)`
			`{`
			`return !(a == b);`
			`}`

			`public override int GetHashCode()`
			`{`
			`return HashCode.Combine(Name, Value);`
			`}`
			`}`
			`public class ContentSecurityPolicies`
			`{`
			`public ContentSecurityPolicies()`
			`{`

			`}`
Removing unused usings, readonly fields where possible 2020-06-28 22:07:48 -05:00
			`readonly HashSet<ConsentSecurityPolicy> _Policies = new HashSet<ConsentSecurityPolicy>();`
Fix pay button CSP issue when using modal (#2872) * Fix pay button CSP issue when using modal Fixes #2864. * Use event handler, refactor csp tags * Fix script indentation * Fix onsubmit event handler integration Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com> 2021-09-12 13:31:35 +02:00
			`/// <summary>`
			`/// Allow a specific script as event handler`
			`/// </summary>`
			`/// <param name="script"></param>`
Fix: Impossible to see relative time of transaction in wallet list 2021-09-29 13:09:04 +09:00			`public void AllowUnsafeHashes(string script = null)`
Fix pay button CSP issue when using modal (#2872) * Fix pay button CSP issue when using modal Fixes #2864. * Use event handler, refactor csp tags * Fix script indentation * Fix onsubmit event handler integration Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com> 2021-09-12 13:31:35 +02:00			`{`
Fix: Impossible to see relative time of transaction in wallet list 2021-09-29 13:09:04 +09:00			`if (!allowUnsafeHashes)`
			`{`
			`Add("script-src", $"'unsafe-hashes'");`
			`allowUnsafeHashes = true;`
			`}`
			`if (script != null)`
			`{`
			`var sha = GetSha256(script);`
			`Add("script-src", $"'sha256-{sha}'");`
			`}`
Fix pay button CSP issue when using modal (#2872) * Fix pay button CSP issue when using modal Fixes #2864. * Use event handler, refactor csp tags * Fix script indentation * Fix onsubmit event handler integration Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com> 2021-09-12 13:31:35 +02:00			`}`
Fix: Impossible to see relative time of transaction in wallet list 2021-09-29 13:09:04 +09:00
			`bool allowUnsafeHashes = false;`
Fix pay button CSP issue when using modal (#2872) * Fix pay button CSP issue when using modal Fixes #2864. * Use event handler, refactor csp tags * Fix script indentation * Fix onsubmit event handler integration Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com> 2021-09-12 13:31:35 +02:00			`/// <summary>`
			`/// Allow the injection of script tag with the following script`
			`/// </summary>`
			`/// <param name="script"></param>`
			`public void AllowInline(string script)`
			`{`
Use ArgumentNullException.ThrowIfNull everywhere (#3239) 2021-12-28 17:39:54 +09:00			`ArgumentNullException.ThrowIfNull(script);`
Fix pay button CSP issue when using modal (#2872) * Fix pay button CSP issue when using modal Fixes #2864. * Use event handler, refactor csp tags * Fix script indentation * Fix onsubmit event handler integration Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com> 2021-09-12 13:31:35 +02:00			`var sha = GetSha256(script);`
			`Add("script-src", $"'sha256-{sha}'");`
			`}`
			`static string GetSha256(string script)`
			`{`
			`return Convert.ToBase64String(Hashes.SHA256(Encoding.UTF8.GetBytes(script.Replace("\r\n", "\n", StringComparison.Ordinal))));`
			`}`

Add CSP at the website level (#2863) 2021-09-09 21:51:28 +09:00			`public void Add(string name, string value)`
			`{`
			`Add(new ConsentSecurityPolicy(name, value));`
			`}`
Add CSP (Disable it if custom theming) 2018-07-12 17:38:21 +09:00			`public void Add(ConsentSecurityPolicy policy)`
			`{`
			`_Policies.Add(policy);`
			`}`

			`public IEnumerable<ConsentSecurityPolicy> Rules => _Policies;`
			`public bool HasRules => _Policies.Count != 0;`

			`public override string ToString()`
			`{`
			`StringBuilder value = new StringBuilder();`
			`bool firstGroup = true;`
Run dotnet format 2020-06-28 17:55:27 +09:00			`foreach (var group in Rules.GroupBy(r => r.Name))`
Add CSP (Disable it if custom theming) 2018-07-12 17:38:21 +09:00			`{`
			`if (!firstGroup)`
			`{`
			`value.Append(';');`
			`}`
Add CSP at the website level (#2863) 2021-09-09 21:51:28 +09:00			`HashSet<string> values = new HashSet<string>();`
Fix CSP when there is a theme 2021-09-09 23:22:49 +09:00			`List<string> valuesList = new List<string>();`
Add CSP (Disable it if custom theming) 2018-07-12 17:38:21 +09:00			`values.Add(group.Key);`
Fix CSP when there is a theme 2021-09-09 23:22:49 +09:00			`valuesList.Add(group.Key);`
Add CSP (Disable it if custom theming) 2018-07-12 17:38:21 +09:00			`foreach (var v in group)`
			`{`
Fix CSP when there is a theme 2021-09-09 23:22:49 +09:00			`if (values.Add(v.Value))`
			`valuesList.Add(v.Value);`
Add CSP (Disable it if custom theming) 2018-07-12 17:38:21 +09:00			`}`
Fix CSP when there is a theme 2021-09-09 23:22:49 +09:00			`value.Append(String.Join(" ", valuesList.OfType<object>().ToArray()));`
Add CSP (Disable it if custom theming) 2018-07-12 17:38:21 +09:00			`firstGroup = false;`
			`}`
			`return value.ToString();`
			`}`
			`}`
			`}`