From ad7b62fa3deea6f1ea483d37e0f72b0f57b1d466 Mon Sep 17 00:00:00 2001
From: "nicolas.dorier"
Date: Thu, 9 Sep 2021 23:22:49 +0900
Subject: [PATCH] Fix CSP when there is a theme

---
.../Controllers/InvoiceController.UI.cs | 14 --------
BTCPayServer/Controllers/InvoiceController.cs | 2 --
.../ContentSecurityPolicyCssThemeManager.cs | 32 -------------------
BTCPayServer/Hosting/BTCPayServerServices.cs | 1 -
.../Security/ContentSecurityPolicies.cs | 14 +++-----
5 files changed, 5 insertions(+), 58 deletions(-)
delete mode 100644 BTCPayServer/HostedServices/ContentSecurityPolicyCssThemeManager.cs

diff --git a/BTCPayServer/Controllers/InvoiceController.UI.cs b/BTCPayServer/Controllers/InvoiceController.UI.cs
index 5b0e70b26..e4158148c 100644
--- a/BTCPayServer/Controllers/InvoiceController.UI.cs
+++ b/BTCPayServer/Controllers/InvoiceController.UI.cs
@@ -448,20 +448,6 @@ namespace BTCPayServer.Controllers
 if (view == "modal")
 model.IsModal = true;
-
- _CSP.Add(new ConsentSecurityPolicy("script-src", "'unsafe-eval'")); // Needed by Vue
- if (!string.IsNullOrEmpty(model.CustomCSSLink) &&
- Uri.TryCreate(model.CustomCSSLink, UriKind.Absolute, out var uri))
- {
- _CSP.Clear();
- }
-
- if (!string.IsNullOrEmpty(model.CustomLogoLink) &&
- Uri.TryCreate(model.CustomLogoLink, UriKind.Absolute, out uri))
- {
- _CSP.Clear();
- }
-
-
 return View(nameof(Checkout), model);
 }
diff --git a/BTCPayServer/Controllers/InvoiceController.cs b/BTCPayServer/Controllers/InvoiceController.cs
index 564615764..1dae2263c 100644
--- a/BTCPayServer/Controllers/InvoiceController.cs
+++ b/BTCPayServer/Controllers/InvoiceController.cs
@@ -32,7 +32,6 @@ namespace BTCPayServer.Controllers
 public partial class InvoiceController : Controller
 {
 readonly InvoiceRepository _InvoiceRepository;
- readonly ContentSecurityPolicies _CSP;
 readonly RateFetcher _RateProvider;
 readonly StoreRepository _StoreRepository;
 readonly UserManager _UserManager;
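Review bot: Nothing on the new side of this hunk re-grants `'unsafe-eval'` to script-src, so if the Vue bundle loaded by the checkout view still needs it (the removed comment says it did) the page now runs under the stricter policy and eval-based template compilation would be blocked; confirm that the view or a filter supplies it, or that the build in use no longer requires it. Dropping the two `_CSP.Clear()` calls is the right direction: they discarded every directive of the policy as soon as a store had an absolute CustomCSSLink or CustomLogoLink, which is far broader than admitting those two origins. The replacement should be a targeted allowance, i.e. the link's origin added to `style-src` or `img-src` only, and that addition is not visible in this diff, so please point to where it lands. The action returning `View(nameof(Checkout), model)` starts above the hunk.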
@@ -72,7 +71,6 @@ namespace BTCPayServer.Controllers
 _dbContextFactory = dbContextFactory;
 _paymentHostedService = paymentHostedService;
 WebhookNotificationManager = webhookNotificationManager;
- _CSP = csp;
 _languageService = languageService;
 }
diff --git a/BTCPayServer/HostedServices/ContentSecurityPolicyCssThemeManager.cs b/BTCPayServer/HostedServices/ContentSecurityPolicyCssThemeManager.cs
deleted file mode 100644
index 32c33582f..000000000
--- a/BTCPayServer/HostedServices/ContentSecurityPolicyCssThemeManager.cs
+++ /dev/null
@@ -1,32 +0,0 @@
-using System;
-using BTCPayServer.Abstractions.Contracts;
-using BTCPayServer.Security;
-using Microsoft.AspNetCore.Mvc.Filters;
-
-namespace BTCPayServer.HostedServices
-{
- public class ContentSecurityPolicyCssThemeManager : Attribute, IActionFilter, IOrderedFilter
- {
- public int Order => 1001;
-
- public void OnActionExecuted(ActionExecutedContext context)
- {
-
- }
-
- public void OnActionExecuting(ActionExecutingContext context)
- {
- var settingsRepository = context.HttpContext.RequestServices.GetService(typeof(ISettingsRepository)) as ISettingsRepository;
-
- var policies = context.HttpContext.RequestServices.GetService(typeof(ContentSecurityPolicies)) as ContentSecurityPolicies;
- if (policies != null)
- {
- var theme = settingsRepository.GetTheme().GetAwaiter().GetResult();
- if (theme.CssUri != null && Uri.TryCreate(theme.CssUri, UriKind.Absolute, out var uri))
- {
- policies.Clear();
- }
- }
- }
-}
diff --git a/BTCPayServer/Hosting/BTCPayServerServices.cs b/BTCPayServer/Hosting/BTCPayServerServices.cs
index 57def8745..d8242ce42 100644
--- a/BTCPayServer/Hosting/BTCPayServerServices.cs
+++ b/BTCPayServer/Hosting/BTCPayServerServices.cs
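Review bot: Only the assignment `_CSP = csp;` is removed here, so the constructor presumably still declares the `ContentSecurityPolicies csp` parameter, which is now unused; DI keeps resolving the service for nothing and a reader will wonder what it is for. Remove the parameter from the constructor signature (outside this hunk) together with the field already removed in the hunk at `@@ -32,7 +32,6 @@`, and drop the `using` for the Security namespace if nothing else in the file needs it. The constructor starts above the hunk.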
@@ -302,7 +302,6 @@ namespace BTCPayServer.Hosting
 services.Configure((o) =>
 {
- o.Filters.Add(new ContentSecurityPolicyCssThemeManager());
 o.ModelMetadataDetailsProviders.Add(new SuppressChildValidationMetadataProvider(typeof(WalletId)));
 o.ModelMetadataDetailsProviders.Add(new SuppressChildValidationMetadataProvider(typeof(DerivationStrategyBase)));
 });
diff --git a/BTCPayServer/Security/ContentSecurityPolicies.cs b/BTCPayServer/Security/ContentSecurityPolicies.cs
index 7f88a430b..e7df65f45 100644
--- a/BTCPayServer/Security/ContentSecurityPolicies.cs
+++ b/BTCPayServer/Security/ContentSecurityPolicies.cs
@@ -75,8 +75,6 @@ namespace BTCPayServer.Security
 }
 public void Add(ConsentSecurityPolicy policy)
 {
- if (_Policies.Any(p => p.Name == policy.Name && p.Value == policy.Name))
- return;
 _Policies.Add(policy);
 }
@@ -94,20 +92,18 @@ namespace BTCPayServer.Security
 value.Append(';');
 }
 HashSet values = new HashSet();
+ List valuesList = new List();
 values.Add(group.Key);
+ valuesList.Add(group.Key);
 foreach (var v in group)
 {
- values.Add(v.Value);
+ if (values.Add(v.Value))
+ valuesList.Add(v.Value);
 }
- value.Append(String.Join(" ", values.OfType().ToArray()));
+ value.Append(String.Join(" ", valuesList.OfType().ToArray()));
 firstGroup = false;
 }
 return value.ToString();
 }
-
- internal void Clear()
- {
- _Policies.Clear();
- }
 }
 }
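Review bot: The `OfType()`/`ToArray()` round trip on `valuesList` in the rendering loop is a leftover from the set-based version and is redundant for a list that only ever receives `group.Key` and `v.Value`; `value.Append(String.Join(" ", valuesList));` reads better and avoids the extra array, and the set could be renamed for its new membership-only role, e.g. `seen`. Removing `internal void Clear()` is welcome: it was the only way the policy could be wiped wholesale, and the deleted theme filter used it to drop every directive whenever an absolute theme CssUri was configured, so a themed instance shipped no CSP at all. With that gone, a remote theme stylesheet has to be admitted through a specific style-src source instead; that addition is not in this diff, so please check where it lands. Since `Add` no longer filters duplicates (the removed check compared `p.Value` with `policy.Name` and so effectively never matched), a one-line remark on `Add` such as `// Duplicate values are collapsed per directive when the header is rendered` would save the next reader a search. The enclosing rendering method starts above the hunk.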