Merge pull request #91 from vpietri/unauthorized_csp_detection

vpietri · web-flow · commit 948cd3da4baa · 2025-07-18T09:10:36.000+02:00
Check unauthorized inline JS
diff --git a/Observer/CheckHtmlObserver.php b/Observer/CheckHtmlObserver.php
@@ -0,0 +1,70 @@
+<?php
+
+namespace ADM\QuickDevBar\Observer;
+
+use ADM\QuickDevBar\Service\Dumper;
+use Magento\Csp\Api\PolicyCollectorInterface;
+use Magento\Csp\Model\Policy\FetchPolicy;
+use Magento\Framework\Event\Observer;
+use Magento\Framework\Event\ObserverInterface;
+
+
+class CheckHtmlObserver implements ObserverInterface
+{
+    private Dumper $dumper;
+
+    private PolicyCollectorInterface $collector;
+
+    public function __construct(Dumper $dumper,
+                                PolicyCollectorInterface $collector)
+    {
+        $this->dumper = $dumper;
+        $this->collector = $collector;
+    }
+
+    public function execute(Observer $observer)
+    {
+
+        $block = $observer->getEvent()->getBlock();
+        $html = $observer->getEvent()->getTransport()->getHtml();
+        $allowedHashes = [];
+        $policies = $this->collector->collect();
+        foreach ($policies as $policy) {
+            if($policy->getId() =='script-src') {
+                if($policy->isInlineAllowed()) {
+                    //Noting to check
+                    return null;
+                }
+                $allowedHashes = $policy->getHashes();
+                break;
+            }
+        }
+
+        //Without nonce
+        $pattern = '/<script(?![^>]*\bnonce\s*=)[^>]*>(.*?)<\/script>/is';
+
+        //Without nonce nor x-magento-init
+        $pattern = '/<script(?![^>]*\b(?:nonce|type\s*=\s*["\']text\/x-magento-init["\']))[^>]*>(.*?)<\/script>/is';
+
+
+        if( preg_match_all($pattern, $html, $matches)) {
+            foreach ($matches[1] as $scriptContent) {
+                $sha256 = $this->generateHashValue($scriptContent);
+                if(!empty($allowedHashes[$sha256])) {
+                    continue;
+                }
+                $this->dumper->addDump(
+                    'Script violating CSP'. '<br>' .
+                    '<pre>' .  htmlspecialchars($scriptContent). '</pre>' .
+                    '(' . get_class($block) . ' :: '. $block->getTemplateFile() . ')<br>' .
+                    'To enable execution use sha256: '. $this->generateHashValue($scriptContent) . '<br><br>',
+                    [], "");
+            }
+        }
+    }
+
+    private function generateHashValue(string $content): string
+    {
+        return base64_encode(hash('sha256', $content, true));
+    }
+}
diff --git a/Plugin/Framework/Event/Invoker.php b/Plugin/Framework/Event/Invoker.php
@@ -2,6 +2,8 @@
 
 namespace ADM\QuickDevBar\Plugin\Framework\Event;
 
+use Magento\Framework\Event\Observer;
+
 class Invoker
 {
     /**
@@ -19,8 +21,11 @@ public function __construct(
         $this->serviceObserver = $serviceObserver;
     }
 
-    public function beforeDispatch($class, $observerConfig, $wrapper)
+    public function beforeDispatch(\Magento\Framework\Event\InvokerInterface $class, array $configuration, Observer $observer)
     {
-        $this->serviceObserver->addObserver($observerConfig, $wrapper);
+        if (isset($configuration['disabled']) && true === $configuration['disabled']) {
+            return;
+        }
+        $this->serviceObserver->addObserver($configuration, $observer);
     }
 }
diff --git a/Service/Observer.php b/Service/Observer.php
@@ -19,16 +19,10 @@ public function pullData()
         return $this->observers;
     }
 
-    public function addObserver($observerConfig, $wrapper)
+    public function addObserver($configuration, $observer)
     {
-        $data = $observerConfig;
-
-        if (isset($data['disabled']) && true === $data['disabled']) {
-            return;
-        }
-
-
-        $data['event'] = $wrapper->getEvent()->getName();
+        $data = $configuration;
+        $data['event'] = $observer->getEvent()->getName();
 
         $key = crc32(json_encode($data));
         if (isset($this->observers[$key])) {
@@ -38,4 +32,4 @@ public function addObserver($observerConfig, $wrapper)
             $this->observers[$key] = $data;
         }
     }
-}
+}
diff --git a/etc/events.xml b/etc/events.xml
@@ -21,4 +21,8 @@
         <observer name="qdb_custom_layout" instance="ADM\QuickDevBar\Observer\UpdateLayoutObserver" />
     </event>
 
+    <event name="view_block_abstract_to_html_after">
+        <observer name="qdb_view_block_abstract_to_html_after" instance="ADM\QuickDevBar\Observer\CheckHtmlObserver" />
+    </event>
+
 </config>
diff --git a/view/base/layout/quickdevbar.xml b/view/base/layout/quickdevbar.xml
@@ -24,6 +24,9 @@
                         <argument name="data_key" xsi:type="string">module_list</argument>
 
                     </arguments>
+                    <action method="setIsAjax">
+                        <argument name="is_ajax" xsi:type="string">1</argument>
+                    </action>
                 </block>
                 <block class="ADM\QuickDevBar\Block\Tab\Content\Config" name="qdb.tab.config" as="qdb.tab.config" template="ADM_QuickDevBar::tab/info/config.phtml">
                     <arguments>
diff --git a/view/base/templates/tab/dumper.phtml b/view/base/templates/tab/dumper.phtml
@@ -12,7 +12,7 @@
 <?php else: ?>
     <?php foreach ($block->getDumps() as $dump):?>
         <div class="qdb-dump">
-            <?= $block->formatTrace($dump['bt']) ?>
+            <?= !empty($dump['bt']) ? $block->formatTrace($dump['bt']) : '' ?>
             <?= $dump['dump'] ?>
         </div>
     <?php endforeach;?>
diff --git a/view/base/templates/tab/profile/observer.phtml b/view/base/templates/tab/profile/observer.phtml
@@ -8,10 +8,10 @@
 <table class="qdb_table striped filterable">
 <thead>
 <tr>
-    <th>Event</th>
-    <th>Name</th>
+    <th>Event name</th>
+    <th>Intercepted event name</th>
     <th>Call Number</th>
-    <th>Instance</th>
+    <th>Observer class</th>
 </tr>
 </thead>
 <tbody>

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,8 @@`
`2`	`2`
`3`	`3`	`namespace ADM\QuickDevBar\Plugin\Framework\Event;`
`4`	`4`
	`5`	`+use Magento\Framework\Event\Observer;`
	`6`	`+`
`5`	`7`	`class Invoker`
`6`	`8`	`{`
`7`	`9`	`/**`
`@@ -19,8 +21,11 @@ public function __construct(`
`19`	`21`	`$this->serviceObserver = $serviceObserver;`
`20`	`22`	`}`
`21`	`23`
`22`		`- public function beforeDispatch($class, $observerConfig, $wrapper)`
	`24`	`+ public function beforeDispatch(\Magento\Framework\Event\InvokerInterface $class, array $configuration, Observer $observer)`
`23`	`25`	`{`
`24`		`- $this->serviceObserver->addObserver($observerConfig, $wrapper);`
	`26`	`+ if (isset($configuration['disabled']) && true === $configuration['disabled']) {`
	`27`	`+ return;`
	`28`	`+ }`
	`29`	`+ $this->serviceObserver->addObserver($configuration, $observer);`
`25`	`30`	`}`
`26`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,16 +19,10 @@ public function pullData()`
`19`	`19`	`return $this->observers;`
`20`	`20`	`}`
`21`	`21`
`22`		`- public function addObserver($observerConfig, $wrapper)`
	`22`	`+ public function addObserver($configuration, $observer)`
`23`	`23`	`{`
`24`		`- $data = $observerConfig;`
`25`		`-`
`26`		`- if (isset($data['disabled']) && true === $data['disabled']) {`
`27`		`- return;`
`28`		`- }`
`29`		`-`
`30`		`-`
`31`		`- $data['event'] = $wrapper->getEvent()->getName();`
	`24`	`+ $data = $configuration;`
	`25`	`+ $data['event'] = $observer->getEvent()->getName();`
`32`	`26`
`33`	`27`	`$key = crc32(json_encode($data));`
`34`	`28`	`if (isset($this->observers[$key])) {`
`@@ -38,4 +32,4 @@ public function addObserver($observerConfig, $wrapper)`
`38`	`32`	`$this->observers[$key] = $data;`
`39`	`33`	`}`
`40`	`34`	`}`
`41`		`-}`
	`35`	`+}`