upstream/mercurial-mirror Commit - r30766:d7bf7d2b

hgweb: support Content Security Policy...

hgweb: support Content Security Policy Content-Security-Policy (CSP) is a web security feature that allows servers to declare what loaded content is allowed to do. For example, a policy can prevent loading of images, JavaScript, CSS, etc unless the source of that content is whitelisted (by hostname, URI scheme, hashes of content, etc). It's a nifty security feature that provides extra mitigation against some attacks, notably XSS. Mitigation against these attacks is important for Mercurial because hgweb renders repository data, which is commonly untrusted. While we make attempts to escape things, etc, there's the possibility that malicious data could be injected into the site content. If this happens today, the full power of the web browser is available to that malicious content. A restrictive CSP policy (defined by the server operator and sent in an HTTP header which is outside the control of malicious content), could restrict browser capabilities and mitigate security problems posed by malicious data. CSP works by emitting an HTTP header declaring the policy that browsers should apply. Ideally, this header would be emitted by a layer above Mercurial (likely the HTTP server doing the WSGI "proxying"). This works for some CSP policies, but not all. For example, policies to allow inline JavaScript may require setting a "nonce" attribute on <script>. This attribute value must be unique and non-guessable. And, the value must be present in the HTTP header and the HTML body. This means that coordinating the value between Mercurial and another HTTP server could be difficult: it is much easier to generate and emit the nonce in a central location. This commit introduces support for emitting a Content-Security-Policy header from hgweb. A config option defines the header value. If present, the header is emitted. A special "%nonce%" syntax in the value triggers generation of a nonce and inclusion in <script> elements in templates. The inclusion of a nonce does not occur unless "%nonce%" is present. This makes this commit completely backwards compatible and the feature opt-in. The nonce is a type 4 UUID, which is the flavor that is randomly generated. It has 122 random bits, which should be plenty to satisfy the guarantees of a nonce.

Gregory Szorc -

r30766:d7bf7d2b default

parent child

Collapse all files

tests/test-hgweb-csp.t

0 created 644 +129 0

@@ -0,0 +1,129 b''
	1	#require serve
	2
	3	$ cat > web.conf << EOF
	4	> [paths]
	5	> / = $TESTTMP/*
	6	> EOF
	7
	8	$ hg init repo1
	9	$ cd repo1
	10	$ touch foo
	11	$ hg -q commit -A -m initial
	12	$ cd ..
	13
	14	$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
	15	$ cat hg.pid >> $DAEMON_PIDS
	16
	17	repo index should not send Content-Security-Policy header by default
	18
	19	$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
	20	200 Script output follows
	21
	22	static page should not send CSP by default
	23
	24	$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
	25	200 Script output follows
	26
	27	repo page should not send CSP by default, should send ETag
	28
	29	$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
	30	200 Script output follows
	31	etag: W/"*" (glob)
	32
	33	$ killdaemons.py
	34
	35	Configure CSP without nonce
	36
	37	$ cat >> web.conf << EOF
	38	> [web]
	39	> csp = script-src https://example.com/ 'unsafe-inline'
	40	> EOF
	41
	42	$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
	43	$ cat hg.pid > $DAEMON_PIDS
	44
	45	repo index should send Content-Security-Policy header when enabled
	46
	47	$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
	48	200 Script output follows
	49	content-security-policy: script-src https://example.com/ 'unsafe-inline'
	50
	51	static page should send CSP when enabled
	52
	53	$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
	54	200 Script output follows
	55	content-security-policy: script-src https://example.com/ 'unsafe-inline'
	56
	57	repo page should send CSP by default, include etag w/o nonce
	58
	59	$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
	60	200 Script output follows
	61	content-security-policy: script-src https://example.com/ 'unsafe-inline'
	62	etag: W/"*" (glob)
	63
	64	nonce should not be added to html if CSP doesn't use it
	65
	66	$ get-with-headers.py localhost:$HGPORT repo1/graph/tip \| egrep 'content-security-policy\|<script'
	67	<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
	68	<!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
	69	<script type="text/javascript">
	70	<script type="text/javascript">
	71
	72	Configure CSP with nonce
	73
	74	$ killdaemons.py
	75	$ cat >> web.conf << EOF
	76	> csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
	77	> EOF
	78
	79	$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
	80	$ cat hg.pid > $DAEMON_PIDS
	81
	82	nonce should be substituted in CSP header
	83
	84	$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
	85	200 Script output follows
	86	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
	87
	88	nonce should be included in CSP for static pages
	89
	90	$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
	91	200 Script output follows
	92	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
	93
	94	repo page should have nonce, no ETag
	95
	96	$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
	97	200 Script output follows
	98	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
	99
	100	nonce should be added to html when used
	101
	102	$ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
	103	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
	104	<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
	105	<!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
	106	<script type="text/javascript" nonce="*"> (glob)
	107	<script type="text/javascript" nonce="*"> (glob)
	108
	109	hgweb_mod w/o hgwebdir works as expected
	110
	111	$ killdaemons.py
	112
	113	$ hg -R repo1 serve -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
	114	$ cat hg.pid > $DAEMON_PIDS
	115
	116	static page sends CSP
	117
	118	$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
	119	200 Script output follows
	120	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
	121
	122	nonce included in <script> and headers
	123
	124	$ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
	125	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
	126	<script type="text/javascript" src="/static/mercurial.js"></script>
	127	<!--[if IE]><script type="text/javascript" src="/static/excanvas.js"></script><![endif]-->
	128	<script type="text/javascript" nonce="*"> (glob)
	129	<script type="text/javascript" nonce="*"> (glob)

mercurial/help/config.txt

0 +14 0

@@ -2111,6 +2111,20 b' The full set of options is:'
2111	Name or email address of the person in charge of the repository.	2111	Name or email address of the person in charge of the repository.
2112	(default: ui.username or ``$EMAIL`` or "unknown" if unset or empty)	2112	(default: ui.username or ``$EMAIL`` or "unknown" if unset or empty)
2113		2113
		2114	``csp``
		2115	Send a ``Content-Security-Policy`` HTTP header with this value.
		2116
		2117	The value may contain a special string ``%nonce%``, which will be replaced
		2118	by a randomly-generated one-time use value. If the value contains
		2119	``%nonce%``, ``web.cache`` will be disabled, as caching undermines the
		2120	one-time property of the nonce. This nonce will also be inserted into
		2121	``<script>`` elements containing inline JavaScript.
		2122
		2123	Note: lots of HTML content sent by the server is derived from repository
		2124	data. Please consider the potential for malicious repository data to
		2125	"inject" itself into generated HTML content as part of your security
		2126	threat model.
		2127
2114	``deny_push``	2128	``deny_push``
2115	Whether to deny pushing to the repository. If empty or not set,	2129	Whether to deny pushing to the repository. If empty or not set,
2116	push is not denied. If the special value ``*``, all remote users are	2130	push is not denied. If the special value ``*``, all remote users are

mercurial/hgweb/common.py

0 +21 0

@@ -8,9 +8,11 b''
8		8
9	from __future__ import absolute_import	9	from __future__ import absolute_import
10		10
		11	import base64
11	import errno	12	import errno
12	import mimetypes	13	import mimetypes
13	import os	14	import os
		15	import uuid
14		16
15	from .. import (	17	from .. import (
16	encoding,	18	encoding,
@@ -199,3 +201,22 b' def caching(web, req):'
199	if req.env.get('HTTP_IF_NONE_MATCH') == tag:	201	if req.env.get('HTTP_IF_NONE_MATCH') == tag:
200	raise ErrorResponse(HTTP_NOT_MODIFIED)	202	raise ErrorResponse(HTTP_NOT_MODIFIED)
201	req.headers.append(('ETag', tag))	203	req.headers.append(('ETag', tag))
		204
		205	def cspvalues(ui):
		206	"""Obtain the Content-Security-Policy header and nonce value.
		207
		208	Returns a 2-tuple of the CSP header value and the nonce value.
		209
		210	First value is ``None`` if CSP isn't enabled. Second value is ``None``
		211	if CSP isn't enabled or if the CSP header doesn't need a nonce.
		212	"""
		213	# Don't allow untrusted CSP setting since it be disable protections
		214	# from a trusted/global source.
		215	csp = ui.config('web', 'csp', untrusted=False)
		216	nonce = None
		217
		218	if csp and '%nonce%' in csp:
		219	nonce = base64.urlsafe_b64encode(uuid.uuid4().bytes).rstrip('=')
		220	csp = csp.replace('%nonce%', nonce)
		221
		222	return csp, nonce

mercurial/hgweb/hgweb_mod.py

0 +14 -1

                 HTTP_OK,
                 HTTP_SERVER_ERROR,
                 caching,
+                cspvalues,
                 permhooks,
             )
             from .request import wsgirequest
                     # of the request.
                     self.websubtable = app.websubtable
+                    self.csp, self.nonce = cspvalues(self.repo.ui)
                 # Trust the settings from the .hg/hgrc files by default.
                 def config(self, section, name, default=None, untrusted=True):
                     return self.repo.ui.config(section, name, default,
                         'sessionvars': sessionvars,
                         'pathdef': makebreadcrumb(req.url),
                         'style': style,
+                        'nonce': self.nonce,
                     }
                     tmpl = templater.templater.frommapfile(mapfile,
                                                            filters={'websub': websubfilter},
                     encoding.encoding = rctx.config('web', 'encoding', encoding.encoding)
                     rctx.repo.ui.environ = req.env
+                    if rctx.csp:
+                        # hgwebdir may have added CSP header. Since we generate our own,
+                        # replace it.
+                        req.headers = [h for h in req.headers
+                                       if h[0] != 'Content-Security-Policy']
+                        req.headers.append(('Content-Security-Policy', rctx.csp))
                     # work with CGI variables to create coherent structure
                     # use SCRIPT_NAME, PATH_INFO and QUERY_STRING as well as our REPO_NAME
                             req.form['cmd'] = [tmpl.cache['default']]
                             cmd = req.form['cmd'][0]
-                        if rctx.configbool('web', 'cache', True):
+                        # Don't enable caching if using a CSP nonce because then it wouldn't
+                        # be a nonce.
+                        if rctx.configbool('web', 'cache', True) and not rctx.nonce:
                             caching(self, req) # sets ETag header or raises NOT_MODIFIED
                         if cmd not in webcommands.__all__:
                             msg = 'no such method: %s' % cmd

mercurial/hgweb/hgwebdir_mod.py

0 +8 -2

                 HTTP_NOT_FOUND,
                 HTTP_OK,
                 HTTP_SERVER_ERROR,
+                cspvalues,
                 get_contact,
                 get_mtime,
                 ismember,
                     try:
                         self.refresh()
+                        csp, nonce = cspvalues(self.ui)
+                        if csp:
+                            req.headers.append(('Content-Security-Policy', csp))
                         virtual = req.env.get("PATH_INFO", "").strip('/')
-                        tmpl = self.templater(req)
+                        tmpl = self.templater(req, nonce)
                         ctype = tmpl('mimetype', encoding=encoding.encoding)
                         ctype = templater.stringify(ctype)
                                 sortcolumn=sortcolumn, descending=descending,
                                 **dict(sort))
-                def templater(self, req):
+                def templater(self, req, nonce):
                     def motd(**map):
                         if self.motd is not None:
                         "staticurl": staticurl,
                         "sessionvars": sessionvars,
                         "style": style,
+                        "nonce": nonce,
                     }
                     tmpl = templater.templater.frommapfile(mapfile, defaults=defaults)
                     return tmpl

mercurial/templates/gitweb/graph.tmpl

0 +2 -2

             <ul id="graphnodes"></ul>
             </div>
-            <script>
+            <script{if(nonce, ' nonce="{nonce}"')}>
             <!-- hide script content
             var data = {jsdata|json};
             | {changenav%navgraph}
             </div>
-            <script type="text/javascript">
+            <script type="text/javascript"{if(nonce, ' nonce="{nonce}"')}>
                 ajaxScrollInit(
                         '{url|urlescape}graph/{rev}?revcount=%next%&style={style}',
                         {revcount}+60,

mercurial/templates/gitweb/shortlog.tmpl

0 +1 -1

             {changenav%navshort}
             </div>
-            <script type="text/javascript">
+            <script type="text/javascript"{if(nonce, ' nonce="{nonce}"')}>
                 ajaxScrollInit(
                         '{url|urlescape}shortlog/%next%{sessionvars%urlparameter}',
                         '{nextentry%"{node}"}', <!-- NEXTHASH

mercurial/templates/monoblue/graph.tmpl

0 +2 -2

                     <ul id="graphnodes"></ul>
                 </div>
-                <script>
+                <script{if(nonce, ' nonce="{nonce}"')}>
                 <!-- hide script content
                 document.getElementById('noscript').style.display = 'none';
                     | {changenav%navgraph}
                 </div>
-                <script type="text/javascript">
+                <script type="text/javascript"{if(nonce, ' nonce="{nonce}"')}>
                 ajaxScrollInit(
                         '{url|urlescape}graph/{rev}?revcount=%next%&style={style}',
                         {revcount}+60,

mercurial/templates/monoblue/shortlog.tmpl

0 +1 -1

                 {changenav%navshort}
                 </div>
-                <script type="text/javascript">
+                <script type="text/javascript"{if(nonce, ' nonce="{nonce}"')}>
                 ajaxScrollInit(
                         '{url|urlescape}shortlog/%next%{sessionvars%urlparameter}',
                         '{nextentry%"{node}"}', <!-- NEXTHASH

mercurial/templates/paper/graph.tmpl

0 +2 -2

             <ul id="graphnodes"></ul>
             </div>
-            <script type="text/javascript">
+            <script type="text/javascript"{if(nonce, ' nonce="{nonce}"')}>
             <!-- hide script content
             var data = {jsdata|json};
             | rev {rev}: {changenav%navgraph}
             </div>
-            <script type="text/javascript">
+            <script type="text/javascript"{if(nonce, ' nonce="{nonce}"')}>
                 ajaxScrollInit(
                         '{url|urlescape}graph/{rev}?revcount=%next%&style={style}',
                         {revcount}+60,

mercurial/templates/paper/shortlog.tmpl

0 +1 -1

             | rev {rev}: {changenav%navshort}
             </div>
-            <script type="text/javascript">
+            <script type="text/javascript"{if(nonce, ' nonce="{nonce}"')}>
                 ajaxScrollInit(
                         '{url|urlescape}shortlog/%next%{sessionvars%urlparameter}',
                         '{nextentry%"{node}"}', <!-- NEXTHASH

mercurial/templates/spartan/graph.tmpl

0 +1 -1

             <ul id="graphnodes"></ul>
             </div>
-            <script type="text/javascript">
+            <script type="text/javascript"{if(nonce, ' nonce="{nonce}"')}>
             <!-- hide script content
             var data = {jsdata|json};

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages