TDEAL-16: Security improvements

Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md

@@ -0,0 +1,13 @@
+# Lombiq Helpful Libraries - ASP.NET Core Libraries - Security
+
+## `Content-Security-Policy`
+
+- `ApplicationBuilderExtensions`: Contains the `AddContentSecurityPolicyHeader` extension method to add a middleware that provides the `Content-Security-Policy` header.
+- `CdnContentSecurityPolicyProvider`: An optional policy provider that permits additional CDN host names for the `script-scr` and `style-src` directives.
+- `ContentSecurityPolicyDirectives`: The `Content-Security-Policy` directive names that are defined in the W3C [recommendation](https://www.w3.org/TR/CSP2/#directives) and some common values.
+- `IContentSecurityPolicyProvider`: Interface for services that update the dictionary that will be turned into the `Content-Security-Policy` header value.
+- `ServiceCollectionExtensions`: Extensions methods for `IServiceCollection`, e.g. `AddContentSecurityPolicyProvider()` is a shortcut to register `IContentSecurityPolicyProvider` in dependency injection.
+
+There is a similar section for security extensions related to Orchard Core [here](../../Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md).
+
+These extensions provide additional security and can resolve issues reported by the [ZAP security scanner](https://github.com/Lombiq/UI-Testing-Toolbox/blob/dev/Lombiq.Tests.UI/Docs/SecurityScanning.md).

Lombiq.HelpfulLibraries.AspNetCore/Extensions/CookieHttpContextExtensions .cs

@@ -7,12 +7,13 @@ public static class CookieHttpContextExtensions
     /// <summary>
     /// Sets the cookie with the given name with a maximal expiration time.
     /// </summary>
-    public static void SetCookieForever(this HttpContext httpContext, string name, string value) =>
+    public static void SetCookieForever(this HttpContext httpContext, string name, string value, SameSiteMode sameSite = SameSiteMode.Lax) =>
         httpContext.Response.Cookies.Append(name, value, new CookieOptions
         {
             Expires = DateTimeOffset.MaxValue,
             Secure = true,
             HttpOnly = true,
+            SameSite = sameSite,
         });
 
     /// <summary>

Lombiq.HelpfulLibraries.AspNetCore/Readme.md

@@ -14,3 +14,4 @@ Please see the inline documentation of each piece of the API to learn more.
 - [Localization](Docs/Localization.md)
 - [Middlewares](Docs/Middlewares.md)
 - [MVC](Docs/Mvc.md)
+- [Security](Docs/Security.md)

Lombiq.HelpfulLibraries.AspNetCore/Security/ApplicationBuilderExtensions.cs

@@ -0,0 +1,158 @@
+using Lombiq.HelpfulLibraries.AspNetCore.Security;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Primitives;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Mime;
+using System.Threading.Tasks;
+using static Lombiq.HelpfulLibraries.AspNetCore.Security.ContentSecurityPolicyDirectives;
+using static Lombiq.HelpfulLibraries.AspNetCore.Security.ContentSecurityPolicyDirectives.CommonValues;
+
+namespace Microsoft.AspNetCore.Builder;
+
+public static class ApplicationBuilderExtensions
+{
+    /// <summary>
+    /// Adds a middleware that supplies the <c>Content-Security-Policy</c> header. It may be further expanded by
+    /// registering services that implement <see cref="IContentSecurityPolicyProvider"/>.
+    /// </summary>
+    /// <param name="allowInlineScript">
+    /// If <see langword="true"/> then inline scripts are permitted. When using Orchard Core a lot of front end shapes
+    /// use inline script blocks without a nonce (see https://github.com/OrchardCMS/OrchardCore/issues/13389) making
+    /// this a required setting.
+    /// </param>
+    /// <param name="allowInlineStyle">
+    /// If <see langword="true"/> then inline styles are permitted. Note that even if your site has no embedded style
+    /// blocks and no style attributes, some Javascript libraries may still create some from code.
+    /// </param>
+    public static IApplicationBuilder UseContentSecurityPolicyHeader(
+        this IApplicationBuilder app,
+        bool allowInlineScript,
+        bool allowInlineStyle) =>
+        app.Use(async (context, next) =>
+        {
+            const string key = "Content-Security-Policy";
+
+            if (context.Response.Headers.ContainsKey(key))
+            {
+                await next();
+                return;
+            }
+
+            var securityPolicies = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+            {
+                // Default values enforcing a same origin policy for all resources.
+                [BaseUri] = Self,
+                [DefaultSrc] = Self,
+                [FrameSrc] = Self,
+                [ScriptSrc] = Self,
+                [StyleSrc] = Self,
+                [FormAction] = Self,
+                // Needed for SVG images using "data:image/svg+xml,..." data URLs.
+                [ImgSrc] = $"{Self} {Data}",
+                // Modern sites shouldn't need <object>, <embed>, and <applet> elements.
+                [ObjectSrc] = None,
+                // Necessary to prevent clickjacking (https://developer.mozilla.org/en-US/docs/Glossary/Clickjacking).
+                [FrameAncestors] = Self,
+            };
+
+            if (allowInlineScript) securityPolicies[ScriptSrc] = $"{Self} {UnsafeInline}";
+            if (allowInlineStyle) securityPolicies[StyleSrc] = $"{Self} {UnsafeInline}";
+
+            context.Response.OnStarting(async () =>
+            {
+                // No need to do content security policy on non-HTML responses.
+                if (context.Response.ContentType?.ContainsOrdinalIgnoreCase(MediaTypeNames.Text.Html) != true) return;
+
+                // The thought behind this provider model is that if you need something else than the default, you
+                // should add a provider that only applies the additional directive on screens where it's actually
+                // needed. This way we maintain minimal permissions. Also if you need additional permissions for a
+                // specific action you can use the [ContentSecurityPolicyAttribute(value, name, parentName)] attribute.
+                foreach (var provider in context.RequestServices.GetServices<IContentSecurityPolicyProvider>())
+                {
+                    await provider.UpdateAsync(securityPolicies, context);
+                }
+
+                var policy = string.Join("; ", securityPolicies.Select(pair => $"{pair.Key} {pair.Value}"));
+                context.Response.Headers[key] = policy;
+            });
+
+            await next();
+        });
+
+    /// <summary>
+    /// Adds a middleware that sets the <c>X-Content-Type-Options</c> header to <c>nosniff</c>.
+    /// </summary>
+    /// <remarks><para>
+    /// "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to ’nosniff’. This allows older versions of
+    /// Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response
+    /// body to be interpreted  and displayed as a content type other than the declared content type. Current (early
+    /// 2014) and legacy versions  of Firefox will use the declared content type (if one is set), rather than performing
+    /// MIME-sniffing." As written in <see href="https://www.zaproxy.org/docs/alerts/10021/">the documentation</see>.
+    /// </para></remarks>
+    public static IApplicationBuilder UseNosniffContentTypeOptionsHeader(this IApplicationBuilder app) =>
+        app.Use(async (context, next) =>
+        {
+            const string key = "X-Content-Type-Options";
+
+            if (!context.Response.Headers.ContainsKey(key))
+            {
+                context.Response.Headers.Add(key, "nosniff");
+            }
+
+            await next();
+        });
+
+    /// <summary>
+    /// Adds a middleware that checks all <c>Set-Cookie</c> headers and replaces any with a version containing
+    /// <c>Secure</c> and <c>SameSite=Strict</c> modifiers if they were missing.
+    /// </summary>
+    /// <remarks><para>
+    /// With this all cookies will only work in a secure context, so you should have some way to automatically redirect
+    /// any HTTP request to HTTPS.
+    /// </para></remarks>
+    public static IApplicationBuilder UseStrictAndSecureCookies(this IApplicationBuilder app)
+    {
+        static void UpdateIfMissing(ref string cookie, ref bool changed, string test, string append)
+        {
+            if (!cookie.ContainsOrdinalIgnoreCase(test))
+            {
+                cookie += append;
+                changed = true;
+            }
+        }
+
+        return app.Use((context, next) =>
+        {
+            const string setCookieHeader = "Set-Cookie";
+            context.Response.OnStarting(() =>
+            {
+                var setCookie = context.Response.Headers[setCookieHeader];
+                if (!setCookie.Any()) return Task.CompletedTask;
+
+                var newCookies = new List<string>(capacity: setCookie.Count);
+                var changed = false;
+
+                foreach (var cookie in setCookie.WhereNot(string.IsNullOrWhiteSpace))
+                {
+                    var newCookie = cookie;
+
+                    UpdateIfMissing(ref newCookie, ref changed, "SameSite", "; SameSite=Strict");
+                    UpdateIfMissing(ref newCookie, ref changed, "Secure", "; Secure");
+
+                    newCookies.Add(newCookie);
+                }
+
+                if (changed)
+                {
+                    context.Response.Headers[setCookieHeader] = new StringValues(newCookies.ToArray());
+                }
+
+                return Task.CompletedTask;
+            });
+
+            return next();
+        });
+    }
+}

Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs

@@ -0,0 +1,85 @@
+using Microsoft.AspNetCore.Http;
+using System;
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+using static Lombiq.HelpfulLibraries.AspNetCore.Security.ContentSecurityPolicyDirectives;
+
+namespace Lombiq.HelpfulLibraries.AspNetCore.Security;
+
+/// <summary>
+/// A content security policy directive provider that provides additional permitted host names for <see
+/// cref="StyleSrc"/> and <see cref="ScriptSrc"/>.
+/// </summary>
+public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider
+{
+    /// <summary>
+    /// Gets the URLs whose <see cref="Uri.Host"/> will be added to the <see cref="StyleSrc"/> directive.
+    /// </summary>
+    public static ConcurrentBag<Uri> PermittedStyleSources { get; } = new(new[]
+    {
+        new Uri("https://fonts.googleapis.com/css"),
+        new Uri("https://fonts.gstatic.com/"),
+        new Uri("https://cdn.jsdelivr.net/npm"),
+    });
+
+    /// <summary>
+    /// Gets the URLs whose <see cref="Uri.Host"/> will be added to the <see cref="ScriptSrc"/> directive.
+    /// </summary>
+    public static ConcurrentBag<Uri> PermittedScriptSources { get; } = new(new[]
+    {
+        new Uri("https://cdn.jsdelivr.net/npm"),
+    });
+
+    /// <summary>
+    /// Gets the URLs whose <see cref="Uri.Host"/> will be added to the <see cref="FontSrc"/> directive.
+    /// </summary>
+    public static ConcurrentBag<Uri> PermittedFontSources { get; } = new(new[]
+    {
+        new Uri("https://fonts.googleapis.com/"),
+        new Uri("https://fonts.gstatic.com/"),
+    });
+
+    public ValueTask UpdateAsync(IDictionary<string, string> securityPolicies, HttpContext context)
+    {
+        var any = false;
+
+        if (PermittedStyleSources.Any())
+        {
+            any = true;
+            MergeValues(securityPolicies, StyleSrc, PermittedStyleSources);
+        }
+
+        if (PermittedScriptSources.Any())
+        {
+            any = true;
+            MergeValues(securityPolicies, ScriptSrc, PermittedScriptSources);
+        }
+
+        if (PermittedFontSources.Any())
+        {
+            any = true;
+            MergeValues(securityPolicies, FontSrc, PermittedFontSources);
+        }
+
+        if (any)
+        {
+            var allPermittedSources = PermittedStyleSources.Concat(PermittedScriptSources).Concat(PermittedFontSources);
+            MergeValues(securityPolicies, ConnectSrc, allPermittedSources);
+        }
+
+        return ValueTask.CompletedTask;
+    }
+
+    private static void MergeValues(IDictionary<string, string> policies, string key, IEnumerable<Uri> sources)
+    {
+        var directiveValue = policies.GetMaybe(key) ?? policies.GetMaybe(DefaultSrc) ?? string.Empty;
+
+        policies[key] = string.Join(' ', directiveValue
+            .Split(' ')
+            .Union(sources.Select(uri => uri.Host))
+            .Distinct());
+    }
+}

Lombiq.HelpfulLibraries.AspNetCore/Security/ContentSecurityPolicyDirectives.cs

@@ -0,0 +1,40 @@
+namespace Lombiq.HelpfulLibraries.AspNetCore.Security;
+
+/// <summary>
+/// The <c>Content-Security-Policy</c> directives defined in the <a href="https://www.w3.org/TR/CSP2/#directives">W3C
+/// Recommendation</a>.
+/// </summary>
+public static class ContentSecurityPolicyDirectives
+{
+    public const string BaseUri = "base-uri";
+    public const string ChildSrc = "child-src";
+    public const string ConnectSrc = "connect-src";
+    public const string DefaultSrc = "default-src";
+    public const string FontSrc = "font-src";
+    public const string FormAction = "form-action";
+    public const string FrameAncestors = "frame-ancestors";
+    public const string FrameSrc = "frame-src";
+    public const string ImgSrc = "img-src";
+    public const string MediaSrc = "media-src";
+    public const string ObjectSrc = "object-src";
+    public const string PluginTypes = "plugin-types";
+    public const string ReportUri = "report-uri";
+    public const string Sandbox = "sandbox";
+    public const string ScriptSrc = "script-src";
+    public const string StyleSrc = "style-src";
+    public const string WorkerSrc = "worker-src";
+
+    public static class CommonValues
+    {
+        // These values represent special words so they must be surrounded with apostrophes.
+        public const string Self = "'self'";
+        public const string None = "'none'";
+        public const string UnsafeInline = "'unsafe-inline'";
+        public const string UnsafeEval = "'unsafe-eval'";
+
+        // These values represent allowed protocol schemes.
+        public const string Https = "https:";
+        public const string Data = "data:";
+        public const string Blob = "blob:";
+    }
+}

Lombiq.HelpfulLibraries.AspNetCore/Security/IContentSecurityPolicyProvider.cs

@@ -0,0 +1,37 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using static Lombiq.HelpfulLibraries.AspNetCore.Security.ContentSecurityPolicyDirectives;
+
+namespace Lombiq.HelpfulLibraries.AspNetCore.Security;
+
+/// <summary>
+/// A service for updating the dictionary that will be turned into the <c>Content-Security-Policy</c> header value by
+/// <see cref="ApplicationBuilderExtensions.UseContentSecurityPolicyHeader"/>.
+/// </summary>
+public interface IContentSecurityPolicyProvider
+{
+    /// <summary>
+    /// Updates the <paramref name="securityPolicies"/> dictionary where the keys are the <c>Content-Security-Policy</c>
+    /// directives names and the values are the matching directive values.
+    /// </summary>
+    public ValueTask UpdateAsync(IDictionary<string, string> securityPolicies, HttpContext context);
+
+    /// <summary>
+    /// Returns the first non-empty directive from the <paramref name="names"/> or <see cref="DefaultSrc"/> or an empty
+    /// string.
+    /// </summary>
+    public static string GetDirective(IDictionary<string, string> securityPolicies, params string[] names)
+    {
+        foreach (var name in names)
+        {
+            if (securityPolicies.TryGetValue(name, out var value) && !string.IsNullOrWhiteSpace(value))
+            {
+                return value;
+            }
+        }
+
+        return securityPolicies.GetMaybe(DefaultSrc) ?? string.Empty;
+    }
+}

Lombiq.HelpfulLibraries.AspNetCore/Security/ServiceCollectionExtensions.cs

@@ -0,0 +1,23 @@
+using Lombiq.HelpfulLibraries.AspNetCore.Security;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+
+namespace Microsoft.Extensions.DependencyInjection;
+
+public static class ServiceCollectionExtensions
+{
+    /// <summary>
+    /// Registers a Content Security Policy provider that implements <see cref="IContentSecurityPolicyProvider"/> and
+    /// will be used by <see cref="ApplicationBuilderExtensions.UseContentSecurityPolicyHeader"/>.
+    /// </summary>
+    public static IServiceCollection AddContentSecurityPolicyProvider<TProvider>(this IServiceCollection services)
+        where TProvider : class, IContentSecurityPolicyProvider =>
+        services.AddScoped<IContentSecurityPolicyProvider, TProvider>();
+
+    /// <summary>
+    /// Configures the session cookie to be always secure. With this configuration the token won't work in an HTTP
+    /// environment so make sure that HTTPS redirection is enabled.
+    /// </summary>
+    public static IServiceCollection ConfigureSessionCookieAlwaysSecure(this IServiceCollection services) =>
+        services.Configure<SessionOptions>(options => options.Cookie.SecurePolicy = CookieSecurePolicy.Always);
+}