From a47a1e6249f97765d7f899c8dfb9b44c76b0d542 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Thu, 7 Mar 2024 17:38:24 +0100 Subject: [PATCH 1/7] feat: Migrate header check to SetupCheck API MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- .../composer/composer/autoload_classmap.php | 1 + .../composer/composer/autoload_static.php | 1 + apps/settings/lib/AppInfo/Application.php | 2 + .../lib/SetupChecks/SecurityHeaders.php | 134 ++++++++++++++++++ 4 files changed, 138 insertions(+) create mode 100644 apps/settings/lib/SetupChecks/SecurityHeaders.php diff --git a/apps/settings/composer/composer/autoload_classmap.php b/apps/settings/composer/composer/autoload_classmap.php index b9709c8ad2854..17e47f62a7d8b 100644 --- a/apps/settings/composer/composer/autoload_classmap.php +++ b/apps/settings/composer/composer/autoload_classmap.php @@ -117,6 +117,7 @@ 'OCA\\Settings\\SetupChecks\\PushService' => $baseDir . '/../lib/SetupChecks/PushService.php', 'OCA\\Settings\\SetupChecks\\RandomnessSecure' => $baseDir . '/../lib/SetupChecks/RandomnessSecure.php', 'OCA\\Settings\\SetupChecks\\ReadOnlyConfig' => $baseDir . '/../lib/SetupChecks/ReadOnlyConfig.php', + 'OCA\\Settings\\SetupChecks\\SecurityHeaders' => $baseDir . '/../lib/SetupChecks/SecurityHeaders.php', 'OCA\\Settings\\SetupChecks\\SupportedDatabase' => $baseDir . '/../lib/SetupChecks/SupportedDatabase.php', 'OCA\\Settings\\SetupChecks\\SystemIs64bit' => $baseDir . '/../lib/SetupChecks/SystemIs64bit.php', 'OCA\\Settings\\SetupChecks\\TempSpaceAvailable' => $baseDir . '/../lib/SetupChecks/TempSpaceAvailable.php', diff --git a/apps/settings/composer/composer/autoload_static.php b/apps/settings/composer/composer/autoload_static.php index 67808ad23f2e3..1dccc69b923a5 100644 --- a/apps/settings/composer/composer/autoload_static.php +++ b/apps/settings/composer/composer/autoload_static.php 
@@ -132,6 +132,7 @@ class ComposerStaticInitSettings 'OCA\\Settings\\SetupChecks\\PushService' => __DIR__ . '/..' . '/../lib/SetupChecks/PushService.php', 'OCA\\Settings\\SetupChecks\\RandomnessSecure' => __DIR__ . '/..' . '/../lib/SetupChecks/RandomnessSecure.php', 'OCA\\Settings\\SetupChecks\\ReadOnlyConfig' => __DIR__ . '/..' . '/../lib/SetupChecks/ReadOnlyConfig.php', + 'OCA\\Settings\\SetupChecks\\SecurityHeaders' => __DIR__ . '/..' . '/../lib/SetupChecks/SecurityHeaders.php', 'OCA\\Settings\\SetupChecks\\SupportedDatabase' => __DIR__ . '/..' . '/../lib/SetupChecks/SupportedDatabase.php', 'OCA\\Settings\\SetupChecks\\SystemIs64bit' => __DIR__ . '/..' . '/../lib/SetupChecks/SystemIs64bit.php', 'OCA\\Settings\\SetupChecks\\TempSpaceAvailable' => __DIR__ . '/..' . '/../lib/SetupChecks/TempSpaceAvailable.php', diff --git a/apps/settings/lib/AppInfo/Application.php b/apps/settings/lib/AppInfo/Application.php index 0977da398b0dd..9f7ec3036f43f 100644 --- a/apps/settings/lib/AppInfo/Application.php +++ b/apps/settings/lib/AppInfo/Application.php @@ -86,6 +86,7 @@ use OCA\Settings\SetupChecks\PushService; use OCA\Settings\SetupChecks\RandomnessSecure; use OCA\Settings\SetupChecks\ReadOnlyConfig; +use OCA\Settings\SetupChecks\SecurityHeaders; use OCA\Settings\SetupChecks\SupportedDatabase; use OCA\Settings\SetupChecks\SystemIs64bit; use OCA\Settings\SetupChecks\TempSpaceAvailable; @@ -214,6 +215,7 @@ public function register(IRegistrationContext $context): void { $context->registerSetupCheck(PhpOutputBuffering::class); $context->registerSetupCheck(RandomnessSecure::class); $context->registerSetupCheck(ReadOnlyConfig::class); + $context->registerSetupCheck(SecurityHeaders::class); $context->registerSetupCheck(SupportedDatabase::class); $context->registerSetupCheck(SystemIs64bit::class); $context->registerSetupCheck(TempSpaceAvailable::class); 
diff --git a/apps/settings/lib/SetupChecks/SecurityHeaders.php b/apps/settings/lib/SetupChecks/SecurityHeaders.php
new file mode 100644
index 0000000000000..d5239d5a1b13a
--- /dev/null
+++ b/apps/settings/lib/SetupChecks/SecurityHeaders.php
@@ -0,0 +1,134 @@ + + * + * @author Côme Chilliet + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ + +namespace OCA\Settings\SetupChecks; + +use OCP\Http\Client\IClientService; +use OCP\IConfig; +use OCP\IL10N; +use OCP\IRequest; +use OCP\IURLGenerator; +use OCP\SetupCheck\ISetupCheck; +use OCP\SetupCheck\SetupResult; +use Psr\Log\LoggerInterface; + +class SecurityHeaders implements ISetupCheck { + + use CheckServerResponseTrait; + + public function __construct( + protected IL10N $l10n, + protected IConfig $config, + protected IURLGenerator $urlGenerator, + protected IRequest $request, + protected IClientService $clientService, + protected LoggerInterface $logger, + ) { + } + + public function getCategory(): string { + return 'security'; + } + + public function getName(): string { + return $this->l10n->t('HTTP headers'); + } + + public function run(): SetupResult { + $urls = [ + ['get', $this->urlGenerator->linkToRoute('heartbeat'), [200]], + ]; + $securityHeaders = [ + 'X-Content-Type-Options' => ['nosniff', null], + 'X-Robots-Tag' => ['noindex, nofollow', null], + 'X-Frame-Options' => ['sameorigin', 'deny'], + 'X-Permitted-Cross-Domain-Policies' => ['none', null], + ]; + + foreach ($urls as [$verb,$url,$validStatuses]) { + $works = null; + foreach ($this->runRequest($url, $verb) as $response) { + // Check 
that the response status matches + if (!in_array($response->getStatusCode(), $validStatuses)) { + $works = false; + continue; + } + $msg = ''; + $msgParameters = []; + foreach ($securityHeaders as $header => [$expected, $accepted]) { + $value = strtolower($response->getHeader($header)); + if ($value !== $expected) { + if ($accepted !== null && $value === $accepted) { + $msg .= $this->l10n->t('- The `%1` HTTP header is not set to `%2`. Some features might not work correctly, as it is recommended to adjust this setting accordingly.', [$header, $expected]); + } else { + $msg .= $this->l10n->t('- The `%1` HTTP header is not set to `%2`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', [$header, $expected]); + } + } + } + + $xssfields = array_map('trim', explode(';', $response->getHeader('X-XSS-Protection'))); + if (!in_array('1', $xssfields) || !in_array('mode=block', $xssfields)) { + $msg .= $this->l10n->t('- The `%1` HTTP header does not contain `%2`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', ['X-XSS-Protection', '1; mode=block']); + } + + $referrerPolicy = $response->getHeader('Referrer-Policy'); + if ($referrerPolicy === null || !preg_match('/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/', $referrerPolicy)) { + $msg .= $this->l10n->t( + '- The `%1` HTTP header is not set to `%2`, `%3`, `%4`, `%5` or `%6`. This can leak referer information. 
See the {w3c-recommendation}.', + [ + 'Referrer-Policy', + 'no-referrer', + 'no-referrer-when-downgrade', + 'strict-origin', + 'strict-origin-when-cross-origin', + 'same-origin', + ] + ); + $msgParameters['w3c-recommendation'] = [ + 'type' => 'highlight', + 'id' => 'w3c-recommendation', + 'name' => 'W3C Recommendation', + 'link' => 'https://www.w3.org/TR/referrer-policy/', + ]; + } + if (!empty($msg)) { + return SetupResult::warning($this->l10n->t('Some headers are not set correctly on your instance')."\n".$msg, descriptionParameters:$msgParameters); + } + // Skip the other requests if one works + break; + } + // If 'works' is null then we could not connect to the server + if ($works === null) { + return SetupResult::info( + $this->l10n->t('Could not check that your web server serves security headers correctly. Please check manually.'), + ); + } + } + return SetupResult::success( + $this->l10n->t('Your server is correctly configured to send security headers.') + ); + } +} From 1fffdf4763c04a04ba5defb53d6df451fe2a75f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Thu, 7 Mar 2024 18:38:39 +0100 Subject: [PATCH 2/7] fix: Fix ocm-provider setup check failure detection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/settings/lib/SetupChecks/OcxProviders.php | 2 +- .../tests/SetupChecks/OcxProvicersTest.php | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/apps/settings/lib/SetupChecks/OcxProviders.php b/apps/settings/lib/SetupChecks/OcxProviders.php index d24f2843829a9..f387fe23a32d5 100644 --- a/apps/settings/lib/SetupChecks/OcxProviders.php +++ b/apps/settings/lib/SetupChecks/OcxProviders.php 
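Review bot: The `X-XSS-Protection` block in `run()` treats every value other than `1; mode=block` as a potential security risk, but that header controlled a browser-side XSS filter that Chromium has removed and Firefox never shipped, and current OWASP Secure Headers guidance and MDN recommend sending `0` (or omitting the header) precisely because `1; mode=block` enabled cross-site leaks in browsers that still honoured it; as written, the check nudges an administrator who already follows that guidance toward the older, riskier value. Since this file is a port of the browser-side check, I would drop the `$xssfields` block and its message rather than carry the recommendation forward, or at minimum stop warning when the header is `0`. If it is kept for now, a comment such as `// X-XSS-Protection is a legacy header; modern guidance prefers '0' plus a Content-Security-Policy — revisit` above the block records the decision for the next reader. Also note `$urls` has a single entry, so the `// Skip the other requests if one works` comment describes a loop that never has a second iteration.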
@@ -68,7 +68,7 @@ public function run(): SetupResult { ]; foreach ($providers as $provider) { - foreach ($this->runHEAD($this->urlGenerator->getWebroot() . $provider) as $response) { + foreach ($this->runRequest('HEAD', $this->urlGenerator->getWebroot() . $provider, ['httpErrors' => false]) as $response) { $testedProviders[$provider] = true; if ($response->getStatusCode() === 200) { $workingProviders[] = $provider; diff --git a/apps/settings/tests/SetupChecks/OcxProvicersTest.php b/apps/settings/tests/SetupChecks/OcxProvicersTest.php index f0f504af02701..2cc6ac6de07f0 100644 --- a/apps/settings/tests/SetupChecks/OcxProvicersTest.php +++ b/apps/settings/tests/SetupChecks/OcxProvicersTest.php @@ -62,7 +62,7 @@ protected function setUp(): void { $this->logger = $this->createMock(LoggerInterface::class); $this->setupcheck = $this->getMockBuilder(OcxProviders::class) - ->onlyMethods(['runHEAD']) + ->onlyMethods(['runRequest']) ->setConstructorArgs([ $this->l10n, $this->config, @@ -79,7 +79,7 @@ public function testSuccess(): void { $this->setupcheck ->expects($this->exactly(2)) - ->method('runHEAD') + ->method('runRequest') ->willReturnOnConsecutiveCalls($this->generate([$response]), $this->generate([$response])); $result = $this->setupcheck->run(); @@ -94,7 +94,7 @@ public function testLateSuccess(): void { $this->setupcheck ->expects($this->exactly(2)) - ->method('runHEAD') + ->method('runRequest') ->willReturnOnConsecutiveCalls($this->generate([$response1, $response1, $response1]), $this->generate([$response2])); // only one response out of two $result = $this->setupcheck->run(); @@ -107,7 +107,7 @@ public function testNoResponse(): void { $this->setupcheck ->expects($this->exactly(2)) - ->method('runHEAD') + ->method('runRequest') ->willReturnOnConsecutiveCalls($this->generate([]), $this->generate([])); // No responses $result = $this->setupcheck->run(); 
@@ -121,7 +121,7 @@ public function testPartialResponse(): void { $this->setupcheck ->expects($this->exactly(2)) - ->method('runHEAD') + ->method('runRequest') ->willReturnOnConsecutiveCalls($this->generate([$response]), $this->generate([])); // only one response out of two $result = $this->setupcheck->run(); @@ -135,7 +135,7 @@ public function testInvalidResponse(): void { $this->setupcheck ->expects($this->exactly(2)) - ->method('runHEAD') + ->method('runRequest') ->willReturnOnConsecutiveCalls($this->generate([$response]), $this->generate([$response])); // only one response out of two $result = $this->setupcheck->run(); @@ -151,7 +151,7 @@ public function testPartialInvalidResponse(): void { $this->setupcheck ->expects($this->exactly(2)) - ->method('runHEAD') + ->method('runRequest') ->willReturnOnConsecutiveCalls($this->generate([$response1]), $this->generate([$response2])); $result = $this->setupcheck->run(); From 310377e496ef049340e10b318bd9498b0fa85f0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Thu, 7 Mar 2024 18:39:38 +0100 Subject: [PATCH 3/7] fix: Fix Security headers setup check behavior MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- .../lib/SetupChecks/SecurityHeaders.php | 5 +- core/js/setupchecks.js | 70 ------------------- 2 files changed, 3 insertions(+), 72 deletions(-) diff --git a/apps/settings/lib/SetupChecks/SecurityHeaders.php b/apps/settings/lib/SetupChecks/SecurityHeaders.php index d5239d5a1b13a..9079df7e39bf3 100644 --- a/apps/settings/lib/SetupChecks/SecurityHeaders.php +++ b/apps/settings/lib/SetupChecks/SecurityHeaders.php 
@@ -70,7 +70,7 @@ public function run(): SetupResult { foreach ($urls as [$verb,$url,$validStatuses]) { $works = null; - foreach ($this->runRequest($url, $verb) as $response) { + foreach ($this->runRequest($url, $verb, ['httpErrors' => false]) as $response) { // Check that the response status matches if (!in_array($response->getStatusCode(), $validStatuses)) { $works = false; @@ -95,7 +95,7 @@ public function run(): SetupResult { } $referrerPolicy = $response->getHeader('Referrer-Policy'); - if ($referrerPolicy === null || !preg_match('/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/', $referrerPolicy)) { + if (!preg_match('/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/', $referrerPolicy)) { $msg .= $this->l10n->t( '- The `%1` HTTP header is not set to `%2`, `%3`, `%4`, `%5` or `%6`. This can leak referer information. See the {w3c-recommendation}.', [ @@ -118,6 +118,7 @@ public function run(): SetupResult { return SetupResult::warning($this->l10n->t('Some headers are not set correctly on your instance')."\n".$msg, descriptionParameters:$msgParameters); } // Skip the other requests if one works + $works = true; break; } // If 'works' is null then we could not connect to the server diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index 00120d678a8d0..d11f05858c4f9 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -169,7 +169,6 @@ var deferred = $.Deferred(); var afterCall = function(data, statusText, xhr) { var messages = []; - messages = messages.concat(self._checkSecurityHeaders(xhr)); messages = messages.concat(self._checkSSL(xhr)); deferred.resolve(messages); }; 
@@ -183,75 +182,6 @@ return deferred.promise(); }, - /** - * Runs check for some generic security headers on the server side - * - * @param {Object} xhr - * @return {Array} Array with error messages - */ - _checkSecurityHeaders: function(xhr) { - var messages = []; - - if (xhr.status === 200) { - var securityHeaders = { - 'X-Content-Type-Options': ['nosniff'], - 'X-Robots-Tag': ['noindex, nofollow'], - 'X-Frame-Options': ['SAMEORIGIN', 'DENY'], - 'X-Permitted-Cross-Domain-Policies': ['none'], - }; - for (var header in securityHeaders) { - var option = securityHeaders[header][0]; - if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).replace(/, /, ',').toLowerCase() !== option.replace(/, /, ',').toLowerCase()) { - var msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', {header: header, expected: option}); - if(xhr.getResponseHeader(header) && securityHeaders[header].length > 1 && xhr.getResponseHeader(header).toLowerCase() === securityHeaders[header][1].toLowerCase()) { - msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". Some features might not work correctly, as it is recommended to adjust this setting accordingly.', {header: header, expected: option}); - } - messages.push({ - msg: msg, - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }); - } - } - - var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(function(item) { return item.trim(); }) : []; - if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) { - messages.push({ - msg: t('core', 'The "{header}" HTTP header does not contain "{expected}". 
This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - { - header: 'X-XSS-Protection', - expected: '1; mode=block' - }), - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }); - } - - const referrerPolicy = xhr.getResponseHeader('Referrer-Policy') - if (referrerPolicy === null || !/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/.test(referrerPolicy)) { - messages.push({ - msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}", "{val4}" or "{val5}". This can leak referer information. See the {linkstart}W3C Recommendation ↗{linkend}.', - { - header: 'Referrer-Policy', - val1: 'no-referrer', - val2: 'no-referrer-when-downgrade', - val3: 'strict-origin', - val4: 'strict-origin-when-cross-origin', - val5: 'same-origin' - }) - .replace('{linkstart}', '') - .replace('{linkend}', ''), - type: OC.SetupChecks.MESSAGE_TYPE_INFO - }) - } - } else { - messages.push({ - msg: t('core', 'Error occurred while checking server setup'), - type: OC.SetupChecks.MESSAGE_TYPE_ERROR - }); - } - - return messages; - }, - /** * Runs check for some SSL configuration issues on the server side * From d7193ef65e14e3d240e9942e0630f96c7125f8f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Fri, 8 Mar 2024 16:34:01 +0100 Subject: [PATCH 4/7] fix: Migrate security headers check tests and fix the SetupCheck implementation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- .../lib/SetupChecks/SecurityHeaders.php | 25 +- .../tests/SetupChecks/SecurityHeadersTest.php | 218 ++++++++++ core/js/tests/specs/setupchecksSpec.js | 409 ------------------ 3 files changed, 233 insertions(+), 419 deletions(-) create mode 100644 apps/settings/tests/SetupChecks/SecurityHeadersTest.php 
diff --git a/apps/settings/lib/SetupChecks/SecurityHeaders.php b/apps/settings/lib/SetupChecks/SecurityHeaders.php index 9079df7e39bf3..4d89b198f896b 100644 --- a/apps/settings/lib/SetupChecks/SecurityHeaders.php +++ b/apps/settings/lib/SetupChecks/SecurityHeaders.php @@ -29,7 +29,6 @@ use OCP\Http\Client\IClientService; use OCP\IConfig; use OCP\IL10N; -use OCP\IRequest; use OCP\IURLGenerator; use OCP\SetupCheck\ISetupCheck; use OCP\SetupCheck\SetupResult; @@ -43,7 +42,6 @@ public function __construct( protected IL10N $l10n, protected IConfig $config, protected IURLGenerator $urlGenerator, - protected IRequest $request, protected IClientService $clientService, protected LoggerInterface $logger, ) { @@ -63,14 +61,14 @@ public function run(): SetupResult { ]; $securityHeaders = [ 'X-Content-Type-Options' => ['nosniff', null], - 'X-Robots-Tag' => ['noindex, nofollow', null], + 'X-Robots-Tag' => ['noindex,nofollow', null], 'X-Frame-Options' => ['sameorigin', 'deny'], 'X-Permitted-Cross-Domain-Policies' => ['none', null], ]; foreach ($urls as [$verb,$url,$validStatuses]) { $works = null; - foreach ($this->runRequest($url, $verb, ['httpErrors' => false]) as $response) { + foreach ($this->runRequest($verb, $url, ['httpErrors' => false]) as $response) { // Check that the response status matches if (!in_array($response->getStatusCode(), $validStatuses)) { $works = false; 
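Review bot: In the header table `$expected` now doubles as the normalised comparison key and as the value shown to administrators, so after this change the warning tells them `X-Robots-Tag` is not set to `noindex,nofollow` even though the spaced form the test fixtures use (`'X-Robots-Tag' => 'noindex, nofollow'`) is what the `preg_replace` normalisation accepts and what most deployments copy-paste. Keeping the human spelling in the table and normalising both sides at comparison time is clearer: `'X-Robots-Tag' => ['noindex, nofollow', null],` here and `if (preg_replace('/,\s+/', ',', $expected) !== $value) {` where the value is compared (that comparison is in the following hunk). The enclosing `run()` continues past this hunk.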
@@ -79,25 +77,26 @@ public function run(): SetupResult { $msg = ''; $msgParameters = []; foreach ($securityHeaders as $header => [$expected, $accepted]) { - $value = strtolower($response->getHeader($header)); + /* Convert to lowercase and remove spaces after comas */ + $value = preg_replace('/,\s+/', ',', strtolower($response->getHeader($header))); if ($value !== $expected) { if ($accepted !== null && $value === $accepted) { - $msg .= $this->l10n->t('- The `%1` HTTP header is not set to `%2`. Some features might not work correctly, as it is recommended to adjust this setting accordingly.', [$header, $expected]); + $msg .= $this->l10n->t('- The `%1$s` HTTP header is not set to `%2$s`. Some features might not work correctly, as it is recommended to adjust this setting accordingly.', [$header, $expected])."\n"; } else { - $msg .= $this->l10n->t('- The `%1` HTTP header is not set to `%2`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', [$header, $expected]); + $msg .= $this->l10n->t('- The `%1$s` HTTP header is not set to `%2$s`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', [$header, $expected])."\n"; } } } $xssfields = array_map('trim', explode(';', $response->getHeader('X-XSS-Protection'))); if (!in_array('1', $xssfields) || !in_array('mode=block', $xssfields)) { - $msg .= $this->l10n->t('- The `%1` HTTP header does not contain `%2`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', ['X-XSS-Protection', '1; mode=block']); + $msg .= $this->l10n->t('- The `%1$s` HTTP header does not contain `%2$s`. 
This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', ['X-XSS-Protection', '1; mode=block'])."\n"; } $referrerPolicy = $response->getHeader('Referrer-Policy'); if (!preg_match('/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/', $referrerPolicy)) { $msg .= $this->l10n->t( - '- The `%1` HTTP header is not set to `%2`, `%3`, `%4`, `%5` or `%6`. This can leak referer information. See the {w3c-recommendation}.', + '- The `%1$s` HTTP header is not set to `%2$s`, `%3$s`, `%4$s`, `%5$s` or `%6$s`. This can leak referer information. See the {w3c-recommendation}.', [ 'Referrer-Policy', 'no-referrer', @@ -106,7 +105,7 @@ public function run(): SetupResult { 'strict-origin-when-cross-origin', 'same-origin', ] - ); + )."\n"; $msgParameters['w3c-recommendation'] = [ 'type' => 'highlight', 'id' => 'w3c-recommendation', @@ -127,6 +126,12 @@ public function run(): SetupResult { $this->l10n->t('Could not check that your web server serves security headers correctly. Please check manually.'), ); } + // Otherwise if we fail we can abort here + if ($works === false) { + return SetupResult::warning( + $this->l10n->t("Could not check that your web server serves security headers correctly, unable to query `%s`", [$url]), + ); + } } return SetupResult::success( $this->l10n->t('Your server is correctly configured to send security headers.') diff --git a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php new file mode 100644 index 0000000000000..4f3304a081da5 --- /dev/null +++ b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php 
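Review bot: The `Referrer-Policy` test still uses the unanchored regex `/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/`, which accepts the header as soon as one safe token appears anywhere in a comma-separated fallback list; per the W3C header-parsing algorithm the last recognised token wins, so a value such as `no-referrer, unsafe-url` passes this check while browsers actually apply `unsafe-url` and send full URLs cross-origin. I would evaluate the last token instead: `$tokens = array_map('trim', explode(',', $response->getHeader('Referrer-Policy')));` then `$referrerPolicy = end($tokens);` and `if (!in_array($referrerPolicy, ['no-referrer', 'no-referrer-when-downgrade', 'strict-origin', 'strict-origin-when-cross-origin', 'same-origin'], true)) {` — this also flags a trailing unrecognised token, which seems preferable to silently ignoring it. While here, the two `in_array` calls on `$xssfields` should pass `true` as the third argument to match the strict comparisons used elsewhere in this method. The enclosing `run()` starts and ends outside this hunk.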
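Review bot: The new `$works === false` branch reports that the server was unable to query `%s`, but `$works` is only set to `false` when a response did arrive with a status outside `$validStatuses` (that assignment is earlier in `run()`, outside this hunk), so a 403 from a WAF or a 503 maintenance page will be described as a connectivity problem and point the administrator in the wrong direction. Capture the status while iterating, `$lastStatus = $response->getStatusCode();` before the `continue`, and report it: `'Could not check that your web server serves security headers correctly: `%1$s` returned HTTP status %2$s', [$url, $lastStatus]`. The success message that follows as context also deserves a caveat: the probe is issued by the server's own HTTP client (via `CheckServerResponseTrait`, not shown here), so headers that a reverse proxy or CDN adds or strips on the public path are not observed, and a comment such as `// Only headers seen on the server's own request are verified; a front proxy may alter what browsers receive.` keeps that limitation visible next to the "correctly configured" claim.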
@@ -0,0 +1,218 @@ + + * + * @author Côme Chilliet + * + * @license AGPL-3.0-or-later + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ +namespace OCA\Settings\Tests; + +use OCA\Settings\SetupChecks\SecurityHeaders; +use OCP\Http\Client\IClientService; +use OCP\Http\Client\IResponse; +use OCP\IConfig; +use OCP\IL10N; +use OCP\IURLGenerator; +use OCP\SetupCheck\SetupResult; +use PHPUnit\Framework\MockObject\MockObject; +use Psr\Log\LoggerInterface; +use Test\TestCase; + +class SecurityHeadersTest extends TestCase { + private IL10N|MockObject $l10n; + private IConfig|MockObject $config; + private IURLGenerator|MockObject $urlGenerator; + private IClientService|MockObject $clientService; + private LoggerInterface|MockObject $logger; + private SecurityHeaders|MockObject $setupcheck; + + protected function setUp(): void { + parent::setUp(); + + /** @var IL10N|MockObject */ + $this->l10n = $this->getMockBuilder(IL10N::class) + ->disableOriginalConstructor()->getMock(); + $this->l10n->expects($this->any()) + ->method('t') + ->willReturnCallback(function ($message, array $replace) { + return vsprintf($message, $replace); + }); + + $this->config = $this->createMock(IConfig::class); + $this->urlGenerator = $this->createMock(IURLGenerator::class); + $this->clientService = $this->createMock(IClientService::class); + $this->logger = $this->createMock(LoggerInterface::class); + + 
$this->setupcheck = $this->getMockBuilder(SecurityHeaders::class) + ->onlyMethods(['runRequest']) + ->setConstructorArgs([ + $this->l10n, + $this->config, + $this->urlGenerator, + $this->clientService, + $this->logger, + ]) + ->getMock(); + } + + public function testInvalidStatusCode(): void { + $this->setupResponse(500, []); + + $result = $this->setupcheck->run(); + $this->assertMatchesRegularExpression('/^Could not check that your web server serves security headers correctly/', $result->getDescription()); + $this->assertEquals(SetupResult::WARNING, $result->getSeverity()); + } + + public function testAllHeadersMissing(): void { + $this->setupResponse(200, []); + + $result = $this->setupcheck->run(); + $this->assertMatchesRegularExpression('/^Some headers are not set correctly on your instance/', $result->getDescription()); + $this->assertEquals(SetupResult::WARNING, $result->getSeverity()); + } + + public function testSomeHeadersMissing(): void { + $this->setupResponse( + 200, + [ + 'X-Robots-Tag' => 'noindex, nofollow', + 'X-Frame-Options' => 'SAMEORIGIN', + 'Strict-Transport-Security' => 'max-age=15768000;preload', + 'X-Permitted-Cross-Domain-Policies' => 'none', + 'Referrer-Policy' => 'no-referrer', + ] + ); + + $result = $this->setupcheck->run(); + $this->assertEquals( + "Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. 
This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n", + $result->getDescription() + ); + $this->assertEquals(SetupResult::WARNING, $result->getSeverity()); + } + + public function dataSuccess(): array { + return [ + // description => modifiedHeaders + 'basic' => [[]], + 'extra-xss-protection' => [['X-XSS-Protection' => '1; mode=block; report=https://example.com']], + 'no-space-in-x-robots' => [['X-Robots-Tag' => 'noindex,nofollow']], + 'strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']], + 'referrer-no-referrer-when-downgrade' => [['Referrer-Policy' => 'no-referrer-when-downgrade']], + 'referrer-strict-origin' => [['Referrer-Policy' => 'strict-origin']], + 'referrer-strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']], + 'referrer-same-origin' => [['Referrer-Policy' => 'same-origin']], + ]; + } + + /** + * @dataProvider dataSuccess + */ + public function testSuccess($headers): void { + $headers = array_merge( + [ + 'X-XSS-Protection' => '1; mode=block', + 'X-Content-Type-Options' => 'nosniff', + 'X-Robots-Tag' => 'noindex, nofollow', + 'X-Frame-Options' => 'SAMEORIGIN', + 'Strict-Transport-Security' => 'max-age=15768000', + 'X-Permitted-Cross-Domain-Policies' => 'none', + 'Referrer-Policy' => 'no-referrer', + ], + $headers + ); + $this->setupResponse( + 200, + $headers + ); + + $result = $this->setupcheck->run(); + $this->assertEquals( + 'Your server is correctly configured to send security headers.', + $result->getDescription() + ); + $this->assertEquals(SetupResult::SUCCESS, $result->getSeverity()); + } + + public function dataFailure(): array { + return [ + // description => modifiedHeaders + 'x-robots-none' => [['X-Robots-Tag' => 'none'], "- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. 
This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"], + 'xss-protection-1' => [['X-XSS-Protection' => '1'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"], + 'xss-protection-0' => [['X-XSS-Protection' => '0'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"], + 'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"], + 'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"], + 'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. 
See the {w3c-recommendation}.\n"], + ]; + } + + /** + * @dataProvider dataFailure + */ + public function testFailure(array $headers, string $msg): void { + $headers = array_merge( + [ + 'X-XSS-Protection' => '1; mode=block', + 'X-Content-Type-Options' => 'nosniff', + 'X-Robots-Tag' => 'noindex, nofollow', + 'X-Frame-Options' => 'SAMEORIGIN', + 'Strict-Transport-Security' => 'max-age=15768000', + 'X-Permitted-Cross-Domain-Policies' => 'none', + 'Referrer-Policy' => 'no-referrer', + ], + $headers + ); + $this->setupResponse( + 200, + $headers + ); + + $result = $this->setupcheck->run(); + $this->assertEquals( + 'Some headers are not set correctly on your instance'."\n$msg", + $result->getDescription() + ); + $this->assertEquals(SetupResult::WARNING, $result->getSeverity()); + } + + protected function setupResponse(int $statuscode, array $headers): void { + $response = $this->createMock(IResponse::class); + $response->expects($this->atLeastOnce())->method('getStatusCode')->willReturn($statuscode); + $response->expects($this->any())->method('getHeader') + ->willReturnCallback( + fn (string $header): string => $headers[$header] ?? '' + ); + + $this->setupcheck + ->expects($this->atLeastOnce()) + ->method('runRequest') + ->willReturnOnConsecutiveCalls($this->generate([$response])); + } + + /** + * Helper function creates a nicer interface for mocking Generator behavior + */ + protected function generate(array $yield_values) { + return $this->returnCallback(function () use ($yield_values) { + yield from $yield_values; + }); + } +} diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index bef316b16c96f..b027bfd21bdec 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js 
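Review bot: `dataSuccess()` lists the `strict-origin-when-cross-origin` case twice (under the keys `strict-origin-when-cross-origin` and `referrer-strict-origin-when-cross-origin`), while the softer `X-Frame-Options: DENY` path — the only header in the table with an `$accepted` alternative and its own "Some features might not work correctly" wording — has no test at all, so that branch of `run()` is unverified. Replace the duplicate with a `dataFailure()` entry: `'x-frame-options-deny' => [['X-Frame-Options' => 'DENY'], "- The `X-Frame-Options` HTTP header is not set to `sameorigin`. Some features might not work correctly, as it is recommended to adjust this setting accordingly.\n"],`. The `Strict-Transport-Security` values in the fixtures are never read by `SecurityHeaders::run()` (HSTS stays with the remaining `_checkSSL` JavaScript), so either drop them or add a short comment saying they only mirror the former browser-side fixtures; otherwise the fixture implies coverage that does not exist. Minor: PHPUnit 10 expects data providers to be `public static function`, and the severity assertions compare scalars, so `assertSame` is the tighter choice.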
@@ -336,416 +336,10 @@ describe('OC.SetupChecks tests', function() { expect(data).toEqual([{ msg: 'Error occurred while checking server setup', type: OC.SetupChecks.MESSAGE_TYPE_ERROR - },{ - msg: 'Error occurred while checking server setup', - type: OC.SetupChecks.MESSAGE_TYPE_ERROR }]); done(); }); }); - - it('should return all errors if all headers are missing', function(done) { - protocolStub.returns('https'); - var async = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond( - 200, - { - 'Content-Type': 'application/json', - 'Strict-Transport-Security': 'max-age=15768000' - }, - '{}' - ); - - async.done(function( data, s, x ){ - expect(data).toEqual([ - { - msg: 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }, { - msg: 'The "X-Robots-Tag" HTTP header is not set to "noindex, nofollow". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }, { - msg: 'The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }, { - msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }, { - msg: 'The "X-XSS-Protection" HTTP header does not contain "1; mode=block". 
This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }, { - msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the W3C Recommendation ↗.', - type: OC.SetupChecks.MESSAGE_TYPE_INFO - } - ]); - done(); - }); - }); - - it('should return only some errors if just some headers are missing', function(done) { - protocolStub.returns('https'); - var async = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond( - 200, - { - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'Strict-Transport-Security': 'max-age=15768000;preload', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - } - ); - - async.done(function( data, s, x ){ - expect(data).toEqual([ - { - msg: 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }, { - msg: 'The "X-XSS-Protection" HTTP header does not contain "1; mode=block". 
This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING, - } - ]); - done(); - }); - }); - - it('should return none errors if all headers are there', function(done) { - protocolStub.returns('https'); - var async = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond( - 200, - { - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'Strict-Transport-Security': 'max-age=15768000', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer' - } - ); - - async.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); - - describe('check X-Robots-Tag header', function() { - it('should return no message if X-Robots-Tag is set to noindex,nofollow without space', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex,nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - }); - result.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); - - it('should return a message if X-Robots-Tag is set to none', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - }); - result.done(function( data, s, x ){ - expect(data).toEqual([ - { - msg: 'The 
"X-Robots-Tag" HTTP header is not set to "noindex, nofollow". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - } - ]); - done(); - }); - }); - }); - - describe('check X-XSS-Protection header', function() { - it('should return no message if X-XSS-Protection is set to 1; mode=block; report=https://example.com', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block; report=https://example.com', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - }); - - result.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); - - it('should return no message if X-XSS-Protection is set to 1; mode=block', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - }); - - result.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); - - it('should return a message if X-XSS-Protection is set to 1', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 
'none', - 'Referrer-Policy': 'no-referrer', - }); - - result.done(function( data, s, x ){ - expect(data).toEqual([ - { - msg: 'The "X-XSS-Protection" HTTP header does not contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - } - ]); - done(); - }); - }); - - it('should return a message if X-XSS-Protection is set to 0', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '0', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - }); - - result.done(function( data, s, x ){ - expect(data).toEqual([ - { - msg: 'The "X-XSS-Protection" HTTP header does not contain "1; mode=block". 
This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - } - ]); - done(); - }); - }); - }); - - describe('check Referrer-Policy header', function() { - it('should return no message if Referrer-Policy is set to no-referrer', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - }); - - result.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); - - it('should return no message if Referrer-Policy is set to no-referrer-when-downgrade', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer-when-downgrade', - }); - - result.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); - - it('should return no message if Referrer-Policy is set to strict-origin', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'strict-origin', - }); - - 
result.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); - - it('should return no message if Referrer-Policy is set to strict-origin-when-cross-origin', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'strict-origin-when-cross-origin', - }); - - result.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); - - it('should return no message if Referrer-Policy is set to same-origin', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'same-origin', - }); - - result.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); - - it('should return a message if Referrer-Policy is set to origin', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'origin', - }); - - result.done(function( data, s, x ){ - expect(data).toEqual([ - { - msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", 
"strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the W3C Recommendation ↗.', - type: OC.SetupChecks.MESSAGE_TYPE_INFO - } - ]); - done(); - }); - }); - - it('should return a message if Referrer-Policy is set to origin-when-cross-origin', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'origin-when-cross-origin', - }); - - result.done(function( data, s, x ){ - expect(data).toEqual([ - { - msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the W3C Recommendation ↗.', - type: OC.SetupChecks.MESSAGE_TYPE_INFO - } - ]); - done(); - }); - }); - - it('should return a message if Referrer-Policy is set to unsafe-url', function(done) { - protocolStub.returns('https'); - var result = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'unsafe-url', - }); - - result.done(function( data, s, x ){ - expect(data).toEqual([ - { - msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. 
See the W3C Recommendation ↗.', - type: OC.SetupChecks.MESSAGE_TYPE_INFO - } - ]); - done(); - }); - }); - }); }); it('should return an error if the response has no statuscode 200', function(done) { @@ -762,9 +356,6 @@ describe('OC.SetupChecks tests', function() { expect(data).toEqual([{ msg: 'Error occurred while checking server setup', type: OC.SetupChecks.MESSAGE_TYPE_ERROR - }, { - msg: 'Error occurred while checking server setup', - type: OC.SetupChecks.MESSAGE_TYPE_ERROR }]); done(); }); From 9f819f311f6182f864486dae61284d94117222f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Tue, 12 Mar 2024 16:38:32 +0100 Subject: [PATCH 5/7] feat: Migrate HSTS check to Security headers SetupCheck MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- .../lib/SetupChecks/SecurityHeaders.php | 22 +- apps/settings/src/admin.js | 5 +- .../tests/SetupChecks/SecurityHeadersTest.php | 6 + core/js/setupchecks.js | 68 ------ core/js/tests/specs/setupchecksSpec.js | 194 ------------------ 5 files changed, 29 insertions(+), 266 deletions(-) diff --git a/apps/settings/lib/SetupChecks/SecurityHeaders.php b/apps/settings/lib/SetupChecks/SecurityHeaders.php index 4d89b198f896b..f1d66188744f4 100644 --- a/apps/settings/lib/SetupChecks/SecurityHeaders.php +++ b/apps/settings/lib/SetupChecks/SecurityHeaders.php 
@@ -113,8 +113,26 @@ public function run(): SetupResult {
 'link' => 'https://www.w3.org/TR/referrer-policy/',
 ];
 }
+
+ $transportSecurityValidity = $response->getHeader('Strict-Transport-Security');
+ $minimumSeconds = 15552000;
+ if (preg_match('/^max-age=(\d+)(;.*)?$/', $transportSecurityValidity, $m)) {
+ $transportSecurityValidity = (int)$m[1];
+ if ($transportSecurityValidity < $minimumSeconds) {
+ $msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set to at least `%d` seconds (current value: `%d`). For enhanced security, it is recommended to enable HSTS.', [$minimumSeconds, $transportSecurityValidity])."\n";
+ }
+ } elseif (!empty($transportSecurityValidity)) {
+ $msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is malformed: `%s`. For enhanced security, it is recommended to enable HSTS.', [$transportSecurityValidity])."\n";
+ } else {
+ $msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set (should be at least `%d` seconds). For enhanced security, it is recommended to enable HSTS.', [$minimumSeconds])."\n";
+ }
+
 if (!empty($msg)) {
- return SetupResult::warning($this->l10n->t('Some headers are not set correctly on your instance')."\n".$msg, descriptionParameters:$msgParameters);
+ return SetupResult::warning(
+ $this->l10n->t('Some headers are not set correctly on your instance')."\n".$msg,
+ $this->urlGenerator->linkToDocs('admin-security'),
+ $msgParameters,
+ );
 }
 // Skip the other requests if one works
 $works = true;
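Review bot: The `preg_match('/^max-age=(\d+)(;.*)?$/', ...)` pattern is stricter than RFC 6797, so an RFC-valid header such as `includeSubDomains; max-age=31536000` or `Max-Age=31536000` (directive names are case-insensitive, may appear in any order, and the value may be quoted) falls into the `elseif` branch and is reported as malformed, a false positive that would push administrators to "fix" a correct configuration. Matching the directive anywhere in the value, case-insensitively, avoids this: `if (preg_match('/(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)/i', $transportSecurityValidity, $m)) {`. The `dataSuccess` hunk in SecurityHeadersTest.php should then gain a case with `includeSubDomains` listed before `max-age` and one with a mixed-case directive name so the regression is covered. Separately, `!empty($transportSecurityValidity)` treats the literal value `'0'` as absent rather than malformed; `$transportSecurityValidity !== ''` is the precise test. The enclosing `run()` starts and ends outside this hunk.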
@@ -124,12 +142,14 @@ public function run(): SetupResult {
 if ($works === null) {
 return SetupResult::info(
 $this->l10n->t('Could not check that your web server serves security headers correctly. Please check manually.'),
+ $this->urlGenerator->linkToDocs('admin-security'),
 );
 }
 // Otherwise if we fail we can abort here
 if ($works === false) {
 return SetupResult::warning(
 $this->l10n->t("Could not check that your web server serves security headers correctly, unable to query `%s`", [$url]),
+ $this->urlGenerator->linkToDocs('admin-security'),
 );
 }
 }
diff --git a/apps/settings/src/admin.js b/apps/settings/src/admin.js
index 09034495529dd..8b5ae1080e3f8 100644
--- a/apps/settings/src/admin.js
+++ b/apps/settings/src/admin.js
@@ -103,9 +103,8 @@ window.addEventListener('DOMContentLoaded', () => {
 $.when(
 OC.SetupChecks.checkWebDAV(),
 OC.SetupChecks.checkSetup(),
- OC.SetupChecks.checkGeneric(),
- ).then((check1, check2, check3) => {
- const messages = [].concat(check1, check2, check3)
+ ).then((check1, check2) => {
+ const messages = [].concat(check1, check2)
 const $el = $('#postsetupchecks')
 $('#security-warning-state-loading').addClass('hidden')
 
diff --git a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
index 4f3304a081da5..0856cca38ca68 100644
--- a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
+++ b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
@@ -120,6 +120,9 @@ public function dataSuccess(): array {
 'referrer-strict-origin' => [['Referrer-Policy' => 'strict-origin']],
 'referrer-strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],
 'referrer-same-origin' => [['Referrer-Policy' => 'same-origin']],
+ 'hsts-minimum' => [['Strict-Transport-Security' => 'max-age=15552000']],
+ 'hsts-include-subdomains' => [['Strict-Transport-Security' => 'max-age=99999999; includeSubDomains']],
+ 'hsts-include-subdomains-preload' => [['Strict-Transport-Security' => 'max-age=99999999; preload; includeSubDomains']],
 ];
 }
 
@@ -161,6 +164,9 @@ public function dataFailure(): array {
 'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
 'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
 'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
+ 'hsts-missing' => [['Strict-Transport-Security' => ''], "- The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS.\n"],
+ 'hsts-too-low' => [['Strict-Transport-Security' => 'max-age=15551999'], "- The `Strict-Transport-Security` HTTP header is not set to at least `15552000` seconds (current value: `15551999`). For enhanced security, it is recommended to enable HSTS.\n"],
+ 'hsts-malformed' => [['Strict-Transport-Security' => 'iAmABogusHeader342'], "- The `Strict-Transport-Security` HTTP header is malformed: `iAmABogusHeader342`. For enhanced security, it is recommended to enable HSTS.\n"],
 ];
 }
 
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index d11f05858c4f9..0c0e673eae795 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -156,73 +156,5 @@ }) } }, - - /** - * Runs generic checks on the server side, the difference to dedicated - * methods is that we use the same XHR object for all checks to save - * requests. - * - * @return $.Deferred object resolved with an array of error messages - */ - checkGeneric: function() { - var self = this; - var deferred = $.Deferred(); - var afterCall = function(data, statusText, xhr) { - var messages = []; - messages = messages.concat(self._checkSSL(xhr)); - deferred.resolve(messages); - }; - - $.ajax({ - type: 'GET', - url: OC.generateUrl('heartbeat'), - allowAuthErrors: true - }).then(afterCall, afterCall); - - return deferred.promise(); - }, - - /** - * Runs check for some SSL configuration issues on the server side - * - * @param {Object} xhr - * @return {Array} Array with error messages - */ - _checkSSL: function(xhr) { - var messages = []; - - if (xhr.status === 200) { - var tipsUrl = OC.theme.docPlaceholderUrl.replace('PLACEHOLDER', 'admin-security'); - if(OC.getProtocol() === 'https') { - // Extract the value of 'Strict-Transport-Security' - var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security'); - if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) { - var firstComma = transportSecurityValidity.indexOf(";"); - if(firstComma !== -1) { - transportSecurityValidity = transportSecurityValidity.substring(8, firstComma); - } else { - transportSecurityValidity = transportSecurityValidity.substring(8); - } - } - - var minimumSeconds = 15552000; - if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) { - messages.push({ - msg: t('core', 'The "Strict-Transport-Security" HTTP header is not set to at least "{seconds}" seconds. 
For enhanced security, it is recommended to enable HSTS as described in the {linkstart}security tips ↗{linkend}.', {'seconds': minimumSeconds}) - .replace('{linkstart}', '') - .replace('{linkend}', ''), - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }); - } - } - } else { - messages.push({ - msg: t('core', 'Error occurred while checking server setup'), - type: OC.SetupChecks.MESSAGE_TYPE_ERROR - }); - } - - return messages; - } }; })(); diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index b027bfd21bdec..99f72754ace2e 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js 
@@ -320,198 +320,4 @@ describe('OC.SetupChecks tests', function() { }); }); }); - - describe('checkGeneric', function() { - it('should return an error if the response has no statuscode 200', function(done) { - var async = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond( - 500, - { - 'Content-Type': 'application/json' - } - ); - - async.done(function( data, s, x ){ - expect(data).toEqual([{ - msg: 'Error occurred while checking server setup', - type: OC.SetupChecks.MESSAGE_TYPE_ERROR - }]); - done(); - }); - }); - }); - - it('should return an error if the response has no statuscode 200', function(done) { - var async = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond( - 500, - { - 'Content-Type': 'application/json' - }, - JSON.stringify({data: {serverHasInternetConnectionProblems: true}}) - ); - async.done(function( data, s, x ){ - expect(data).toEqual([{ - msg: 'Error occurred while checking server setup', - type: OC.SetupChecks.MESSAGE_TYPE_ERROR - }]); - done(); - }); - }); - - it('should return a SSL warning if SSL used without Strict-Transport-Security-Header', function(done) { - protocolStub.returns('https'); - var async = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, - { - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - } - ); - - async.done(function( data, s, x ){ - expect(data).toEqual([{ - msg: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. 
For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }]); - done(); - }); - }); - - it('should return a SSL warning if SSL used with to small Strict-Transport-Security-Header', function(done) { - protocolStub.returns('https'); - var async = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, - { - 'Strict-Transport-Security': 'max-age=15551999', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - } - ); - - async.done(function( data, s, x ){ - expect(data).toEqual([{ - msg: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }]); - done(); - }); - }); - - it('should return a SSL warning if SSL used with to a bogus Strict-Transport-Security-Header', function(done) { - protocolStub.returns('https'); - var async = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, - { - 'Strict-Transport-Security': 'iAmABogusHeader342', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - } - ); - - async.done(function( data, s, x ){ - expect(data).toEqual([{ - msg: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. 
For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }]); - done(); - }); - }); - - it('should return no SSL warning if SSL used with to exact the minimum Strict-Transport-Security-Header', function(done) { - protocolStub.returns('https'); - var async = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=15768000', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - }); - - async.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); - - it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header', function(done) { - protocolStub.returns('https'); - var async = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=99999999', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - }); - - async.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); - - it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header and includeSubDomains parameter', function(done) { - protocolStub.returns('https'); - var async = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=99999999; includeSubDomains', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 
'Referrer-Policy': 'no-referrer', - }); - - async.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); - - it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header and includeSubDomains and preload parameter', function(done) { - protocolStub.returns('https'); - var async = OC.SetupChecks.checkGeneric(); - - suite.server.requests[0].respond(200, { - 'Strict-Transport-Security': 'max-age=99999999; preload; includeSubDomains', - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'noindex, nofollow', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Permitted-Cross-Domain-Policies': 'none', - 'Referrer-Policy': 'no-referrer', - }); - - async.done(function( data, s, x ){ - expect(data).toEqual([]); - done(); - }); - }); }); From 58ae7e4b28e8a5c34b817efec53a81f092903415 Mon Sep 17 00:00:00 2001 From: nextcloud-command Date: Tue, 12 Mar 2024 17:36:29 +0000 Subject: [PATCH 6/7] chore(assets): Recompile assets Signed-off-by: nextcloud-command --- dist/settings-legacy-admin.js | 4 ++-- dist/settings-legacy-admin.js.map | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/dist/settings-legacy-admin.js b/dist/settings-legacy-admin.js index 0ec6f49c67c60..ccddfa326bf4f 100644 --- a/dist/settings-legacy-admin.js +++ b/dist/settings-legacy-admin.js 
@@ -1,2 +1,2 @@ -({69129:function(){window.addEventListener("DOMContentLoaded",(()=>{$("#loglevel").change((function(){$.post(OC.generateUrl("/settings/admin/log/level"),{level:$(this).val()},(()=>{OC.Log.reload()}))})),$("#mail_smtpauth").change((function(){this.checked?$("#mail_credentials").removeClass("hidden"):$("#mail_credentials").addClass("hidden")})),$("#mail_smtpmode").change((function(){"smtp"!==$(this).val()?($("#setting_smtpauth").addClass("hidden"),$("#setting_smtphost").addClass("hidden"),$("#mail_smtpsecure_label").addClass("hidden"),$("#mail_smtpsecure").addClass("hidden"),$("#mail_credentials").addClass("hidden"),$("#mail_sendmailmode_label, #mail_sendmailmode").removeClass("hidden")):($("#setting_smtpauth").removeClass("hidden"),$("#setting_smtphost").removeClass("hidden"),$("#mail_smtpsecure_label").removeClass("hidden"),$("#mail_smtpsecure").removeClass("hidden"),$("#mail_smtpauth").is(":checked")&&$("#mail_credentials").removeClass("hidden"),$("#mail_sendmailmode_label, #mail_sendmailmode").addClass("hidden"))}));const 
e=function(){OC.PasswordConfirmation.requiresPasswordConfirmation()?OC.PasswordConfirmation.requirePasswordConfirmation(e):(OC.msg.startSaving("#mail_settings_msg"),$.ajax({url:OC.generateUrl("/settings/admin/mailsettings"),type:"POST",data:$("#mail_general_settings_form").serialize(),success:()=>{OC.msg.finishedSuccess("#mail_settings_msg",t("settings","Saved"))},error:e=>{OC.msg.finishedError("#mail_settings_msg",e.responseJSON)}}))},s=function(){OC.PasswordConfirmation.requiresPasswordConfirmation()?OC.PasswordConfirmation.requirePasswordConfirmation(s):(OC.msg.startSaving("#mail_settings_msg"),$.ajax({url:OC.generateUrl("/settings/admin/mailsettings/credentials"),type:"POST",data:$("#mail_credentials_settings").serialize(),success:()=>{OC.msg.finishedSuccess("#mail_settings_msg",t("settings","Saved"))},error:e=>{OC.msg.finishedError("#mail_settings_msg",e.responseJSON)}}))};$("#mail_general_settings_form").change(e),$("#mail_credentials_settings_submit").click(s),$("#mail_smtppassword").click((()=>{"text"===this.N&&"********"===this.U&&(this.N="password",this.U="")})),$("#sendtestemail").click((e=>{e.preventDefault(),OC.msg.startAction("#sendtestmail_msg",t("settings","Sending…")),$.ajax({url:OC.generateUrl("/settings/admin/mailtest"),type:"POST",success:()=>{OC.msg.finishedSuccess("#sendtestmail_msg",t("settings","Email sent"))},error:e=>{OC.msg.finishedError("#sendtestmail_msg",e.responseJSON)}})})),null!==document.getElementById("security-warning")&&$.when(OC.SetupChecks.checkWebDAV(),OC.SetupChecks.checkSetup(),OC.SetupChecks.checkGeneric()).then(((e,s,i)=>{const t=[].concat(e,s,i),n=$("#postsetupchecks");$("#security-warning-state-loading").addClass("hidden");let a=!1;const d=n.find(".errors"),l=n.find(".warnings"),r=n.find(".info");for(let e=0;e"+t[e].msg+"");break;case OC.SetupChecks.MESSAGE_TYPE_WARNING:l.append("
  • "+t[e].msg+"
  • ");break;case OC.SetupChecks.MESSAGE_TYPE_ERROR:default:d.append("
  • "+t[e].msg+"
  • ")}d.find("li").length>0&&(d.removeClass("hidden"),a=!0),l.find("li").length>0&&(l.removeClass("hidden"),a=!0),r.find("li").length>0&&(r.removeClass("hidden"),a=!0),a?($("#postsetupchecks-hint").removeClass("hidden"),d.find("li").length>0?$("#security-warning-state-failure").removeClass("hidden"):$("#security-warning-state-warning").removeClass("hidden")):0===$("#security-warning").children("ul").children().length?$("#security-warning-state-ok").removeClass("hidden"):$("#security-warning-state-failure").removeClass("hidden")}))}))}})[69129](); -//# sourceMappingURL=settings-legacy-admin.js.map?v=934bbdbaeebd1d2b478c \ No newline at end of file +({69129:function(){window.addEventListener("DOMContentLoaded",(()=>{$("#loglevel").change((function(){$.post(OC.generateUrl("/settings/admin/log/level"),{level:$(this).val()},(()=>{OC.Log.reload()}))})),$("#mail_smtpauth").change((function(){this.checked?$("#mail_credentials").removeClass("hidden"):$("#mail_credentials").addClass("hidden")})),$("#mail_smtpmode").change((function(){"smtp"!==$(this).val()?($("#setting_smtpauth").addClass("hidden"),$("#setting_smtphost").addClass("hidden"),$("#mail_smtpsecure_label").addClass("hidden"),$("#mail_smtpsecure").addClass("hidden"),$("#mail_credentials").addClass("hidden"),$("#mail_sendmailmode_label, #mail_sendmailmode").removeClass("hidden")):($("#setting_smtpauth").removeClass("hidden"),$("#setting_smtphost").removeClass("hidden"),$("#mail_smtpsecure_label").removeClass("hidden"),$("#mail_smtpsecure").removeClass("hidden"),$("#mail_smtpauth").is(":checked")&&$("#mail_credentials").removeClass("hidden"),$("#mail_sendmailmode_label, #mail_sendmailmode").addClass("hidden"))}));const 
e=function(){OC.PasswordConfirmation.requiresPasswordConfirmation()?OC.PasswordConfirmation.requirePasswordConfirmation(e):(OC.msg.startSaving("#mail_settings_msg"),$.ajax({url:OC.generateUrl("/settings/admin/mailsettings"),type:"POST",data:$("#mail_general_settings_form").serialize(),success:()=>{OC.msg.finishedSuccess("#mail_settings_msg",t("settings","Saved"))},error:e=>{OC.msg.finishedError("#mail_settings_msg",e.responseJSON)}}))},s=function(){OC.PasswordConfirmation.requiresPasswordConfirmation()?OC.PasswordConfirmation.requirePasswordConfirmation(s):(OC.msg.startSaving("#mail_settings_msg"),$.ajax({url:OC.generateUrl("/settings/admin/mailsettings/credentials"),type:"POST",data:$("#mail_credentials_settings").serialize(),success:()=>{OC.msg.finishedSuccess("#mail_settings_msg",t("settings","Saved"))},error:e=>{OC.msg.finishedError("#mail_settings_msg",e.responseJSON)}}))};$("#mail_general_settings_form").change(e),$("#mail_credentials_settings_submit").click(s),$("#mail_smtppassword").click((()=>{"text"===this.N&&"********"===this.U&&(this.N="password",this.U="")})),$("#sendtestemail").click((e=>{e.preventDefault(),OC.msg.startAction("#sendtestmail_msg",t("settings","Sending…")),$.ajax({url:OC.generateUrl("/settings/admin/mailtest"),type:"POST",success:()=>{OC.msg.finishedSuccess("#sendtestmail_msg",t("settings","Email sent"))},error:e=>{OC.msg.finishedError("#sendtestmail_msg",e.responseJSON)}})})),null!==document.getElementById("security-warning")&&$.when(OC.SetupChecks.checkWebDAV(),OC.SetupChecks.checkSetup()).then(((e,s)=>{const i=[].concat(e,s),t=$("#postsetupchecks");$("#security-warning-state-loading").addClass("hidden");let n=!1;const a=t.find(".errors"),d=t.find(".warnings"),l=t.find(".info");for(let e=0;e"+i[e].msg+"");break;case OC.SetupChecks.MESSAGE_TYPE_WARNING:d.append("
  • "+i[e].msg+"
  • ");break;case OC.SetupChecks.MESSAGE_TYPE_ERROR:default:a.append("
  • "+i[e].msg+"
  • ")}a.find("li").length>0&&(a.removeClass("hidden"),n=!0),d.find("li").length>0&&(d.removeClass("hidden"),n=!0),l.find("li").length>0&&(l.removeClass("hidden"),n=!0),n?($("#postsetupchecks-hint").removeClass("hidden"),a.find("li").length>0?$("#security-warning-state-failure").removeClass("hidden"):$("#security-warning-state-warning").removeClass("hidden")):0===$("#security-warning").children("ul").children().length?$("#security-warning-state-ok").removeClass("hidden"):$("#security-warning-state-failure").removeClass("hidden")}))}))}})[69129](); +//# sourceMappingURL=settings-legacy-admin.js.map?v=9e17c38bdab4c3ea2932 \ No newline at end of file diff --git a/dist/settings-legacy-admin.js.map b/dist/settings-legacy-admin.js.map index 23c5471769259..0aec2e9f79088 100644 --- a/dist/settings-legacy-admin.js.map +++ b/dist/settings-legacy-admin.js.map 
@@ -1 +1 @@ -{"version":3,"file":"settings-legacy-admin.js?v=934bbdbaeebd1d2b478c","mappings":"mBAAAA,OAAOC,iBAAiB,oBAAoB,KAC3CC,EAAE,aAAaC,QAAO,WACrBD,EAAEE,KAAKC,GAAGC,YAAY,6BAA8B,CAAEC,MAAOL,EAAEM,MAAMC,QAAS,KAC7EJ,GAAGK,IAAIC,QAAQ,GAEjB,IAEAT,EAAE,kBAAkBC,QAAO,WACrBK,KAAKI,QAGTV,EAAE,qBAAqBW,YAAY,UAFnCX,EAAE,qBAAqBY,SAAS,SAIlC,IAEAZ,EAAE,kBAAkBC,QAAO,WACJ,SAAlBD,EAAEM,MAAMC,OACXP,EAAE,qBAAqBY,SAAS,UAChCZ,EAAE,qBAAqBY,SAAS,UAChCZ,EAAE,0BAA0BY,SAAS,UACrCZ,EAAE,oBAAoBY,SAAS,UAC/BZ,EAAE,qBAAqBY,SAAS,UAChCZ,EAAE,gDAAgDW,YAAY,YAE9DX,EAAE,qBAAqBW,YAAY,UACnCX,EAAE,qBAAqBW,YAAY,UACnCX,EAAE,0BAA0BW,YAAY,UACxCX,EAAE,oBAAoBW,YAAY,UAC9BX,EAAE,kBAAkBa,GAAG,aAC1Bb,EAAE,qBAAqBW,YAAY,UAEpCX,EAAE,gDAAgDY,SAAS,UAE7D,IAEA,MAAME,EAAsB,WACvBX,GAAGY,qBAAqBC,+BAC3Bb,GAAGY,qBAAqBE,4BAA4BH,IAIrDX,GAAGe,IAAIC,YAAY,sBACnBnB,EAAEoB,KAAK,CACNC,IAAKlB,GAAGC,YAAY,gCACpBkB,KAAM,OACNC,KAAMvB,EAAE,+BAA+BwB,YACvCC,QAASA,KACRtB,GAAGe,IAAIQ,gBAAgB,qBAAsBC,EAAE,WAAY,SAAS,EAErEC,MAAQC,IACP1B,GAAGe,IAAIY,cAAc,qBAAsBD,EAAIE,aAAa,IAG/D,EAEMC,EAAyB,WAC1B7B,GAAGY,qBAAqBC,+BAC3Bb,GAAGY,qBAAqBE,4BAA4Be,IAIrD7B,GAAGe,IAAIC,YAAY,sBACnBnB,EAAEoB,KAAK,CACNC,IAAKlB,GAAGC,YAAY,4CACpBkB,KAAM,OACNC,KAAMvB,EAAE,8BAA8BwB,YACtCC,QAASA,KACRtB,GAAGe,IAAIQ,gBAAgB,qBAAsBC,EAAE,WAAY,SAAS,EAErEC,MAAQC,IACP1B,GAAGe,IAAIY,cAAc,qBAAsBD,EAAIE,aAAa,IAG/D,EAEA/B,EAAE,+BAA+BC,OAAOa,GACxCd,EAAE,qCAAqCiC,MAAMD,GAC7ChC,EAAE,sBAAsBiC,OAAM,KACX,SAAd3B,KAAK,GAAkC,aAAfA,KAAK,IAChCA,KAAK,EAAO,WACZA,KAAK,EAAQ,GACd,IAGDN,EAAE,kBAAkBiC,OAAOC,IAC1BA,EAAMC,iBACNhC,GAAGe,IAAIkB,YAAY,oBAAqBT,EAAE,WAAY,aAEtD3B,EAAEoB,KAAK,CACNC,IAAKlB,GAAGC,YAAY,4BACpBkB,KAAM,OACNG,QAASA,KACRtB,GAAGe,IAAIQ,gBAAgB,oBAAqBC,EAAE,WAAY,cAAc,EAEzEC,MAAQC,IACP1B,GAAGe,IAAIY,cAAc,oBAAqBD,EAAIE,aAAa,GAE3D,IAgEiD,OAAhDM,SAASC,eAAe,qBA3D3BtC,EAAEuC,KACDpC,GAAGqC,YAAYC,cACftC,GAAGqC,YAAYE,aACfvC,GAAGqC,YAAYG,gBACdC,MAAK,CAACC,EAAQC,EAAQC,KACvB,MAAMC,EAAW,GAAGC,OAAOJ,EAAQC,EAAQC,GACrCG,EAAMlD,EAAE,oBACdA,EAAE,mCAAmCY,SAAS,UAE9C,IAAIuC,GAAc,EAClB,MAAMC,EAAYF,EAAIG,KAAK,WACrBC,E
AAcJ,EAAIG,KAAK,aACvBE,EAAUL,EAAIG,KAAK,SAEzB,IAAK,IAAIG,EAAI,EAAGA,EAAIR,EAASS,OAAQD,IACpC,OAAQR,EAASQ,GAAGlC,MACpB,KAAKnB,GAAGqC,YAAYkB,kBACnBH,EAAQI,OAAO,OAASX,EAASQ,GAAGtC,IAAM,SAC1C,MACD,KAAKf,GAAGqC,YAAYoB,qBACnBN,EAAYK,OAAO,OAASX,EAASQ,GAAGtC,IAAM,SAC9C,MACD,KAAKf,GAAGqC,YAAYqB,mBACpB,QACCT,EAAUO,OAAO,OAASX,EAASQ,GAAGtC,IAAM,SAI1CkC,EAAUC,KAAK,MAAMI,OAAS,IACjCL,EAAUzC,YAAY,UACtBwC,GAAc,GAEXG,EAAYD,KAAK,MAAMI,OAAS,IACnCH,EAAY3C,YAAY,UACxBwC,GAAc,GAEXI,EAAQF,KAAK,MAAMI,OAAS,IAC/BF,EAAQ5C,YAAY,UACpBwC,GAAc,GAGXA,GACHnD,EAAE,yBAAyBW,YAAY,UACnCyC,EAAUC,KAAK,MAAMI,OAAS,EACjCzD,EAAE,mCAAmCW,YAAY,UAEjDX,EAAE,mCAAmCW,YAAY,WAIO,IADjCX,EAAE,qBACN8D,SAAS,MAAMA,WAAWL,OAC7CzD,EAAE,8BAA8BW,YAAY,UAE5CX,EAAE,mCAAmCW,YAAY,SAEnD,GAMF,G,IC/JmB","sources":["webpack:///nextcloud/apps/settings/src/admin.js","webpack:///nextcloud/webpack/startup"],"sourcesContent":["window.addEventListener('DOMContentLoaded', () => {\n\t$('#loglevel').change(function() {\n\t\t$.post(OC.generateUrl('/settings/admin/log/level'), { level: $(this).val() }, () => {\n\t\t\tOC.Log.reload()\n\t\t})\n\t})\n\n\t$('#mail_smtpauth').change(function() {\n\t\tif (!this.checked) {\n\t\t\t$('#mail_credentials').addClass('hidden')\n\t\t} else {\n\t\t\t$('#mail_credentials').removeClass('hidden')\n\t\t}\n\t})\n\n\t$('#mail_smtpmode').change(function() {\n\t\tif ($(this).val() !== 'smtp') {\n\t\t\t$('#setting_smtpauth').addClass('hidden')\n\t\t\t$('#setting_smtphost').addClass('hidden')\n\t\t\t$('#mail_smtpsecure_label').addClass('hidden')\n\t\t\t$('#mail_smtpsecure').addClass('hidden')\n\t\t\t$('#mail_credentials').addClass('hidden')\n\t\t\t$('#mail_sendmailmode_label, #mail_sendmailmode').removeClass('hidden')\n\t\t} else {\n\t\t\t$('#setting_smtpauth').removeClass('hidden')\n\t\t\t$('#setting_smtphost').removeClass('hidden')\n\t\t\t$('#mail_smtpsecure_label').removeClass('hidden')\n\t\t\t$('#mail_smtpsecure').removeClass('hidden')\n\t\t\tif ($('#mail_smtpauth').is(':checked')) 
{\n\t\t\t\t$('#mail_credentials').removeClass('hidden')\n\t\t\t}\n\t\t\t$('#mail_sendmailmode_label, #mail_sendmailmode').addClass('hidden')\n\t\t}\n\t})\n\n\tconst changeEmailSettings = function() {\n\t\tif (OC.PasswordConfirmation.requiresPasswordConfirmation()) {\n\t\t\tOC.PasswordConfirmation.requirePasswordConfirmation(changeEmailSettings)\n\t\t\treturn\n\t\t}\n\n\t\tOC.msg.startSaving('#mail_settings_msg')\n\t\t$.ajax({\n\t\t\turl: OC.generateUrl('/settings/admin/mailsettings'),\n\t\t\ttype: 'POST',\n\t\t\tdata: $('#mail_general_settings_form').serialize(),\n\t\t\tsuccess: () => {\n\t\t\t\tOC.msg.finishedSuccess('#mail_settings_msg', t('settings', 'Saved'))\n\t\t\t},\n\t\t\terror: (xhr) => {\n\t\t\t\tOC.msg.finishedError('#mail_settings_msg', xhr.responseJSON)\n\t\t\t},\n\t\t})\n\t}\n\n\tconst toggleEmailCredentials = function() {\n\t\tif (OC.PasswordConfirmation.requiresPasswordConfirmation()) {\n\t\t\tOC.PasswordConfirmation.requirePasswordConfirmation(toggleEmailCredentials)\n\t\t\treturn\n\t\t}\n\n\t\tOC.msg.startSaving('#mail_settings_msg')\n\t\t$.ajax({\n\t\t\turl: OC.generateUrl('/settings/admin/mailsettings/credentials'),\n\t\t\ttype: 'POST',\n\t\t\tdata: $('#mail_credentials_settings').serialize(),\n\t\t\tsuccess: () => {\n\t\t\t\tOC.msg.finishedSuccess('#mail_settings_msg', t('settings', 'Saved'))\n\t\t\t},\n\t\t\terror: (xhr) => {\n\t\t\t\tOC.msg.finishedError('#mail_settings_msg', xhr.responseJSON)\n\t\t\t},\n\t\t})\n\t}\n\n\t$('#mail_general_settings_form').change(changeEmailSettings)\n\t$('#mail_credentials_settings_submit').click(toggleEmailCredentials)\n\t$('#mail_smtppassword').click(() => {\n\t\tif (this.type === 'text' && this.value === '********') {\n\t\t\tthis.type = 'password'\n\t\t\tthis.value = ''\n\t\t}\n\t})\n\n\t$('#sendtestemail').click((event) => {\n\t\tevent.preventDefault()\n\t\tOC.msg.startAction('#sendtestmail_msg', t('settings', 'Sending…'))\n\n\t\t$.ajax({\n\t\t\turl: OC.generateUrl('/settings/admin/mailtest'),\n\t\t\ttype: 
'POST',\n\t\t\tsuccess: () => {\n\t\t\t\tOC.msg.finishedSuccess('#sendtestmail_msg', t('settings', 'Email sent'))\n\t\t\t},\n\t\t\terror: (xhr) => {\n\t\t\t\tOC.msg.finishedError('#sendtestmail_msg', xhr.responseJSON)\n\t\t\t},\n\t\t})\n\t})\n\n\tconst setupChecks = () => {\n\t\t// run setup checks then gather error messages\n\t\t$.when(\n\t\t\tOC.SetupChecks.checkWebDAV(),\n\t\t\tOC.SetupChecks.checkSetup(),\n\t\t\tOC.SetupChecks.checkGeneric(),\n\t\t).then((check1, check2, check3) => {\n\t\t\tconst messages = [].concat(check1, check2, check3)\n\t\t\tconst $el = $('#postsetupchecks')\n\t\t\t$('#security-warning-state-loading').addClass('hidden')\n\n\t\t\tlet hasMessages = false\n\t\t\tconst $errorsEl = $el.find('.errors')\n\t\t\tconst $warningsEl = $el.find('.warnings')\n\t\t\tconst $infoEl = $el.find('.info')\n\n\t\t\tfor (let i = 0; i < messages.length; i++) {\n\t\t\t\tswitch (messages[i].type) {\n\t\t\t\tcase OC.SetupChecks.MESSAGE_TYPE_INFO:\n\t\t\t\t\t$infoEl.append('
  • ' + messages[i].msg + '
  • ')\n\t\t\t\t\tbreak\n\t\t\t\tcase OC.SetupChecks.MESSAGE_TYPE_WARNING:\n\t\t\t\t\t$warningsEl.append('
  • ' + messages[i].msg + '
  • ')\n\t\t\t\t\tbreak\n\t\t\t\tcase OC.SetupChecks.MESSAGE_TYPE_ERROR:\n\t\t\t\tdefault:\n\t\t\t\t\t$errorsEl.append('
  • ' + messages[i].msg + '
  • ')\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif ($errorsEl.find('li').length > 0) {\n\t\t\t\t$errorsEl.removeClass('hidden')\n\t\t\t\thasMessages = true\n\t\t\t}\n\t\t\tif ($warningsEl.find('li').length > 0) {\n\t\t\t\t$warningsEl.removeClass('hidden')\n\t\t\t\thasMessages = true\n\t\t\t}\n\t\t\tif ($infoEl.find('li').length > 0) {\n\t\t\t\t$infoEl.removeClass('hidden')\n\t\t\t\thasMessages = true\n\t\t\t}\n\n\t\t\tif (hasMessages) {\n\t\t\t\t$('#postsetupchecks-hint').removeClass('hidden')\n\t\t\t\tif ($errorsEl.find('li').length > 0) {\n\t\t\t\t\t$('#security-warning-state-failure').removeClass('hidden')\n\t\t\t\t} else {\n\t\t\t\t\t$('#security-warning-state-warning').removeClass('hidden')\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tconst securityWarning = $('#security-warning')\n\t\t\t\tif (securityWarning.children('ul').children().length === 0) {\n\t\t\t\t\t$('#security-warning-state-ok').removeClass('hidden')\n\t\t\t\t} else {\n\t\t\t\t\t$('#security-warning-state-failure').removeClass('hidden')\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n\n\tif (document.getElementById('security-warning') !== null) {\n\t\tsetupChecks()\n\t}\n})\n","// startup\n// Load entry module and return exports\n// This entry module is referenced by other modules so it can't be inlined\nvar __webpack_exports__ = 
{};\n__webpack_modules__[69129]();\n"],"names":["window","addEventListener","$","change","post","OC","generateUrl","level","this","val","Log","reload","checked","removeClass","addClass","is","changeEmailSettings","PasswordConfirmation","requiresPasswordConfirmation","requirePasswordConfirmation","msg","startSaving","ajax","url","type","data","serialize","success","finishedSuccess","t","error","xhr","finishedError","responseJSON","toggleEmailCredentials","click","event","preventDefault","startAction","document","getElementById","when","SetupChecks","checkWebDAV","checkSetup","checkGeneric","then","check1","check2","check3","messages","concat","$el","hasMessages","$errorsEl","find","$warningsEl","$infoEl","i","length","MESSAGE_TYPE_INFO","append","MESSAGE_TYPE_WARNING","MESSAGE_TYPE_ERROR","children"],"sourceRoot":""} \ No newline at end of file +{"version":3,"file":"settings-legacy-admin.js?v=9e17c38bdab4c3ea2932","mappings":"mBAAAA,OAAOC,iBAAiB,oBAAoB,KAC3CC,EAAE,aAAaC,QAAO,WACrBD,EAAEE,KAAKC,GAAGC,YAAY,6BAA8B,CAAEC,MAAOL,EAAEM,MAAMC,QAAS,KAC7EJ,GAAGK,IAAIC,QAAQ,GAEjB,IAEAT,EAAE,kBAAkBC,QAAO,WACrBK,KAAKI,QAGTV,EAAE,qBAAqBW,YAAY,UAFnCX,EAAE,qBAAqBY,SAAS,SAIlC,IAEAZ,EAAE,kBAAkBC,QAAO,WACJ,SAAlBD,EAAEM,MAAMC,OACXP,EAAE,qBAAqBY,SAAS,UAChCZ,EAAE,qBAAqBY,SAAS,UAChCZ,EAAE,0BAA0BY,SAAS,UACrCZ,EAAE,oBAAoBY,SAAS,UAC/BZ,EAAE,qBAAqBY,SAAS,UAChCZ,EAAE,gDAAgDW,YAAY,YAE9DX,EAAE,qBAAqBW,YAAY,UACnCX,EAAE,qBAAqBW,YAAY,UACnCX,EAAE,0BAA0BW,YAAY,UACxCX,EAAE,oBAAoBW,YAAY,UAC9BX,EAAE,kBAAkBa,GAAG,aAC1Bb,EAAE,qBAAqBW,YAAY,UAEpCX,EAAE,gDAAgDY,SAAS,UAE7D,IAEA,MAAME,EAAsB,WACvBX,GAAGY,qBAAqBC,+BAC3Bb,GAAGY,qBAAqBE,4BAA4BH,IAIrDX,GAAGe,IAAIC,YAAY,sBACnBnB,EAAEoB,KAAK,CACNC,IAAKlB,GAAGC,YAAY,gCACpBkB,KAAM,OACNC,KAAMvB,EAAE,+BAA+BwB,YACvCC,QAASA,KACRtB,GAAGe,IAAIQ,gBAAgB,qBAAsBC,EAAE,WAAY,SAAS,EAErEC,MAAQC,IACP1B,GAAGe,IAAIY,cAAc,qBAAsBD,EAAIE,aAAa,IAG/D,EAEMC,EAAyB,WAC1B7B,GAAGY,qBAAqBC,+BAC3Bb,GAAGY,qBAAqBE,4BAA4Be,IAIrD7B,GAAGe,IAAIC,YAAY,sBACnBnB,EAAEoB,KAAK,CACNC,IAAKlB,GAAGC,YAAY,4CACpBkB,
KAAM,OACNC,KAAMvB,EAAE,8BAA8BwB,YACtCC,QAASA,KACRtB,GAAGe,IAAIQ,gBAAgB,qBAAsBC,EAAE,WAAY,SAAS,EAErEC,MAAQC,IACP1B,GAAGe,IAAIY,cAAc,qBAAsBD,EAAIE,aAAa,IAG/D,EAEA/B,EAAE,+BAA+BC,OAAOa,GACxCd,EAAE,qCAAqCiC,MAAMD,GAC7ChC,EAAE,sBAAsBiC,OAAM,KACX,SAAd3B,KAAK,GAAkC,aAAfA,KAAK,IAChCA,KAAK,EAAO,WACZA,KAAK,EAAQ,GACd,IAGDN,EAAE,kBAAkBiC,OAAOC,IAC1BA,EAAMC,iBACNhC,GAAGe,IAAIkB,YAAY,oBAAqBT,EAAE,WAAY,aAEtD3B,EAAEoB,KAAK,CACNC,IAAKlB,GAAGC,YAAY,4BACpBkB,KAAM,OACNG,QAASA,KACRtB,GAAGe,IAAIQ,gBAAgB,oBAAqBC,EAAE,WAAY,cAAc,EAEzEC,MAAQC,IACP1B,GAAGe,IAAIY,cAAc,oBAAqBD,EAAIE,aAAa,GAE3D,IA+DiD,OAAhDM,SAASC,eAAe,qBA1D3BtC,EAAEuC,KACDpC,GAAGqC,YAAYC,cACftC,GAAGqC,YAAYE,cACdC,MAAK,CAACC,EAAQC,KACf,MAAMC,EAAW,GAAGC,OAAOH,EAAQC,GAC7BG,EAAMhD,EAAE,oBACdA,EAAE,mCAAmCY,SAAS,UAE9C,IAAIqC,GAAc,EAClB,MAAMC,EAAYF,EAAIG,KAAK,WACrBC,EAAcJ,EAAIG,KAAK,aACvBE,EAAUL,EAAIG,KAAK,SAEzB,IAAK,IAAIG,EAAI,EAAGA,EAAIR,EAASS,OAAQD,IACpC,OAAQR,EAASQ,GAAGhC,MACpB,KAAKnB,GAAGqC,YAAYgB,kBACnBH,EAAQI,OAAO,OAASX,EAASQ,GAAGpC,IAAM,SAC1C,MACD,KAAKf,GAAGqC,YAAYkB,qBACnBN,EAAYK,OAAO,OAASX,EAASQ,GAAGpC,IAAM,SAC9C,MACD,KAAKf,GAAGqC,YAAYmB,mBACpB,QACCT,EAAUO,OAAO,OAASX,EAASQ,GAAGpC,IAAM,SAI1CgC,EAAUC,KAAK,MAAMI,OAAS,IACjCL,EAAUvC,YAAY,UACtBsC,GAAc,GAEXG,EAAYD,KAAK,MAAMI,OAAS,IACnCH,EAAYzC,YAAY,UACxBsC,GAAc,GAEXI,EAAQF,KAAK,MAAMI,OAAS,IAC/BF,EAAQ1C,YAAY,UACpBsC,GAAc,GAGXA,GACHjD,EAAE,yBAAyBW,YAAY,UACnCuC,EAAUC,KAAK,MAAMI,OAAS,EACjCvD,EAAE,mCAAmCW,YAAY,UAEjDX,EAAE,mCAAmCW,YAAY,WAIO,IADjCX,EAAE,qBACN4D,SAAS,MAAMA,WAAWL,OAC7CvD,EAAE,8BAA8BW,YAAY,UAE5CX,EAAE,mCAAmCW,YAAY,SAEnD,GAMF,G,IC9JmB","sources":["webpack:///nextcloud/apps/settings/src/admin.js","webpack:///nextcloud/webpack/startup"],"sourcesContent":["window.addEventListener('DOMContentLoaded', () => {\n\t$('#loglevel').change(function() {\n\t\t$.post(OC.generateUrl('/settings/admin/log/level'), { level: $(this).val() }, () => {\n\t\t\tOC.Log.reload()\n\t\t})\n\t})\n\n\t$('#mail_smtpauth').change(function() {\n\t\tif (!this.checked) 
{\n\t\t\t$('#mail_credentials').addClass('hidden')\n\t\t} else {\n\t\t\t$('#mail_credentials').removeClass('hidden')\n\t\t}\n\t})\n\n\t$('#mail_smtpmode').change(function() {\n\t\tif ($(this).val() !== 'smtp') {\n\t\t\t$('#setting_smtpauth').addClass('hidden')\n\t\t\t$('#setting_smtphost').addClass('hidden')\n\t\t\t$('#mail_smtpsecure_label').addClass('hidden')\n\t\t\t$('#mail_smtpsecure').addClass('hidden')\n\t\t\t$('#mail_credentials').addClass('hidden')\n\t\t\t$('#mail_sendmailmode_label, #mail_sendmailmode').removeClass('hidden')\n\t\t} else {\n\t\t\t$('#setting_smtpauth').removeClass('hidden')\n\t\t\t$('#setting_smtphost').removeClass('hidden')\n\t\t\t$('#mail_smtpsecure_label').removeClass('hidden')\n\t\t\t$('#mail_smtpsecure').removeClass('hidden')\n\t\t\tif ($('#mail_smtpauth').is(':checked')) {\n\t\t\t\t$('#mail_credentials').removeClass('hidden')\n\t\t\t}\n\t\t\t$('#mail_sendmailmode_label, #mail_sendmailmode').addClass('hidden')\n\t\t}\n\t})\n\n\tconst changeEmailSettings = function() {\n\t\tif (OC.PasswordConfirmation.requiresPasswordConfirmation()) {\n\t\t\tOC.PasswordConfirmation.requirePasswordConfirmation(changeEmailSettings)\n\t\t\treturn\n\t\t}\n\n\t\tOC.msg.startSaving('#mail_settings_msg')\n\t\t$.ajax({\n\t\t\turl: OC.generateUrl('/settings/admin/mailsettings'),\n\t\t\ttype: 'POST',\n\t\t\tdata: $('#mail_general_settings_form').serialize(),\n\t\t\tsuccess: () => {\n\t\t\t\tOC.msg.finishedSuccess('#mail_settings_msg', t('settings', 'Saved'))\n\t\t\t},\n\t\t\terror: (xhr) => {\n\t\t\t\tOC.msg.finishedError('#mail_settings_msg', xhr.responseJSON)\n\t\t\t},\n\t\t})\n\t}\n\n\tconst toggleEmailCredentials = function() {\n\t\tif (OC.PasswordConfirmation.requiresPasswordConfirmation()) {\n\t\t\tOC.PasswordConfirmation.requirePasswordConfirmation(toggleEmailCredentials)\n\t\t\treturn\n\t\t}\n\n\t\tOC.msg.startSaving('#mail_settings_msg')\n\t\t$.ajax({\n\t\t\turl: OC.generateUrl('/settings/admin/mailsettings/credentials'),\n\t\t\ttype: 
'POST',\n\t\t\tdata: $('#mail_credentials_settings').serialize(),\n\t\t\tsuccess: () => {\n\t\t\t\tOC.msg.finishedSuccess('#mail_settings_msg', t('settings', 'Saved'))\n\t\t\t},\n\t\t\terror: (xhr) => {\n\t\t\t\tOC.msg.finishedError('#mail_settings_msg', xhr.responseJSON)\n\t\t\t},\n\t\t})\n\t}\n\n\t$('#mail_general_settings_form').change(changeEmailSettings)\n\t$('#mail_credentials_settings_submit').click(toggleEmailCredentials)\n\t$('#mail_smtppassword').click(() => {\n\t\tif (this.type === 'text' && this.value === '********') {\n\t\t\tthis.type = 'password'\n\t\t\tthis.value = ''\n\t\t}\n\t})\n\n\t$('#sendtestemail').click((event) => {\n\t\tevent.preventDefault()\n\t\tOC.msg.startAction('#sendtestmail_msg', t('settings', 'Sending…'))\n\n\t\t$.ajax({\n\t\t\turl: OC.generateUrl('/settings/admin/mailtest'),\n\t\t\ttype: 'POST',\n\t\t\tsuccess: () => {\n\t\t\t\tOC.msg.finishedSuccess('#sendtestmail_msg', t('settings', 'Email sent'))\n\t\t\t},\n\t\t\terror: (xhr) => {\n\t\t\t\tOC.msg.finishedError('#sendtestmail_msg', xhr.responseJSON)\n\t\t\t},\n\t\t})\n\t})\n\n\tconst setupChecks = () => {\n\t\t// run setup checks then gather error messages\n\t\t$.when(\n\t\t\tOC.SetupChecks.checkWebDAV(),\n\t\t\tOC.SetupChecks.checkSetup(),\n\t\t).then((check1, check2) => {\n\t\t\tconst messages = [].concat(check1, check2)\n\t\t\tconst $el = $('#postsetupchecks')\n\t\t\t$('#security-warning-state-loading').addClass('hidden')\n\n\t\t\tlet hasMessages = false\n\t\t\tconst $errorsEl = $el.find('.errors')\n\t\t\tconst $warningsEl = $el.find('.warnings')\n\t\t\tconst $infoEl = $el.find('.info')\n\n\t\t\tfor (let i = 0; i < messages.length; i++) {\n\t\t\t\tswitch (messages[i].type) {\n\t\t\t\tcase OC.SetupChecks.MESSAGE_TYPE_INFO:\n\t\t\t\t\t$infoEl.append('
  • ' + messages[i].msg + '
  • ')\n\t\t\t\t\tbreak\n\t\t\t\tcase OC.SetupChecks.MESSAGE_TYPE_WARNING:\n\t\t\t\t\t$warningsEl.append('
  • ' + messages[i].msg + '
  • ')\n\t\t\t\t\tbreak\n\t\t\t\tcase OC.SetupChecks.MESSAGE_TYPE_ERROR:\n\t\t\t\tdefault:\n\t\t\t\t\t$errorsEl.append('
  • ' + messages[i].msg + '
  • ')\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif ($errorsEl.find('li').length > 0) {\n\t\t\t\t$errorsEl.removeClass('hidden')\n\t\t\t\thasMessages = true\n\t\t\t}\n\t\t\tif ($warningsEl.find('li').length > 0) {\n\t\t\t\t$warningsEl.removeClass('hidden')\n\t\t\t\thasMessages = true\n\t\t\t}\n\t\t\tif ($infoEl.find('li').length > 0) {\n\t\t\t\t$infoEl.removeClass('hidden')\n\t\t\t\thasMessages = true\n\t\t\t}\n\n\t\t\tif (hasMessages) {\n\t\t\t\t$('#postsetupchecks-hint').removeClass('hidden')\n\t\t\t\tif ($errorsEl.find('li').length > 0) {\n\t\t\t\t\t$('#security-warning-state-failure').removeClass('hidden')\n\t\t\t\t} else {\n\t\t\t\t\t$('#security-warning-state-warning').removeClass('hidden')\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tconst securityWarning = $('#security-warning')\n\t\t\t\tif (securityWarning.children('ul').children().length === 0) {\n\t\t\t\t\t$('#security-warning-state-ok').removeClass('hidden')\n\t\t\t\t} else {\n\t\t\t\t\t$('#security-warning-state-failure').removeClass('hidden')\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n\n\tif (document.getElementById('security-warning') !== null) {\n\t\tsetupChecks()\n\t}\n})\n","// startup\n// Load entry module and return exports\n// This entry module is referenced by other modules so it can't be inlined\nvar __webpack_exports__ = 
{};\n__webpack_modules__[69129]();\n"],"names":["window","addEventListener","$","change","post","OC","generateUrl","level","this","val","Log","reload","checked","removeClass","addClass","is","changeEmailSettings","PasswordConfirmation","requiresPasswordConfirmation","requirePasswordConfirmation","msg","startSaving","ajax","url","type","data","serialize","success","finishedSuccess","t","error","xhr","finishedError","responseJSON","toggleEmailCredentials","click","event","preventDefault","startAction","document","getElementById","when","SetupChecks","checkWebDAV","checkSetup","then","check1","check2","messages","concat","$el","hasMessages","$errorsEl","find","$warningsEl","$infoEl","i","length","MESSAGE_TYPE_INFO","append","MESSAGE_TYPE_WARNING","MESSAGE_TYPE_ERROR","children"],"sourceRoot":""} \ No newline at end of file From 6278cf181ea90f550ff712a9850495b794b0dcf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Thu, 14 Mar 2024 11:49:47 +0100 Subject: [PATCH 7/7] fix: Improve HSTS warning wording as suggested by reviewer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/settings/lib/SetupChecks/SecurityHeaders.php | 2 +- apps/settings/tests/SetupChecks/SecurityHeadersTest.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/settings/lib/SetupChecks/SecurityHeaders.php b/apps/settings/lib/SetupChecks/SecurityHeaders.php index f1d66188744f4..f62c4c553083a 100644 --- a/apps/settings/lib/SetupChecks/SecurityHeaders.php +++ b/apps/settings/lib/SetupChecks/SecurityHeaders.php 
@@ -119,7 +119,7 @@ public function run(): SetupResult {
 if (preg_match('/^max-age=(\d+)(;.*)?$/', $transportSecurityValidity, $m)) {
 $transportSecurityValidity = (int)$m[1];
 if ($transportSecurityValidity < $minimumSeconds) {
- $msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set to at least `%d` seconds (current value: `%d`). For enhanced security, it is recommended to enable HSTS.', [$minimumSeconds, $transportSecurityValidity])."\n";
+ $msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set to at least `%d` seconds (current value: `%d`). For enhanced security, it is recommended to use a long HSTS policy.', [$minimumSeconds, $transportSecurityValidity])."\n";
 }
 } elseif (!empty($transportSecurityValidity)) {
 $msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is malformed: `%s`. For enhanced security, it is recommended to enable HSTS.', [$transportSecurityValidity])."\n";
diff --git a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
index 0856cca38ca68..fb8eb757460f2 100644
--- a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
+++ b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
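Review bot: The reworded warning still leaves valid headers reported as "malformed", because the `preg_match('/^max-age=(\d+)(;.*)?$/', …)` on the context line only accepts a lowercase, unquoted `max-age` placed as the first directive, whereas RFC 6797 makes directive names case-insensitive and order-insensitive and allows the delta-seconds value to be quoted, so a header such as `includeSubDomains; max-age=31536000` falls into the `elseif` branch and nudges the administrator to change a correct configuration. A tolerant pattern keeps the rest of the branch intact: `if (preg_match('/(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)/i', $transportSecurityValidity, $m)) {`. The malformed-header message in the same hunk still ends with "it is recommended to enable HSTS" although the header is present, so the wording fix applied to the too-low branch could be mirrored there for consistency. A dataset in the SecurityHeadersTest.php hunk (-165) with a reordered or mixed-case header would pin the parsing behaviour. `run()` starts and ends outside this hunk.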
@@ -165,7 +165,7 @@ public function dataFailure(): array {
 'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
 'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
 'hsts-missing' => [['Strict-Transport-Security' => ''], "- The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS.\n"],
- 'hsts-too-low' => [['Strict-Transport-Security' => 'max-age=15551999'], "- The `Strict-Transport-Security` HTTP header is not set to at least `15552000` seconds (current value: `15551999`). For enhanced security, it is recommended to enable HSTS.\n"],
+ 'hsts-too-low' => [['Strict-Transport-Security' => 'max-age=15551999'], "- The `Strict-Transport-Security` HTTP header is not set to at least `15552000` seconds (current value: `15551999`). For enhanced security, it is recommended to use a long HSTS policy.\n"],
 'hsts-malformed' => [['Strict-Transport-Security' => 'iAmABogusHeader342'], "- The `Strict-Transport-Security` HTTP header is malformed: `iAmABogusHeader342`. For enhanced security, it is recommended to enable HSTS.\n"],
 ];
 }