upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-04-22 23:03:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 53

Merge pull request #44067 from nextcloud/fix/migrate-header-check-to-setupcheck

Browse source 
Migrate header check to setupcheck API
This commit is contained in:
Côme Chilliet 2024-03-14 14:39:35 +01:00 committed by GitHub
commit d435f0c3d3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
12 changed files with 401 additions and 755 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apps/settings/composer/composer/autoload_classmap.php
View file

@ -117,6 +117,7 @@ return array(
'OCA\\Settings\\SetupChecks\\PushService' => $baseDir . '/../lib/SetupChecks/PushService.php',
'OCA\\Settings\\SetupChecks\\RandomnessSecure' => $baseDir . '/../lib/SetupChecks/RandomnessSecure.php',
'OCA\\Settings\\SetupChecks\\ReadOnlyConfig' => $baseDir . '/../lib/SetupChecks/ReadOnlyConfig.php',
'OCA\\Settings\\SetupChecks\\SecurityHeaders' => $baseDir . '/../lib/SetupChecks/SecurityHeaders.php',
'OCA\\Settings\\SetupChecks\\SupportedDatabase' => $baseDir . '/../lib/SetupChecks/SupportedDatabase.php',
'OCA\\Settings\\SetupChecks\\SystemIs64bit' => $baseDir . '/../lib/SetupChecks/SystemIs64bit.php',
'OCA\\Settings\\SetupChecks\\TempSpaceAvailable' => $baseDir . '/../lib/SetupChecks/TempSpaceAvailable.php',

1
apps/settings/composer/composer/autoload_static.php
View file

@ -132,6 +132,7 @@ class ComposerStaticInitSettings
'OCA\\Settings\\SetupChecks\\PushService' => __DIR__ . '/..' . '/../lib/SetupChecks/PushService.php',
'OCA\\Settings\\SetupChecks\\RandomnessSecure' => __DIR__ . '/..' . '/../lib/SetupChecks/RandomnessSecure.php',
'OCA\\Settings\\SetupChecks\\ReadOnlyConfig' => __DIR__ . '/..' . '/../lib/SetupChecks/ReadOnlyConfig.php',
'OCA\\Settings\\SetupChecks\\SecurityHeaders' => __DIR__ . '/..' . '/../lib/SetupChecks/SecurityHeaders.php',
'OCA\\Settings\\SetupChecks\\SupportedDatabase' => __DIR__ . '/..' . '/../lib/SetupChecks/SupportedDatabase.php',
'OCA\\Settings\\SetupChecks\\SystemIs64bit' => __DIR__ . '/..' . '/../lib/SetupChecks/SystemIs64bit.php',
'OCA\\Settings\\SetupChecks\\TempSpaceAvailable' => __DIR__ . '/..' . '/../lib/SetupChecks/TempSpaceAvailable.php',

2
apps/settings/lib/AppInfo/Application.php
View file

@ -86,6 +86,7 @@ use OCA\Settings\SetupChecks\PhpOutputBuffering;
use OCA\Settings\SetupChecks\PushService;
use OCA\Settings\SetupChecks\RandomnessSecure;
use OCA\Settings\SetupChecks\ReadOnlyConfig;
use OCA\Settings\SetupChecks\SecurityHeaders;
use OCA\Settings\SetupChecks\SupportedDatabase;
use OCA\Settings\SetupChecks\SystemIs64bit;
use OCA\Settings\SetupChecks\TempSpaceAvailable;
@ -214,6 +215,7 @@ class Application extends App implements IBootstrap {
$context->registerSetupCheck(PhpOutputBuffering::class);
$context->registerSetupCheck(RandomnessSecure::class);
$context->registerSetupCheck(ReadOnlyConfig::class);
$context->registerSetupCheck(SecurityHeaders::class);
$context->registerSetupCheck(SupportedDatabase::class);
$context->registerSetupCheck(SystemIs64bit::class);
$context->registerSetupCheck(TempSpaceAvailable::class);

2
apps/settings/lib/SetupChecks/OcxProviders.php
View file

@ -68,7 +68,7 @@ class OcxProviders implements ISetupCheck {
];
foreach ($providers as $provider) {
foreach ($this->runHEAD($this->urlGenerator->getWebroot() . $provider) as $response) {
foreach ($this->runRequest('HEAD', $this->urlGenerator->getWebroot() . $provider, ['httpErrors' => false]) as $response) {
$testedProviders[$provider] = true;
if ($response->getStatusCode() === 200) {
$workingProviders[] = $provider;

160
apps/settings/lib/SetupChecks/SecurityHeaders.php Normal file
View file

@ -0,0 +1,160 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2023 Côme Chilliet <come.chilliet@nextcloud.com>
*
* @author Côme Chilliet <come.chilliet@nextcloud.com>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OCA\Settings\SetupChecks;
use OCP\Http\Client\IClientService;
use OCP\IConfig;
use OCP\IL10N;
use OCP\IURLGenerator;
use OCP\SetupCheck\ISetupCheck;
use OCP\SetupCheck\SetupResult;
use Psr\Log\LoggerInterface;
class SecurityHeaders implements ISetupCheck {
use CheckServerResponseTrait;
public function __construct(
protected IL10N $l10n,
protected IConfig $config,
protected IURLGenerator $urlGenerator,
protected IClientService $clientService,
protected LoggerInterface $logger,
) {
}
public function getCategory(): string {
return 'security';
}
public function getName(): string {
return $this->l10n->t('HTTP headers');
}
public function run(): SetupResult {
$urls = [
['get', $this->urlGenerator->linkToRoute('heartbeat'), [200]],
];
$securityHeaders = [
'X-Content-Type-Options' => ['nosniff', null],
'X-Robots-Tag' => ['noindex,nofollow', null],
'X-Frame-Options' => ['sameorigin', 'deny'],
'X-Permitted-Cross-Domain-Policies' => ['none', null],
];
foreach ($urls as [$verb,$url,$validStatuses]) {
$works = null;
foreach ($this->runRequest($verb, $url, ['httpErrors' => false]) as $response) {
// Check that the response status matches
if (!in_array($response->getStatusCode(), $validStatuses)) {
$works = false;
continue;
}
$msg = '';
$msgParameters = [];
foreach ($securityHeaders as $header => [$expected, $accepted]) {
/* Convert to lowercase and remove spaces after comas */
$value = preg_replace('/,\s+/', ',', strtolower($response->getHeader($header)));
if ($value !== $expected) {
if ($accepted !== null && $value === $accepted) {
$msg .= $this->l10n->t('- The `%1$s` HTTP header is not set to `%2$s`. Some features might not work correctly, as it is recommended to adjust this setting accordingly.', [$header, $expected])."\n";
} else {
$msg .= $this->l10n->t('- The `%1$s` HTTP header is not set to `%2$s`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', [$header, $expected])."\n";
}
}
}
$xssfields = array_map('trim', explode(';', $response->getHeader('X-XSS-Protection')));
if (!in_array('1', $xssfields) || !in_array('mode=block', $xssfields)) {
$msg .= $this->l10n->t('- The `%1$s` HTTP header does not contain `%2$s`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', ['X-XSS-Protection', '1; mode=block'])."\n";
}
$referrerPolicy = $response->getHeader('Referrer-Policy');
if (!preg_match('/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/', $referrerPolicy)) {
$msg .= $this->l10n->t(
'- The `%1$s` HTTP header is not set to `%2$s`, `%3$s`, `%4$s`, `%5$s` or `%6$s`. This can leak referer information. See the {w3c-recommendation}.',
[
'Referrer-Policy',
'no-referrer',
'no-referrer-when-downgrade',
'strict-origin',
'strict-origin-when-cross-origin',
'same-origin',
]
)."\n";
$msgParameters['w3c-recommendation'] = [
'type' => 'highlight',
'id' => 'w3c-recommendation',
'name' => 'W3C Recommendation',
'link' => 'https://www.w3.org/TR/referrer-policy/',
];
}
$transportSecurityValidity = $response->getHeader('Strict-Transport-Security');
$minimumSeconds = 15552000;
if (preg_match('/^max-age=(\d+)(;.*)?$/', $transportSecurityValidity, $m)) {
$transportSecurityValidity = (int)$m[1];
if ($transportSecurityValidity < $minimumSeconds) {
$msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set to at least `%d` seconds (current value: `%d`). For enhanced security, it is recommended to use a long HSTS policy.', [$minimumSeconds, $transportSecurityValidity])."\n";
}
} elseif (!empty($transportSecurityValidity)) {
$msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is malformed: `%s`. For enhanced security, it is recommended to enable HSTS.', [$transportSecurityValidity])."\n";
} else {
$msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set (should be at least `%d` seconds). For enhanced security, it is recommended to enable HSTS.', [$minimumSeconds])."\n";
}
if (!empty($msg)) {
return SetupResult::warning(
$this->l10n->t('Some headers are not set correctly on your instance')."\n".$msg,
$this->urlGenerator->linkToDocs('admin-security'),
$msgParameters,
);
}
// Skip the other requests if one works
$works = true;
break;
}
// If 'works' is null then we could not connect to the server
if ($works === null) {
return SetupResult::info(
$this->l10n->t('Could not check that your web server serves security headers correctly. Please check manually.'),
$this->urlGenerator->linkToDocs('admin-security'),
);
}
// Otherwise if we fail we can abort here
if ($works === false) {
return SetupResult::warning(
$this->l10n->t("Could not check that your web server serves security headers correctly, unable to query `%s`", [$url]),
$this->urlGenerator->linkToDocs('admin-security'),
);
}
}
return SetupResult::success(
$this->l10n->t('Your server is correctly configured to send security headers.')
);
}
}

5
apps/settings/src/admin.js
View file

@ -103,9 +103,8 @@ window.addEventListener('DOMContentLoaded', () => {
$.when(
OC.SetupChecks.checkWebDAV(),
OC.SetupChecks.checkSetup(),
OC.SetupChecks.checkGeneric(),
).then((check1, check2, check3) => {
const messages = [].concat(check1, check2, check3)
).then((check1, check2) => {
const messages = [].concat(check1, check2)
const $el = $('#postsetupchecks')
$('#security-warning-state-loading').addClass('hidden')

14
apps/settings/tests/SetupChecks/OcxProvicersTest.php
View file

@ -62,7 +62,7 @@ class OcxProvicersTest extends TestCase {
$this->logger = $this->createMock(LoggerInterface::class);
$this->setupcheck = $this->getMockBuilder(OcxProviders::class)
->onlyMethods(['runHEAD'])
->onlyMethods(['runRequest'])
->setConstructorArgs([
$this->l10n,
$this->config,
@ -79,7 +79,7 @@ class OcxProvicersTest extends TestCase {
$this->setupcheck
->expects($this->exactly(2))
->method('runHEAD')
->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([$response]), $this->generate([$response]));
$result = $this->setupcheck->run();
@ -94,7 +94,7 @@ class OcxProvicersTest extends TestCase {
$this->setupcheck
->expects($this->exactly(2))
->method('runHEAD')
->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([$response1, $response1, $response1]), $this->generate([$response2])); // only one response out of two
$result = $this->setupcheck->run();
@ -107,7 +107,7 @@ class OcxProvicersTest extends TestCase {
$this->setupcheck
->expects($this->exactly(2))
->method('runHEAD')
->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([]), $this->generate([])); // No responses
$result = $this->setupcheck->run();
@ -121,7 +121,7 @@ class OcxProvicersTest extends TestCase {
$this->setupcheck
->expects($this->exactly(2))
->method('runHEAD')
->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([$response]), $this->generate([])); // only one response out of two
$result = $this->setupcheck->run();
@ -135,7 +135,7 @@ class OcxProvicersTest extends TestCase {
$this->setupcheck
->expects($this->exactly(2))
->method('runHEAD')
->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([$response]), $this->generate([$response])); // only one response out of two
$result = $this->setupcheck->run();
@ -151,7 +151,7 @@ class OcxProvicersTest extends TestCase {
$this->setupcheck
->expects($this->exactly(2))
->method('runHEAD')
->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([$response1]), $this->generate([$response2]));
$result = $this->setupcheck->run();

224
apps/settings/tests/SetupChecks/SecurityHeadersTest.php Normal file
View file

@ -0,0 +1,224 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2024 Côme Chilliet <come.chilliet@nextcloud.com>
*
* @author Côme Chilliet <come.chilliet@nextcloud.com>
*
* @license AGPL-3.0-or-later
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OCA\Settings\Tests;
use OCA\Settings\SetupChecks\SecurityHeaders;
use OCP\Http\Client\IClientService;
use OCP\Http\Client\IResponse;
use OCP\IConfig;
use OCP\IL10N;
use OCP\IURLGenerator;
use OCP\SetupCheck\SetupResult;
use PHPUnit\Framework\MockObject\MockObject;
use Psr\Log\LoggerInterface;
use Test\TestCase;
class SecurityHeadersTest extends TestCase {
private IL10N|MockObject $l10n;
private IConfig|MockObject $config;
private IURLGenerator|MockObject $urlGenerator;
private IClientService|MockObject $clientService;
private LoggerInterface|MockObject $logger;
private SecurityHeaders|MockObject $setupcheck;
protected function setUp(): void {
parent::setUp();
/** @var IL10N|MockObject */
$this->l10n = $this->getMockBuilder(IL10N::class)
->disableOriginalConstructor()->getMock();
$this->l10n->expects($this->any())
->method('t')
->willReturnCallback(function ($message, array $replace) {
return vsprintf($message, $replace);
});
$this->config = $this->createMock(IConfig::class);
$this->urlGenerator = $this->createMock(IURLGenerator::class);
$this->clientService = $this->createMock(IClientService::class);
$this->logger = $this->createMock(LoggerInterface::class);
$this->setupcheck = $this->getMockBuilder(SecurityHeaders::class)
->onlyMethods(['runRequest'])
->setConstructorArgs([
$this->l10n,
$this->config,
$this->urlGenerator,
$this->clientService,
$this->logger,
])
->getMock();
}
public function testInvalidStatusCode(): void {
$this->setupResponse(500, []);
$result = $this->setupcheck->run();
$this->assertMatchesRegularExpression('/^Could not check that your web server serves security headers correctly/', $result->getDescription());
$this->assertEquals(SetupResult::WARNING, $result->getSeverity());
}
public function testAllHeadersMissing(): void {
$this->setupResponse(200, []);
$result = $this->setupcheck->run();
$this->assertMatchesRegularExpression('/^Some headers are not set correctly on your instance/', $result->getDescription());
$this->assertEquals(SetupResult::WARNING, $result->getSeverity());
}
public function testSomeHeadersMissing(): void {
$this->setupResponse(
200,
[
'X-Robots-Tag' => 'noindex, nofollow',
'X-Frame-Options' => 'SAMEORIGIN',
'Strict-Transport-Security' => 'max-age=15768000;preload',
'X-Permitted-Cross-Domain-Policies' => 'none',
'Referrer-Policy' => 'no-referrer',
]
);
$result = $this->setupcheck->run();
$this->assertEquals(
"Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
$result->getDescription()
);
$this->assertEquals(SetupResult::WARNING, $result->getSeverity());
}
public function dataSuccess(): array {
return [
// description => modifiedHeaders
'basic' => [[]],
'extra-xss-protection' => [['X-XSS-Protection' => '1; mode=block; report=https://example.com']],
'no-space-in-x-robots' => [['X-Robots-Tag' => 'noindex,nofollow']],
'strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],
'referrer-no-referrer-when-downgrade' => [['Referrer-Policy' => 'no-referrer-when-downgrade']],
'referrer-strict-origin' => [['Referrer-Policy' => 'strict-origin']],
'referrer-strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],
'referrer-same-origin' => [['Referrer-Policy' => 'same-origin']],
'hsts-minimum' => [['Strict-Transport-Security' => 'max-age=15552000']],
'hsts-include-subdomains' => [['Strict-Transport-Security' => 'max-age=99999999; includeSubDomains']],
'hsts-include-subdomains-preload' => [['Strict-Transport-Security' => 'max-age=99999999; preload; includeSubDomains']],
];
}
/**
* @dataProvider dataSuccess
*/
public function testSuccess($headers): void {
$headers = array_merge(
[
'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff',
'X-Robots-Tag' => 'noindex, nofollow',
'X-Frame-Options' => 'SAMEORIGIN',
'Strict-Transport-Security' => 'max-age=15768000',
'X-Permitted-Cross-Domain-Policies' => 'none',
'Referrer-Policy' => 'no-referrer',
],
$headers
);
$this->setupResponse(
200,
$headers
);
$result = $this->setupcheck->run();
$this->assertEquals(
'Your server is correctly configured to send security headers.',
$result->getDescription()
);
$this->assertEquals(SetupResult::SUCCESS, $result->getSeverity());
}
public function dataFailure(): array {
return [
// description => modifiedHeaders
'x-robots-none' => [['X-Robots-Tag' => 'none'], "- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
'xss-protection-1' => [['X-XSS-Protection' => '1'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
'xss-protection-0' => [['X-XSS-Protection' => '0'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'hsts-missing' => [['Strict-Transport-Security' => ''], "- The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS.\n"],
'hsts-too-low' => [['Strict-Transport-Security' => 'max-age=15551999'], "- The `Strict-Transport-Security` HTTP header is not set to at least `15552000` seconds (current value: `15551999`). For enhanced security, it is recommended to use a long HSTS policy.\n"],
'hsts-malformed' => [['Strict-Transport-Security' => 'iAmABogusHeader342'], "- The `Strict-Transport-Security` HTTP header is malformed: `iAmABogusHeader342`. For enhanced security, it is recommended to enable HSTS.\n"],
];
}
/**
* @dataProvider dataFailure
*/
public function testFailure(array $headers, string $msg): void {
$headers = array_merge(
[
'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff',
'X-Robots-Tag' => 'noindex, nofollow',
'X-Frame-Options' => 'SAMEORIGIN',
'Strict-Transport-Security' => 'max-age=15768000',
'X-Permitted-Cross-Domain-Policies' => 'none',
'Referrer-Policy' => 'no-referrer',
],
$headers
);
$this->setupResponse(
200,
$headers
);
$result = $this->setupcheck->run();
$this->assertEquals(
'Some headers are not set correctly on your instance'."\n$msg",
$result->getDescription()
);
$this->assertEquals(SetupResult::WARNING, $result->getSeverity());
}
protected function setupResponse(int $statuscode, array $headers): void {
$response = $this->createMock(IResponse::class);
$response->expects($this->atLeastOnce())->method('getStatusCode')->willReturn($statuscode);
$response->expects($this->any())->method('getHeader')
->willReturnCallback(
fn (string $header): string => $headers[$header] ?? ''
);
$this->setupcheck
->expects($this->atLeastOnce())
->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([$response]));
}
/**
* Helper function creates a nicer interface for mocking Generator behavior
*/
protected function generate(array $yield_values) {
return $this->returnCallback(function () use ($yield_values) {
yield from $yield_values;
});
}
}

138
core/js/setupchecks.js
View file

@ -156,143 +156,5 @@
})
}
},
/**
* Runs generic checks on the server side, the difference to dedicated
* methods is that we use the same XHR object for all checks to save
* requests.
*
* @return $.Deferred object resolved with an array of error messages
*/
checkGeneric: function() {
var self = this;
var deferred = $.Deferred();
var afterCall = function(data, statusText, xhr) {
var messages = [];
messages = messages.concat(self._checkSecurityHeaders(xhr));
messages = messages.concat(self._checkSSL(xhr));
deferred.resolve(messages);
};
$.ajax({
type: 'GET',
url: OC.generateUrl('heartbeat'),
allowAuthErrors: true
}).then(afterCall, afterCall);
return deferred.promise();
},
/**
* Runs check for some generic security headers on the server side
*
* @param {Object} xhr
* @return {Array} Array with error messages
*/
_checkSecurityHeaders: function(xhr) {
var messages = [];
if (xhr.status === 200) {
var securityHeaders = {
'X-Content-Type-Options': ['nosniff'],
'X-Robots-Tag': ['noindex, nofollow'],
'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
'X-Permitted-Cross-Domain-Policies': ['none'],
};
for (var header in securityHeaders) {
var option = securityHeaders[header][0];
if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).replace(/, /, ',').toLowerCase() !== option.replace(/, /, ',').toLowerCase()) {
var msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', {header: header, expected: option});
if(xhr.getResponseHeader(header) && securityHeaders[header].length > 1 && xhr.getResponseHeader(header).toLowerCase() === securityHeaders[header][1].toLowerCase()) {
msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". Some features might not work correctly, as it is recommended to adjust this setting accordingly.', {header: header, expected: option});
}
messages.push({
msg: msg,
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
}
var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(function(item) { return item.trim(); }) : [];
if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {
messages.push({
msg: t('core', 'The "{header}" HTTP header does not contain "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
{
header: 'X-XSS-Protection',
expected: '1; mode=block'
}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
const referrerPolicy = xhr.getResponseHeader('Referrer-Policy')
if (referrerPolicy === null || !/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/.test(referrerPolicy)) {
messages.push({
msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}", "{val4}" or "{val5}". This can leak referer information. See the {linkstart}W3C Recommendation ↗{linkend}.',
{
header: 'Referrer-Policy',
val1: 'no-referrer',
val2: 'no-referrer-when-downgrade',
val3: 'strict-origin',
val4: 'strict-origin-when-cross-origin',
val5: 'same-origin'
})
.replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="https://www.w3.org/TR/referrer-policy/">')
.replace('{linkend}', '</a>'),
type: OC.SetupChecks.MESSAGE_TYPE_INFO
})
}
} else {
messages.push({
msg: t('core', 'Error occurred while checking server setup'),
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
});
}
return messages;
},
/**
* Runs check for some SSL configuration issues on the server side
*
* @param {Object} xhr
* @return {Array} Array with error messages
*/
_checkSSL: function(xhr) {
var messages = [];
if (xhr.status === 200) {
var tipsUrl = OC.theme.docPlaceholderUrl.replace('PLACEHOLDER', 'admin-security');
if(OC.getProtocol() === 'https') {
// Extract the value of 'Strict-Transport-Security'
var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');
if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {
var firstComma = transportSecurityValidity.indexOf(";");
if(firstComma !== -1) {
transportSecurityValidity = transportSecurityValidity.substring(8, firstComma);
} else {
transportSecurityValidity = transportSecurityValidity.substring(8);
}
}
var minimumSeconds = 15552000;
if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
messages.push({
msg: t('core', 'The "Strict-Transport-Security" HTTP header is not set to at least "{seconds}" seconds. For enhanced security, it is recommended to enable HSTS as described in the {linkstart}security tips ↗{linkend}.', {'seconds': minimumSeconds})
.replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + tipsUrl + '">')
.replace('{linkend}', '</a>'),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
}
} else {
messages.push({
msg: t('core', 'Error occurred while checking server setup'),
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
});
}
return messages;
}
};
})();

603
core/js/tests/specs/setupchecksSpec.js
View file

@ -320,607 +320,4 @@ describe('OC.SetupChecks tests', function() {
});
});
});
describe('checkGeneric', function() {
it('should return an error if the response has no statuscode 200', function(done) {
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(
500,
{
'Content-Type': 'application/json'
}
);
async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'Error occurred while checking server setup',
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
},{
msg: 'Error occurred while checking server setup',
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
}]);
done();
});
});
it('should return all errors if all headers are missing', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(
200,
{
'Content-Type': 'application/json',
'Strict-Transport-Security': 'max-age=15768000'
},
'{}'
);
async.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
msg: 'The "X-Robots-Tag" HTTP header is not set to "noindex, nofollow". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
msg: 'The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
msg: 'The "X-XSS-Protection" HTTP header does not contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" class="external" href="https://www.w3.org/TR/referrer-policy/">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
done();
});
});
it('should return only some errors if just some headers are missing', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(
200,
{
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'Strict-Transport-Security': 'max-age=15768000;preload',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
}
);
async.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
msg: 'The "X-XSS-Protection" HTTP header does not contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING,
}
]);
done();
});
});
it('should return none errors if all headers are there', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(
200,
{
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'Strict-Transport-Security': 'max-age=15768000',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer'
}
);
async.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
describe('check X-Robots-Tag header', function() {
it('should return no message if X-Robots-Tag is set to noindex,nofollow without space', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex,nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
result.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return a message if X-Robots-Tag is set to none', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
result.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "X-Robots-Tag" HTTP header is not set to "noindex, nofollow". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}
]);
done();
});
});
});
describe('check X-XSS-Protection header', function() {
it('should return no message if X-XSS-Protection is set to 1; mode=block; report=https://example.com', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block; report=https://example.com',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
result.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return no message if X-XSS-Protection is set to 1; mode=block', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
result.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return a message if X-XSS-Protection is set to 1', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
result.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "X-XSS-Protection" HTTP header does not contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}
]);
done();
});
});
it('should return a message if X-XSS-Protection is set to 0', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '0',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
result.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "X-XSS-Protection" HTTP header does not contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}
]);
done();
});
});
});
describe('check Referrer-Policy header', function() {
it('should return no message if Referrer-Policy is set to no-referrer', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
result.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return no message if Referrer-Policy is set to no-referrer-when-downgrade', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer-when-downgrade',
});
result.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return no message if Referrer-Policy is set to strict-origin', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'strict-origin',
});
result.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return no message if Referrer-Policy is set to strict-origin-when-cross-origin', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'strict-origin-when-cross-origin',
});
result.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return no message if Referrer-Policy is set to same-origin', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'same-origin',
});
result.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return a message if Referrer-Policy is set to origin', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'origin',
});
result.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" class="external" href="https://www.w3.org/TR/referrer-policy/">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
done();
});
});
it('should return a message if Referrer-Policy is set to origin-when-cross-origin', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'origin-when-cross-origin',
});
result.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" class="external" href="https://www.w3.org/TR/referrer-policy/">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
done();
});
});
it('should return a message if Referrer-Policy is set to unsafe-url', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'unsafe-url',
});
result.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" class="external" href="https://www.w3.org/TR/referrer-policy/">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
done();
});
});
});
});
it('should return an error if the response has no statuscode 200', function(done) {
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(
500,
{
'Content-Type': 'application/json'
},
JSON.stringify({data: {serverHasInternetConnectionProblems: true}})
);
async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'Error occurred while checking server setup',
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
}, {
msg: 'Error occurred while checking server setup',
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
}]);
done();
});
});
it('should return a SSL warning if SSL used without Strict-Transport-Security-Header', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200,
{
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
}
);
async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.example.org/admin-security">security tips ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
});
});
it('should return a SSL warning if SSL used with to small Strict-Transport-Security-Header', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200,
{
'Strict-Transport-Security': 'max-age=15551999',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
}
);
async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.example.org/admin-security">security tips ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
});
});
it('should return a SSL warning if SSL used with to a bogus Strict-Transport-Security-Header', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200,
{
'Strict-Transport-Security': 'iAmABogusHeader342',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
}
);
async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.example.org/admin-security">security tips ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
});
});
it('should return no SSL warning if SSL used with to exact the minimum Strict-Transport-Security-Header', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
async.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=99999999',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
async.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header and includeSubDomains parameter', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=99999999; includeSubDomains',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
async.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header and includeSubDomains and preload parameter', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=99999999; preload; includeSubDomains',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'noindex, nofollow',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
async.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
});

4
dist/settings-legacy-admin.js vendored
View file

@ -1,2 +1,2 @@
({69129:function(){window.addEventListener("DOMContentLoaded",(()=>{$("#loglevel").change((function(){$.post(OC.generateUrl("/settings/admin/log/level"),{level:$(this).val()},(()=>{OC.Log.reload()}))})),$("#mail_smtpauth").change((function(){this.checked?$("#mail_credentials").removeClass("hidden"):$("#mail_credentials").addClass("hidden")})),$("#mail_smtpmode").change((function(){"smtp"!==$(this).val()?($("#setting_smtpauth").addClass("hidden"),$("#setting_smtphost").addClass("hidden"),$("#mail_smtpsecure_label").addClass("hidden"),$("#mail_smtpsecure").addClass("hidden"),$("#mail_credentials").addClass("hidden"),$("#mail_sendmailmode_label, #mail_sendmailmode").removeClass("hidden")):($("#setting_smtpauth").removeClass("hidden"),$("#setting_smtphost").removeClass("hidden"),$("#mail_smtpsecure_label").removeClass("hidden"),$("#mail_smtpsecure").removeClass("hidden"),$("#mail_smtpauth").is(":checked")&&$("#mail_credentials").removeClass("hidden"),$("#mail_sendmailmode_label, #mail_sendmailmode").addClass("hidden"))}));const e=function(){OC.PasswordConfirmation.requiresPasswordConfirmation()?OC.PasswordConfirmation.requirePasswordConfirmation(e):(OC.msg.startSaving("#mail_settings_msg"),$.ajax({url:OC.generateUrl("/settings/admin/mailsettings"),type:"POST",data:$("#mail_general_settings_form").serialize(),success:()=>{OC.msg.finishedSuccess("#mail_settings_msg",t("settings","Saved"))},error:e=>{OC.msg.finishedError("#mail_settings_msg",e.responseJSON)}}))},s=function(){OC.PasswordConfirmation.requiresPasswordConfirmation()?OC.PasswordConfirmation.requirePasswordConfirmation(s):(OC.msg.startSaving("#mail_settings_msg"),$.ajax({url:OC.generateUrl("/settings/admin/mailsettings/credentials"),type:"POST",data:$("#mail_credentials_settings").serialize(),success:()=>{OC.msg.finishedSuccess("#mail_settings_msg",t("settings","Saved"))},error:e=>{OC.msg.finishedError("#mail_settings_msg",e.responseJSON)}}))};$("#mail_general_settings_form").change(e),$("#mail_credentials_settings_submit").click(s),$("#mail_smtppassword").click((()=>{"text"===this.N&&"********"===this.U&&(this.N="password",this.U="")})),$("#sendtestemail").click((e=>{e.preventDefault(),OC.msg.startAction("#sendtestmail_msg",t("settings","Sending…")),$.ajax({url:OC.generateUrl("/settings/admin/mailtest"),type:"POST",success:()=>{OC.msg.finishedSuccess("#sendtestmail_msg",t("settings","Email sent"))},error:e=>{OC.msg.finishedError("#sendtestmail_msg",e.responseJSON)}})})),null!==document.getElementById("security-warning")&&$.when(OC.SetupChecks.checkWebDAV(),OC.SetupChecks.checkSetup(),OC.SetupChecks.checkGeneric()).then(((e,s,i)=>{const t=[].concat(e,s,i),n=$("#postsetupchecks");$("#security-warning-state-loading").addClass("hidden");let a=!1;const d=n.find(".errors"),l=n.find(".warnings"),r=n.find(".info");for(let e=0;e<t.length;e++)switch(t[e].type){case OC.SetupChecks.MESSAGE_TYPE_INFO:r.append("<li>"+t[e].msg+"</li>");break;case OC.SetupChecks.MESSAGE_TYPE_WARNING:l.append("<li>"+t[e].msg+"</li>");break;case OC.SetupChecks.MESSAGE_TYPE_ERROR:default:d.append("<li>"+t[e].msg+"</li>")}d.find("li").length>0&&(d.removeClass("hidden"),a=!0),l.find("li").length>0&&(l.removeClass("hidden"),a=!0),r.find("li").length>0&&(r.removeClass("hidden"),a=!0),a?($("#postsetupchecks-hint").removeClass("hidden"),d.find("li").length>0?$("#security-warning-state-failure").removeClass("hidden"):$("#security-warning-state-warning").removeClass("hidden")):0===$("#security-warning").children("ul").children().length?$("#security-warning-state-ok").removeClass("hidden"):$("#security-warning-state-failure").removeClass("hidden")}))}))}})[69129]();
//# sourceMappingURL=settings-legacy-admin.js.map?v=934bbdbaeebd1d2b478c
({69129:function(){window.addEventListener("DOMContentLoaded",(()=>{$("#loglevel").change((function(){$.post(OC.generateUrl("/settings/admin/log/level"),{level:$(this).val()},(()=>{OC.Log.reload()}))})),$("#mail_smtpauth").change((function(){this.checked?$("#mail_credentials").removeClass("hidden"):$("#mail_credentials").addClass("hidden")})),$("#mail_smtpmode").change((function(){"smtp"!==$(this).val()?($("#setting_smtpauth").addClass("hidden"),$("#setting_smtphost").addClass("hidden"),$("#mail_smtpsecure_label").addClass("hidden"),$("#mail_smtpsecure").addClass("hidden"),$("#mail_credentials").addClass("hidden"),$("#mail_sendmailmode_label, #mail_sendmailmode").removeClass("hidden")):($("#setting_smtpauth").removeClass("hidden"),$("#setting_smtphost").removeClass("hidden"),$("#mail_smtpsecure_label").removeClass("hidden"),$("#mail_smtpsecure").removeClass("hidden"),$("#mail_smtpauth").is(":checked")&&$("#mail_credentials").removeClass("hidden"),$("#mail_sendmailmode_label, #mail_sendmailmode").addClass("hidden"))}));const e=function(){OC.PasswordConfirmation.requiresPasswordConfirmation()?OC.PasswordConfirmation.requirePasswordConfirmation(e):(OC.msg.startSaving("#mail_settings_msg"),$.ajax({url:OC.generateUrl("/settings/admin/mailsettings"),type:"POST",data:$("#mail_general_settings_form").serialize(),success:()=>{OC.msg.finishedSuccess("#mail_settings_msg",t("settings","Saved"))},error:e=>{OC.msg.finishedError("#mail_settings_msg",e.responseJSON)}}))},s=function(){OC.PasswordConfirmation.requiresPasswordConfirmation()?OC.PasswordConfirmation.requirePasswordConfirmation(s):(OC.msg.startSaving("#mail_settings_msg"),$.ajax({url:OC.generateUrl("/settings/admin/mailsettings/credentials"),type:"POST",data:$("#mail_credentials_settings").serialize(),success:()=>{OC.msg.finishedSuccess("#mail_settings_msg",t("settings","Saved"))},error:e=>{OC.msg.finishedError("#mail_settings_msg",e.responseJSON)}}))};$("#mail_general_settings_form").change(e),$("#mail_credentials_settings_submit").click(s),$("#mail_smtppassword").click((()=>{"text"===this.N&&"********"===this.U&&(this.N="password",this.U="")})),$("#sendtestemail").click((e=>{e.preventDefault(),OC.msg.startAction("#sendtestmail_msg",t("settings","Sending…")),$.ajax({url:OC.generateUrl("/settings/admin/mailtest"),type:"POST",success:()=>{OC.msg.finishedSuccess("#sendtestmail_msg",t("settings","Email sent"))},error:e=>{OC.msg.finishedError("#sendtestmail_msg",e.responseJSON)}})})),null!==document.getElementById("security-warning")&&$.when(OC.SetupChecks.checkWebDAV(),OC.SetupChecks.checkSetup()).then(((e,s)=>{const i=[].concat(e,s),t=$("#postsetupchecks");$("#security-warning-state-loading").addClass("hidden");let n=!1;const a=t.find(".errors"),d=t.find(".warnings"),l=t.find(".info");for(let e=0;e<i.length;e++)switch(i[e].type){case OC.SetupChecks.MESSAGE_TYPE_INFO:l.append("<li>"+i[e].msg+"</li>");break;case OC.SetupChecks.MESSAGE_TYPE_WARNING:d.append("<li>"+i[e].msg+"</li>");break;case OC.SetupChecks.MESSAGE_TYPE_ERROR:default:a.append("<li>"+i[e].msg+"</li>")}a.find("li").length>0&&(a.removeClass("hidden"),n=!0),d.find("li").length>0&&(d.removeClass("hidden"),n=!0),l.find("li").length>0&&(l.removeClass("hidden"),n=!0),n?($("#postsetupchecks-hint").removeClass("hidden"),a.find("li").length>0?$("#security-warning-state-failure").removeClass("hidden"):$("#security-warning-state-warning").removeClass("hidden")):0===$("#security-warning").children("ul").children().length?$("#security-warning-state-ok").removeClass("hidden"):$("#security-warning-state-failure").removeClass("hidden")}))}))}})[69129]();
//# sourceMappingURL=settings-legacy-admin.js.map?v=9e17c38bdab4c3ea2932

2
dist/settings-legacy-admin.js.map vendored
View file

File diff suppressed because one or more lines are too long