feat: add support for CSP

adonis-typings/context.ts

@@ -0,0 +1,14 @@
+/**
+ * @adonisjs/shield
+ *
+ * (c) Harminder Virk <virk@adonisjs.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare module '@ioc:Adonis/Core/Response' {
+  interface ResponseContract {
+    nonce: string,
+  }
+}

adonis-typings/index.ts

@@ -1,51 +1,2 @@
-/*
- * @adonisjs/shield
- *
- * (c) Harminder Virk <virk@adonisjs.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
-*/
-
-declare module '@ioc:Adonis/Addons/Shield' {
-  export type XFrameOptions = {
-    enabled: boolean,
-    action?: 'DENY' | 'SAMEORIGIN',
-  } | {
-    enabled: boolean,
-    action?: 'ALLOW-FROM',
-    domain: string,
-  }
-
-  // X-Content-Type-Options
-  export type ContentTypeSniffingOptions = {
-    enabled: boolean,
-  }
-
-  // HTTP Strict Transport Security (HSTS)
-  export type HstsOptions = {
-    enabled: boolean,
-    maxAge?: string | number,
-    includeSubDomains?: boolean,
-    preload?: boolean,
-  }
-
-  // X-XSS-Protection
-  export type XSSOptions = {
-    enabled: boolean,
-    enableOnOldIE?: boolean,
-    reportUri?: string,
-    mode?: 'block' | null,
-  }
-
-  // X-Download-Options
-  export type IENoOpenOptions = {
-    enabled: boolean,
-  }
-
-  // X-DNS-Prefetch-Control
-  export type DnsPrefetchOptions = {
-    enabled: boolean,
-    allow?: boolean,
-  }
-}
+/// <reference path="./shield.ts" />
+/// <reference path="./context.ts" />

adonis-typings/shield.ts

@@ -0,0 +1,57 @@
+/*
+ * @adonisjs/shield
+ *
+ * (c) Harminder Virk <virk@adonisjs.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+*/
+
+declare module '@ioc:Adonis/Addons/Shield' {
+  import { CspOptions as HelmetCspOptions } from 'helmet-csp/dist/lib/types'
+
+  export type XFrameOptions = {
+    enabled: boolean,
+    action?: 'DENY' | 'SAMEORIGIN',
+  } | {
+    enabled: boolean,
+    action?: 'ALLOW-FROM',
+    domain: string,
+  }
+
+  // X-Content-Type-Options
+  export type ContentTypeSniffingOptions = {
+    enabled: boolean,
+  }
+
+  // HTTP Strict Transport Security (HSTS)
+  export type HstsOptions = {
+    enabled: boolean,
+    maxAge?: string | number,
+    includeSubDomains?: boolean,
+    preload?: boolean,
+  }
+
+  // X-XSS-Protection
+  export type XSSOptions = {
+    enabled: boolean,
+    enableOnOldIE?: boolean,
+    reportUri?: string,
+    mode?: 'block' | null,
+  }
+
+  // X-Download-Options
+  export type IENoOpenOptions = {
+    enabled: boolean,
+  }
+
+  // X-DNS-Prefetch-Control
+  export type DnsPrefetchOptions = {
+    enabled: boolean,
+    allow?: boolean,
+  }
+
+  export type CspOptions = {
+    enabled: boolean,
+  } & HelmetCspOptions
+}

package.json

@@ -40,6 +40,7 @@
     "typescript": "^3.6.3"
   },
   "dependencies": {
+    "helmet-csp": "^2.9.4",
     "ms": "^2.1.2"
   },
   "repository": {

src/Bindings/Response.ts

@@ -0,0 +1,17 @@
+/*
+ * @adonisjs/shield
+ *
+ * (c) Harminder Virk <virk@adonisjs.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+*/
+
+import crypto from 'crypto'
+import { ResponseConstructorContract } from '@ioc:Adonis/Core/Response'
+
+export default function responseBinding (Response: ResponseConstructorContract) {
+  Response.getter('nonce', () => {
+    return crypto.randomBytes(16).toString('hex')
+  }, true)
+}

src/csp.ts

@@ -0,0 +1,67 @@
+/*
+ * @adonisjs/shield
+ *
+ * (c) Harminder Virk <virk@adonisjs.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+*/
+
+/// <reference path="../adonis-typings/index.ts" />
+
+import helmetCsp from 'helmet-csp'
+import { SourceListDirective } from 'helmet-csp/dist/lib/types'
+
+import { CspOptions } from '@ioc:Adonis/Addons/Shield'
+import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
+import { noop } from './noop'
+
+/**
+ * Reads `nonce` from the ServerResponse and returns appropriate
+ * string
+ */
+function nonceFn (_req, res) {
+  return `'nonce-${res['nonce']}'`
+}
+
+/**
+ * Transform `@nonce` keywords for a given directive
+ */
+function transformNonceKeywords (directive: SourceListDirective): SourceListDirective {
+  /**
+   * Transform array values. There should be only one `@nonce` keyword
+   */
+  if (Array.isArray(directive)) {
+    const nonceIndex = directive.indexOf('@nonce')
+    if (nonceIndex > -1) {
+      directive[nonceIndex] = nonceFn
+    }
+  }
+
+  return directive
+}
+
+/**
+ * Adds `Content-Security-Policy` header based upon given user options
+ */
+export function csp (options: CspOptions) {
+  if (!options.enabled) {
+    return noop
+  }
+
+  const scriptSrc = options.directives && options.directives.scriptSrc
+  if (scriptSrc) {
+    options.directives!.scriptSrc = transformNonceKeywords(options.directives!.scriptSrc!)
+  }
+
+  const styleSrc = options.directives && options.directives.styleSrc
+  if (styleSrc) {
+    options.directives!.styleSrc = transformNonceKeywords(options.directives!.styleSrc!)
+  }
+
+  const helmetCspMiddleware = helmetCsp(options)
+  return function cspMiddlewareFn ({ response }: HttpContextContract) {
+    response.response['nonce'] = response.nonce
+    helmetCspMiddleware(response.request, response.response, () => {})
+  }
+}

test/csp.spec.ts

@@ -0,0 +1,74 @@
+/*
+ * @adonisjs/shield
+ *
+ * (c) Harminder Virk <virk@adonisjs.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+*/
+
+import test from 'japa'
+import { HttpContext } from '@adonisjs/http-server/build/standalone'
+import { csp } from '../src/csp'
+
+test.group('Csp', () => {
+  test('return noop function when enabled is false', (assert) => {
+    const middlewareFn = csp({ enabled: false })
+    const ctx = HttpContext.create('/', {}, {}, {}, {})
+    middlewareFn(ctx)
+
+    assert.isUndefined(ctx.response.getHeader('Content-Security-Policy'))
+  })
+
+  test('set Content-Security-Policy header', (assert) => {
+    const middlewareFn = csp({
+      enabled: true,
+      directives: {
+        defaultSrc: [`'self'`],
+      },
+    })
+
+    const ctx = HttpContext.create('/', {}, {}, {}, {})
+    middlewareFn(ctx)
+
+    assert.equal(ctx.response.getHeader('Content-Security-Policy'), `default-src 'self'`)
+  })
+
+  test('transform @nonce keyword on scriptSrc', (assert) => {
+    const middlewareFn = csp({
+      enabled: true,
+      directives: {
+        defaultSrc: [`'self'`],
+        scriptSrc: ['@nonce'],
+      },
+    })
+
+    const ctx = HttpContext.create('/', {}, {}, {}, {})
+    ctx.response.nonce = '1234'
+
+    middlewareFn(ctx)
+    assert.equal(
+      ctx.response.getHeader('Content-Security-Policy'),
+      `default-src 'self'; script-src 'nonce-1234'`,
+    )
+  })
+
+  test('transform @nonce keyword on styleSrc', (assert) => {
+    const middlewareFn = csp({
+      enabled: true,
+      directives: {
+        defaultSrc: [`'self'`],
+        styleSrc: ['@nonce'],
+      },
+    })
+
+    const ctx = HttpContext.create('/', {}, {}, {}, {})
+    ctx.response.nonce = '1234'
+
+    middlewareFn(ctx)
+    assert.equal(
+      ctx.response.getHeader('Content-Security-Policy'),
+      `default-src 'self'; style-src 'nonce-1234'`,
+    )
+  })
+})