CSP: Updated handling of drawio URL to consider port

ssddanbrown · ssddanbrown · commit 897bb338f956 · 2024-07-14T16:06:18.000+01:00
Previously if a custom port was used in the DRAWIO option it would not be considered in the CSP handling, which would block loading. Added test to cover. For #5107
diff --git a/app/Util/CspService.php b/app/Util/CspService.php
@@ -133,18 +133,30 @@ protected function getAllowedIframeHosts(): array
 
     protected function getAllowedIframeSources(): array
     {
-        $sources = config('app.iframe_sources', '');
-        $hosts = array_filter(explode(' ', $sources));
+        $sources = explode(' ', config('app.iframe_sources', ''));
+        $sources[] = $this->getDrawioHost();
 
-        // Extract drawing service url to allow embedding if active
+        return array_filter($sources);
+    }
+
+    /**
+     * Extract the host name of the configured drawio URL for use in CSP.
+     * Returns empty string if not in use.
+     */
+    protected function getDrawioHost(): string
+    {
         $drawioConfigValue = config('services.drawio');
-        if ($drawioConfigValue) {
-            $drawioSource = is_string($drawioConfigValue) ? $drawioConfigValue : 'https://embed.diagrams.net/';
-            $drawioSourceParsed = parse_url($drawioSource);
-            $drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];
-            $hosts[] = $drawioHost;
+        if (!$drawioConfigValue) {
+            return '';
+        }
+
+        $drawioSource = is_string($drawioConfigValue) ? $drawioConfigValue : 'https://embed.diagrams.net/';
+        $drawioSourceParsed = parse_url($drawioSource);
+        $drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];
+        if (isset($drawioSourceParsed['port'])) {
+            $drawioHost .= ':' . $drawioSourceParsed['port'];
         }
 
-        return $hosts;
+        return $drawioHost;
     }
 }
diff --git a/tests/SecurityHeaderTest.php b/tests/SecurityHeaderTest.php
@@ -139,6 +139,18 @@ public function test_frame_src_csp_header_has_drawio_host_added()
         $this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader);
     }
 
+    public function test_frame_src_csp_header_drawio_host_includes_port_if_existing()
+    {
+        config()->set([
+            'app.iframe_sources' => 'https://example.com',
+            'services.drawio'    => 'https://diagrams.example.com:8080/testing?cat=dog',
+        ]);
+
+        $resp = $this->get('/');
+        $scriptHeader = $this->getCspHeader($resp, 'frame-src');
+        $this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com:8080', $scriptHeader);
+    }
+
     public function test_cache_control_headers_are_set_on_responses()
     {
         // Public access
