3 * Copyright © 2015 Brian Wolff
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
23 use MediaWiki\Logger\LoggerFactory
;
26 * Api module to receive and log CSP violation reports
30 class ApiCSPReport
extends ApiBase
{
35 * These reports should be small. Ignore super big reports out of paranoia
37 const MAX_POST_SIZE
= 8192;
40 * Logs a content-security-policy violation report from web browser.
42 public function execute() {
43 $reportOnly = $this->getParameter( 'reportonly' );
44 $logname = $reportOnly ?
'csp-report-only' : 'csp';
45 $this->log
= LoggerFactory
::getInstance( $logname );
46 $userAgent = $this->getRequest()->getHeader( 'user-agent' );
48 $this->verifyPostBodyOk();
49 $report = $this->getReport();
50 $flags = $this->getFlags( $report, $userAgent );
52 $warningText = $this->generateLogLine( $flags, $report );
53 $this->logReport( $flags, $warningText, [
54 // XXX Is it ok to put untrusted data into log??
55 'csp-report' => $report,
56 'method' => __METHOD__
,
57 'user_id' => $this->getUser()->getId() ||
'logged-out',
58 'user-agent' => $userAgent,
59 'source' => $this->getParameter( 'source' ),
61 $this->getResult()->addValue( null, $this->getModuleName(), 'success' );
65 * Log CSP report, with a different severity depending on $flags
66 * @param array $flags Flags for this report
67 * @param string $logLine text of log entry
68 * @param array $context logging context
70 private function logReport( $flags, $logLine, $context ) {
71 if ( in_array( 'false-positive', $flags ) ) {
72 // These reports probably don't matter much
73 $this->log
->debug( $logLine, $context );
76 $this->log
->warning( $logLine, $context );
81 * Get extra notes about the report.
83 * @param array $report The CSP report
84 * @param string $userAgent
87 private function getFlags( $report, $userAgent ) {
88 $reportOnly = $this->getParameter( 'reportonly' );
89 $source = $this->getParameter( 'source' );
90 $falsePositives = $this->getConfig()->get( 'CSPFalsePositiveUrls' );
93 if ( $source !== 'internal' ) {
94 $flags[] = 'source=' . $source;
97 $flags[] = 'report-only';
102 ContentSecurityPolicy
::falsePositiveBrowser( $userAgent ) &&
103 $report['blocked-uri'] === "self"
106 isset( $report['blocked-uri'] ) &&
107 $this->matchUrlPattern( $report['blocked-uri'], $falsePositives )
110 isset( $report['source-file'] ) &&
111 $this->matchUrlPattern( $report['source-file'], $falsePositives )
114 // False positive due to:
115 // https://bugzilla.mozilla.org/show_bug.cgi?id=1026520
117 $flags[] = 'false-positive';
124 * @param string[] $patterns
127 private function matchUrlPattern( $url, array $patterns ) {
128 if ( isset( $patterns[ $url ] ) ) {
132 $bits = wfParseUrl( $url );
133 unset( $bits['user'], $bits['pass'], $bits['query'], $bits['fragment'] );
135 $serverUrl = wfAssembleUrl( $bits );
136 if ( isset( $patterns[$serverUrl] ) ) {
137 // The origin of the url matches a pattern,
138 // e.g. "https://example.org" matches "https://example.org/foo/b?a#r"
141 foreach ( $patterns as $pattern => $val ) {
142 // We only use this pattern if it ends in a slash, this prevents
143 // "/foos" from matching "/foo", and "https://good.combo.bad" matching
144 // "https://good.com".
145 if ( substr( $pattern, -1 ) === '/' && strpos( $url, $pattern ) === 0 ) {
146 // The pattern starts with the same as the url
147 // e.g. "https://example.org/foo/" matches "https://example.org/foo/b?a#r"
156 * Output an api error if post body is obviously not OK.
158 private function verifyPostBodyOk() {
159 $req = $this->getRequest();
160 $contentType = $req->getHeader( 'content-type' );
161 if ( $contentType !== 'application/json'
162 && $contentType !== 'application/csp-report'
164 $this->error( 'wrongformat', __METHOD__
);
166 if ( $req->getHeader( 'content-length' ) > self
::MAX_POST_SIZE
) {
167 $this->error( 'toobig', __METHOD__
);
172 * Get the report from post body and turn into associative array.
176 private function getReport() {
177 $postBody = $this->getRequest()->getRawInput();
178 if ( strlen( $postBody ) > self
::MAX_POST_SIZE
) {
179 // paranoia, already checked content-length earlier.
180 $this->error( 'toobig', __METHOD__
);
182 $status = FormatJson
::parse( $postBody, FormatJson
::FORCE_ASSOC
);
183 if ( !$status->isGood() ) {
184 $msg = $status->getErrors()[0]['message'];
185 if ( $msg instanceof Message
) {
186 $msg = $msg->getKey();
188 $this->error( $msg, __METHOD__
);
191 $report = $status->getValue();
193 if ( !isset( $report['csp-report'] ) ) {
194 $this->error( 'missingkey', __METHOD__
);
196 return $report['csp-report'];
200 * Get text of log line.
202 * @param array $flags of additional markers for this report
203 * @param array $report the csp report
204 * @return string Text to put in log
206 private function generateLogLine( $flags, $report ) {
209 $flagText = '[' . implode( ', ', $flags ) . ']';
212 $blockedOrigin = isset( $report['blocked-uri'] )
213 ?
$this->originFromUrl( $report['blocked-uri'] )
215 $page = $report['document-uri'] ??
'n/a';
216 $line = isset( $report['line-number'] )
217 ?
':' . $report['line-number']
219 $warningText = $flagText .
220 ' Received CSP report: <' . $blockedOrigin . '>' .
221 ' blocked from being loaded on <' . $page . '>' . $line;
229 private function originFromUrl( $url ) {
230 $bits = wfParseUrl( $url );
231 unset( $bits['user'], $bits['pass'], $bits['query'], $bits['fragment'] );
233 $serverUrl = wfAssembleUrl( $bits );
234 // e.g. "https://example.org" from "https://example.org/foo/b?a#r"
239 * Stop processing the request, and output/log an error
241 * @param string $code error code
242 * @param string $method method that made error
243 * @throws ApiUsageException Always
245 private function error( $code, $method ) {
246 $this->log
->info( 'Error reading CSP report: ' . $code, [
248 'user-agent' => $this->getRequest()->getHeader( 'user-agent' )
250 // Return 400 on error for user agents to display, e.g. to the console.
252 [ 'apierror-csp-report', wfEscapeWikiText( $code ) ], 'cspreport-' . $code, [], 400
256 public function getAllowedParams() {
259 ApiBase
::PARAM_TYPE
=> 'boolean',
260 ApiBase
::PARAM_DFLT
=> false
263 ApiBase
::PARAM_TYPE
=> 'string',
264 ApiBase
::PARAM_DFLT
=> 'internal',
265 ApiBase
::PARAM_REQUIRED
=> false
270 public function mustBePosted() {
274 public function isWriteMode() {
279 * Mark as internal. This isn't meant to be used by normal api users
282 public function isInternal() {
287 * Even if you don't have read rights, we still want your report.
290 public function isReadMode() {
295 * Doesn't touch db, so max lag should be rather irrelavent.
297 * Also, this makes sure that reports aren't lost during lag events.
300 public function shouldCheckMaxLag() {