Symfony version(s) affected
current
Description
dump() is perfect for debugging. The dump window is apparently generated via a JS <script> Sfdump = window.Sfdump ...
The use of CSP to protect the website against XSS is now becoming more and more important. After switching to a stricter CSP directive that works with a nonce and no longer allows unsafe-inline for security reasons, there are now (at every page load) two CSP violations occurring when using dump(), which (in my configuration) leads for every single violation to sending a CSP-violation-report e-mail and an entry in the CSP-violation log.
The tags <script> and <style> can easily be supplemented with the required nonce via str_replace() and are therefore absolutely no problem with the use of a CSP nonce. But inline CSS like e.g. <div style="display:none"> or JavaScript like onclick="alert('Hey')", which is used within a tag, unfortunately cannot be legitimated with a nonce and will lead to a CSP violation as soon as unsafe-inline is no longer allowed. And that's exactly the problem that I herewith report about.
When using dump() the CSP-violation report looks like this:
I checked the locations 554 and 691 named in the CSP report for potentially critical content. Both places contain this:
(Note that the locations 554 and 691 may vary because of the nonce I use in the <script> and <style> tags.)
It looks like a refStyle with a { display: none; } is appended via an innerHTML (append).
The CSP report outputs a sample at position 554 (see also the red image above):
Source: pre.sf-dump .sf-dump-compact, .sf-dump-str-collapse .sf-dump-str-collapse, .sf-dump-str-expand .sf-dump-str-expand { display: none; }
And this exactly matches the JS code in the page's HTML output:
refStyle.innerHTML = 'pre.sf-dump .sf-dump-compact, .sf-dump-str-collapse .sf-dump-str-collapse, .sf-dump-str-expand .sf-dump-str-expand { display: none; }';
How to reproduce
This problem can be reproduced using a CSP directive like:
Content-Security-Policy-Report-Only: script-src 'self' 'nonce-123456789' 'report-sample'; style-src 'self' 'nonce-123456789' 'report-sample'; report-uri https://myAdress.com/ ;
Possible Solution
Change in HtmlDumper.php those lines which inject inline CSS (inside HTML tags only) into the HTML output.
Delete the inline CSS that is placed inside the HTML tags and place it inside a <style></style> section instead, by assigning this CSS according to the target's class name or id.
The <style></style> section is also inline CSS, but with the difference that the <style> tag can easily be legitimated by adding a nonce with a str_replace() when outputting the dump().
Critical lines found that should be changed in HtmlDumper.php:
Line 160:
refStyle.innerHTML = 'pre.sf-dump .sf-dump-compact, .sf-dump-str-collapse .sf-dump-str-collapse, .sf-dump-str-expand .sf-dump-str-expand { display: none; }';
Line 354:
refStyle.innerHTML = 'pre.sf-dump .'+a[0]+'{background-color: #B729D9; color: #FFF !important; border-radius: 2px}';
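The following is an added example (not part of this issue or of Symfony's var-dumper) that models the approach the report proposes for dump() output under a nonce-based CSP: add the request nonce to every <script> and <style> tag with a str_replace()-style rewrite, scan the markup for attribute-level CSS and JS (style="..." and on*="...") that no nonce can legitimate, and hoist each style="..." attribute into a generated class whose rule lives in a <style> block that the nonce then covers. The function names, the generated class prefix and the sample HTML are constructed for this example; it is plain Node.js with no DOM and uses regular expressions, which is enough for the dumper's own markup but is not a general HTML parser.

```javascript
// Added example: nonce injection and inline-style hoisting for dumper HTML.
// Not the var-dumper's own code; all names and sample input are constructed.

// Step 1 (the reporter's str_replace() approach): put nonce="..." on every
// <script> and <style> opening tag that does not already carry one.
function addNonce(html, nonce) {
  // A nonce is base64-like by definition; refusing anything else keeps the
  // value from breaking out of the attribute we are about to build.
  if (!/^[A-Za-z0-9+/=_-]+$/.test(nonce)) {
    throw new Error('nonce must be base64-like');
  }
  return html.replace(
    /<(script|style)(?![^>]*\snonce=)(\s|>)/gi,
    (m, tag, tail) => `<${tag} nonce="${nonce}"${tail === '>' ? '>' : ' '}`
  );
}

// Step 2 (the check): list attribute-level CSS/JS a nonce cannot cover.
// Returns one finding per offending attribute: { kind, tag, attr, value }.
function findUnnonceable(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>]+(?:=(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  const attrRe = /([^\s=]+)(?:=("[^"]*"|'[^']*'|[^\s>]+))?/g;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const tag = t[1].toLowerCase();
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(t[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ? a[2].replace(/^["']|["']$/g, '') : '';
      if (name === 'style') {
        findings.push({ kind: 'style-src', tag, attr: name, value });   // inline CSS in a tag
      } else if (name.startsWith('on')) {
        findings.push({ kind: 'script-src', tag, attr: name, value });  // inline handler in a tag
      }
    }
  }
  return findings;
}

// Step 3 (the proposed fix): move each style="..." attribute into a class
// and collect the declarations in one <style> block (constructed prefix).
function hoistInlineStyles(html, prefix = 'sf-dump-inl') {
  const rules = new Map(); // declaration text -> generated class name
  const out = html.replace(
    /<([a-zA-Z][\w-]*)([^>]*?)\sstyle=("[^"]*"|'[^']*')([^>]*)>/g,
    (m, tag, before, quoted, after) => {
      const decl = quoted.slice(1, -1).trim();
      if (!rules.has(decl)) rules.set(decl, `${prefix}-${rules.size}`);
      const cls = rules.get(decl);
      const classRe = /\sclass=("[^"]*"|'[^']*')/;
      let attrs = before + after;
      if (classRe.test(attrs)) {
        // append to an existing class list
        attrs = attrs.replace(classRe, (cm, q) => ` class=${q[0]}${q.slice(1, -1)} ${cls}${q[0]}`);
      } else {
        attrs = ` class="${cls}"` + attrs;
      }
      return `<${tag}${attrs}>`;
    }
  );
  const css = [...rules].map(([decl, cls]) => `.${cls} { ${decl} }`).join('\n');
  return { html: out, style: css ? `<style>${css}</style>` : '' };
}

// Constructed sample resembling dumper output: one hidden span, one inline
// handler, and the bootstrap <script>.
const SAMPLE = '<pre class="sf-dump"><span style="display:none">x</span>'
  + '<a onclick="alert(1)">y</a></pre><script>Sfdump = window.Sfdump</script>';

function demo(nonce = 'abc123') {
  const hoisted = hoistInlineStyles(SAMPLE);
  return {
    before: findUnnonceable(SAMPLE),
    after: findUnnonceable(hoisted.html),
    page: addNonce(hoisted.style + hoisted.html, nonce),
  };
}

module.exports = { addNonce, findUnnonceable, hoistInlineStyles, demo, SAMPLE };
```

Running demo() shows the division the report describes: after hoisting, the style-src finding disappears and the generated <style> block plus the <script> tag both carry the nonce, while the onclick handler is still reported, because an inline event handler inside a tag has no nonce-based equivalent and needs a different rewrite (for example attaching the handler from the nonced script).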
Additional Context
No response