nelmio / nelmiosecuritybundle
Adds extra security-related features in your Symfony application
Home Page: https://symfony.com/bundles/NelmioSecurityBundle/
License: MIT License
The console command should inspect the current security settings and give hints which settings should also be enabled.
Such reporting might be especially useful if new CSP versions add new directives or if entirely new security mechanisms are added to this bundle.
Per https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options we should be able to set "ALLOW FROM..."
Hello,
Is there a way to set up the Public-Key-Pins header?
I cannot see it reading the docs in the README.md file.
Thanks!
Signer can be used for it, but it should be documented at least. It'd be useful for sending emails with action links etc.
I keep getting the following error in my symfony "prod.log" log file, but not the "dev.log" log file:
request.CRITICAL: Uncaught PHP Exception Symfony\Component\DependencyInjection\Exception\ServiceNotFoundException: "You have requested a non-existent service "nelmio_security.csp_reporter_controller"."
I have an InactiveScopeException on the "nelmio_security.external_redirect_listener". It seems it comes from the "scope: request" because when I remove it, "app/console debug:event-dispatcher" is OK. I tried using the "request_stack" service to fix it (@see http://symfony.com/blog/new-in-symfony-2-4-the-request-stack) without success.
Only signing is supported right now, encryption would be good for completeness /cc @pminnieur
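The two requests above (documenting the Signer for action links, and the note that only signing, not encryption, exists) both come down to one primitive: a keyed MAC over a value plus an expiry, verified in constant time. The following is an added example written for this page, not the bundle's own Signer class; the secret string, the base64url helpers and the `.`-separated token layout are assumptions of the example.

```php
<?php
// Added example, not NelmioSecurityBundle's Signer: HMAC-sign a value such as
// an e-mail action link, with the expiry bound into the signature, and verify
// it in constant time. $secret is assumed to come from application config.

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64urlDecode(string $enc)
{
    // strict mode: reject anything that is not valid base64 (returns false)
    return base64_decode(strtr($enc, '-_', '+/'), true);
}

function signValue(string $value, string $secret, int $expiresAt): string
{
    // payload = base64url(value).expiry, so the '.' separator can never occur in data
    $payload = b64url($value) . '.' . $expiresAt;
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function verifySignedValue(string $token, string $secret, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$encValue, $expiresAt, $mac] = $parts;
    $expected = hash_hmac('sha256', $encValue . '.' . $expiresAt, $secret);
    // Verify the MAC first, in constant time (hash_equals), before trusting any field.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if (!ctype_digit($expiresAt) || (int) $expiresAt < $now) {
        return null; // expired (or malformed expiry)
    }
    $value = b64urlDecode($encValue);
    return $value === false ? null : $value;
}

// Usage with constructed sample values.
$secret = 'load-me-from-the-app-secret'; // assumption: a real deployment reads this from config
$token  = signValue('confirm:user:42', $secret, time() + 3600);
$link   = 'https://example.com/action?t=' . rawurlencode($token);
var_dump(verifySignedValue($token, $secret, time()));        // "confirm:user:42"
var_dump(verifySignedValue($token . 'x', $secret, time()));  // NULL: tampered MAC
var_dump(verifySignedValue($token, $secret, time() + 7200)); // NULL: expired
```

The expiry is part of the signed payload rather than a separate query parameter, so it cannot be extended by the recipient; and the MAC is checked before the expiry is parsed, so malformed input never reaches any logic that trusts it.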
PHP 5.3 is not maintained, what about dropping support for this version to avoid writing compatible code?
i.e. $that injection
Hello,
I realised that when I use Signed Cookies then I cannot impersonate another user. The system just destroys my active session.
Ideas?
Thanks,
Hello, I tried to install the bundle in Symfony 2.8.x, but it failed.
composer require nelmio/NelmioSecurityBundle
You are running composer with xdebug enabled. This has a major impact on runtime
performance. See https://getcomposer.org/xdebug
[InvalidArgumentException]
Could not find package nelmio/NelmioSecurityBundle at any version for your
minimum-stability (stable). Check the package spelling or your minimum-stability
require [--dev] [--prefer-source] [--prefer-dist] [--no-progress] [--no-update] [--update-no-dev] [--update-with-dependencies] [--ignore-platform-reqs] [--sort-packages] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--] [<packages>]...
I can't figure it out why it doesn't work
[Symfony\Component\Config\Definition\Exception\InvalidConfigurationException]
Unrecognized option "referrer_policy" under "nelmio_security"
I want to log all external redirects, so I configured:
// security.yml
nelmio_security:
    external_redirects:
        log: true
        abort: true
Problem:
ContextErrorException in ExternalRedirectListener.php line 39: Catchable Fatal Error: Argument 5 passed to Nelmio\SecurityBundle\EventListener\ExternalRedirectListener::__construct() must be an instance of Symfony\Component\HttpKernel\Log\LoggerInterface, instance of Symfony\Bridge\Monolog\Logger given, called in /vagrant/generic/var/cache/dev/appDevDebugProjectContainer.php on line 2131 and defined
Reason:
The `Symfony\Component\HttpKernel\Log\LoggerInterface` has been removed in favor of `Psr\Log\LoggerInterface`.
So I think we need to update the file ExternalRedirectListener.php: remove Symfony\Component\HttpKernel\Log\LoggerInterface and use Psr\Log\LoggerInterface instead.
This would allow a controller to set it explicitly when it knows it is intended to be used in an iframe. See symfony/swiftmailer-bundle#114 for a case where it would be useful (otherwise enabling NelmioSecurityBundle would break SwiftmailerBundle profiler until they whitelist it, once we have this feature)
Hello,
I'm thinking about releasing 2.0 very soon. Does anything miss, does anything need more work before releasing?
Please comment :)
I get this error trying to run cache:clear
php bin/console cache:clear
[Symfony\Component\Config\Definition\Exception\InvalidConfigurationException]
Unrecognized options "level1_fallback, browser_adaptive, block-all-mixed-content" under "nelmio_security.csp.enforce"
Symfony version: 3.0.6
NelmioSecurityBundle version: 1.10.0
Config file:
nelmio_security:
    # prevents framing of the entire site
    clickjacking:
        paths:
            '^/.*': DENY
    # disables content type sniffing for script resources
    content_type:
        nosniff: true
    # Forces Microsoft's XSS-Protection with
    # its block mode
    xss_protection:
        enabled: true
        mode_block: true
    csp:
        #report_logger_service: logger
        hosts: []
        content_types: []
        enforce:
            # see full description below
            level1_fallback: true
            # Only send directives supported by the browser, defaults to false
            # This is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97
            browser_adaptive: false
            report-uri: ['/nelmio/csp/report']
            default-src: [ 'self' ]
            #frame-src: [ 'https://www.youtube.com' ]
            script-src:
                - 'self'
                - maps.googlemaps.com
            img-src:
                - 'self'
                - maps.googlemaps.com
            block-all-mixed-content: false # Default to false, blocks http content over https transport
Is it a config problem?
With CSP I can define different report-uri's for enforced and for reported CSP policies. It would make sense to also have different log messages (and log levels) for these two.
Normally I should test my CSP policies before I switch them to be enforced. However I could miss something. In that case I'd like to have an alert that I need to change my policy immediately.
This can be easily implemented by defining the same report controller two times with different arguments and make the message and log level configurable with constructor parameters.
I would like to discuss changing the behavior of Clickjacking Listener to let multiple rules set the header instead of stopping after the first match.
The current implementation returns after the first match: https://github.com/nelmio/NelmioSecurityBundle/blob/master/EventListener/ClickjackingListener.php#L51
This makes this kind of configuration impossible:
# bundle.yml - default deny everything
nelmio_security:
    clickjacking:
        paths:
            '^/.*': DENY
# config.yml - override one path for this app
imports:
    - { resource: "@Bundle/Resources/config/bundle.yml" }
nelmio_security:
    clickjacking:
        paths:
            '^/files/': SAMEORIGIN
Would this change even make sense? It would possibly be a BC change so might have to wait for the next major version.
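To make the behavioural difference concrete, here is an added example (written for this page, not the bundle's ClickjackingListener) that resolves the X-Frame-Options value for a path under both semantics: stop at the first matching rule, as the listener does today, versus let every matching rule run so that later, more specific rules override earlier catch-alls. The rule map mirrors the clickjacking.paths config above and is assumed to be iterated in configuration order.

```php
<?php
// Added example, not NelmioSecurityBundle code: two ways to resolve an ordered
// map of path-regex => X-Frame-Options value for a request path.

function firstMatch(array $rules, string $path): ?string
{
    foreach ($rules as $pattern => $value) {
        if (preg_match('{' . $pattern . '}i', $path)) {
            return $value; // current behaviour: first hit wins, later rules ignored
        }
    }
    return null; // no rule matched: no header is sent
}

function lastMatch(array $rules, string $path): ?string
{
    $result = null;
    foreach ($rules as $pattern => $value) {
        if (preg_match('{' . $pattern . '}i', $path)) {
            $result = $value; // keep going: a later rule overrides an earlier one
        }
    }
    return $result;
}

// Constructed rule set: a bundle-level catch-all followed by an app-level override.
$rules = [
    '^/.*'     => 'DENY',
    '^/files/' => 'SAMEORIGIN',
];

var_dump(firstMatch($rules, '/files/report.pdf')); // "DENY": the override never applies
var_dump(lastMatch($rules, '/files/report.pdf'));  // "SAMEORIGIN"
var_dump(lastMatch($rules, '/admin'));             // "DENY": catch-all still covers the rest
var_dump(lastMatch([], '/admin'));                 // NULL: nothing configured
```

Under last-match semantics the ordering of the merged configuration becomes security-relevant: the catch-all must come first. A practitioner should verify the final merged rule order (for example with `bin/console debug:config nelmio_security`) rather than assume the import order is preserved.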
A site uses flexible SSL for logged-in users. The index page can be accessed with both http and https.
On logging in to the site with the remember-me flag, two cookies are set:
REMEMBER_ME with 1 year expiry
auth with 1 year expiry
The auth cookie's expiration length is set in EventListener/FlexibleSslListener.php by finding the longest expiration of all cookies in the Response.
The problem occurs when, after closing the browser (deleting the session cookie), trying to access the http index. On redirect (because the auth cookie with value '1' was found) the auth cookie is reset again with expiration 0 (till session end), because it cannot be calculated from an empty cookies array in the Response.
# app/config/config.yml
nelmio_security:
    flexible_ssl:
        cookie_name: auth
        unsecured_logout: false
security:
    firewalls:
        main:
            remember_me:
                secure: true
                key: secret_key
                name: REMEMBER_ME
                lifetime: 31536000
                always_remember_me: true
                remember_me_parameter: _remember_me
// EventListener/FlexibleSslListener.php
public function onPostLoginKernelResponse(FilterResponseEvent $e)
{
    if (HttpKernelInterface::MASTER_REQUEST !== $e->getRequestType()) {
        return;
    }
    $response = $e->getResponse();
    $longestExpire = 0;
    foreach ($response->headers->getCookies() as $cookie) {
        // find longest expiration time
        $longestExpire = max($longestExpire, $cookie->getExpiresTime());
        if (!$cookie->isSecure()) {
            // force existing cookies (remember-me most likely) to be secure
            $response->headers->setCookie(new Cookie(
                $cookie->getName(),
                $cookie->getValue(),
                $cookie->getExpiresTime(),
                $cookie->getPath(),
                $cookie->getDomain(),
                true,
                $cookie->isHttpOnly()
            ));
        }
    }
    // set the auth cookie
    $response->headers->setCookie(new Cookie(
        $this->cookieName,
        '1',
        $longestExpire,
        '/',
        null,
        false,
        false
    ));
    // force session cookie to be secure
    $params = session_get_cookie_params();
    $response->headers->setCookie(new Cookie(
        session_name(),
        session_id(),
        0,
        $params['path'],
        $params['domain'],
        true,
        $params['httponly']
    ));
}
A possible solution could be to set the auth cookie only when no auth cookie exists on the Request.
if (null === $e->getRequest()->cookies->get($this->cookieName)) {
    // set the auth cookie
    $response->headers->setCookie(new Cookie(
        $this->cookieName,
        '1',
        $longestExpire,
        '/',
        null,
        false,
        false
    ));
}
What do you think guys?
[Symfony\Component\Config\Definition\Exception\InvalidConfigurationException]
Unrecognized options "hosts, content_types" under "nelmio_security.csp.report"
I'm using the default configuration. Whenever I'm clearing symfony app's cache, I find this error.
Hey!
What do you think about encrypting the session values?
What is the difference between using this bundle's forced_ssl option and:
security:
    access_control:
        - { path: ^/, requires_channel: https }
?
Please add a minimum PHP version requirement of PHP 5.4 to composer.json and update the travis config.
We are running a Symfony2 application with Turbolinks and want to use CSP. When we use the csp_nonce() function to generate a nonce, it will be different for every request. But since we use Turbolinks, navigating to other pages will just load the new HTML through AJAX and embed it in the current document. When a new page includes a <script> or <style> tag it will be blocked.
So I was thinking about the following solution:
In ContentSecurityPolicyListener:
public function onKernelRequest(GetResponseEvent $event)
{
    // ..
    if ($event->getRequest()->headers->has('X-CSP-Nonce')) {
        // @todo maybe add some regex validation
        $this->nonce = $event->getRequest()->headers->get('X-CSP-Nonce');
    }
}
Then in my HTML I set this:
<meta name="csp_nonce" content="{{ csp_nonce() }}">
And in my app.js I set something like this:
$.ajaxSetup({
    headers: {
        'X-CSP-NONCE': document.querySelector('meta[name="csp_nonce"]').getAttribute('content'),
    }
})
This works, but what about security? Am I going to do something really stupid/bad?
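The weak point of the sketch above is that the server echoes back whatever nonce the client sends, so the nonce is no longer something only the server chose. The following added example (written for this page, not the bundle's ContentSecurityPolicyListener) keeps the Turbolinks flow working but only honours an X-CSP-Nonce header when it is exactly the nonce this server previously issued to the same session; anything else gets a freshly minted nonce. The session is modelled as a plain array and the header map as a plain array so the code runs offline; both are assumptions of the example.

```php
<?php
// Added example, not NelmioSecurityBundle code: reuse a client-supplied CSP
// nonce only if it is the one the server issued to this session.

const NONCE_BYTES = 16; // 128 bits of randomness -> 24 base64 chars ending in "=="

function mintNonce(array &$session): string
{
    $nonce = base64_encode(random_bytes(NONCE_BYTES));
    $session['csp_nonce'] = $nonce; // remember what we issued, per session
    return $nonce;
}

function resolveNonce(array $headers, array &$session): string
{
    $headers  = array_change_key_case($headers, CASE_LOWER); // header names are case-insensitive
    $issued   = $session['csp_nonce'] ?? null;
    $supplied = $headers['x-csp-nonce'] ?? null;

    // Accept the header only if it is well-formed (base64 of NONCE_BYTES) and
    // identical to the nonce this session was given; hash_equals keeps the
    // comparison constant-time. Otherwise mint a new one: the client never
    // gets to pick the nonce value.
    if ($issued !== null
        && is_string($supplied)
        && preg_match('{^[A-Za-z0-9+/]{22}==$}', $supplied)
        && hash_equals($issued, $supplied)) {
        return $issued;
    }
    return mintNonce($session);
}

function cspHeaderValue(string $nonce): string
{
    return "default-src 'self'; script-src 'self' 'nonce-" . $nonce . "'; "
         . "style-src 'self' 'nonce-" . $nonce . "'";
}

// Usage: full page load mints; the Turbolinks fetch echoes the meta-tag value
// back; a request carrying a nonce the server never issued gets a new one.
$session = [];
$first  = resolveNonce([], $session);
$second = resolveNonce(['X-CSP-NONCE' => $first], $session);
$forged = resolveNonce(['X-CSP-Nonce' => str_repeat('A', 22) . '=='], $session);
var_dump($first === $second); // bool(true): reused across Turbolinks navigation
var_dump($forged !== $first); // bool(true): attacker-chosen value rejected, fresh nonce minted
echo cspHeaderValue($second), "\n";
```

The remaining trade-off is lifetime: a nonce that is stable for the whole session is valid for every page the session loads, so anything that leaks it (for instance a markup injection that exfiltrates the meta tag) is useful to an attacker until the session ends. Rotating the stored nonce on every full (non-XHR) page load bounds that window without breaking Turbolinks navigation in between.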
I'm currently using AWS and my host's SSL handling is done by AWS. So when I use forced_ssl, ForcedSslListener simply causes a redirect loop to the same domain, which is not expected. Can you add proper handling for that?
Sometimes there are cases when you want to use SSL across the board except for a few specific URLs. We'd like to be able to use forced_ssl but when certain URLs are requested we want to ignore "forced ssl" and continue on to http/non-secure.
Reduce attacks by limiting login attempts.
composer.json defines ua-parser/uap-php as a dev dependency. Since version 2.2.0 (commit #815b5d762ae26db93195abc3c7cc1a9f09f75ee7) NelmioSecurityBundle doesn't work out of the box any more with the default configuration.
This happens because the new configuration setting
nelmio_security:
    csp:
        report_endpoint:
            filters:
                browser_bugs: true # default
requires the ua-parser/uap-php library to be installed. That's somehow inconsistent as the other setting that relies on the ua-parser/uap-php library
nelmio_security:
    csp:
        report/enforce:
            browser_adaptive:
                enabled: false # default
is disabled by default. The solution could be to:
- [disable] the browser_bugs filter by default
- [make] browser_bugs dependent on the availability of ua-parser/uap-php
- [require] the ua-parser/uap-php library in composer.json
Does this make any sense?
frame-src is deprecated in favor of child-src
see: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
How do you think we should handle this? child-src is only implemented in CSP Level 2 and also covers web workers, so we can't simply replace frame-src.
Should we just allow both to operate independently?
The value for X-Frame-Options ALLOW FROM uri is misspelled. Instead, it should be ALLOW-FROM uri (see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_X-Frame-Options_Response_Headers).
This is especially needed in browsers not supporting CSP 2.0 and its frame-ancestors directive, like IE (http://caniuse.com/#feat=contentsecuritypolicy2).
According to MDN "The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP".
hstspreload.org emits a "Warning: Unnecessary HSTS header over HTTP" when submitting a domain that delivers an HSTS header via HTTP.
Therefore the HSTS header should not be added to non-secure requests.
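Both the forced_ssl redirect loop behind an AWS load balancer reported earlier and the HSTS-over-HTTP point just above hinge on the same question: did this request actually arrive over TLS? When TLS terminates at a proxy, PHP sees plain HTTP and only X-Forwarded-Proto says otherwise, and that header must only be believed from a trusted proxy, or any client could claim "https" and bypass the redirect. The following is an added example written for this page, not the bundle's ForcedSslListener or HSTS code; the trusted CIDR range, the header names and the 64-bit integer arithmetic are assumptions of the example.

```php
<?php
// Added example, not NelmioSecurityBundle code: decide whether a request is
// secure behind a TLS-terminating proxy, then derive the forced-SSL redirect
// and the HSTS header from that single decision. IPv4 only; assumes 64-bit PHP.

function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false; // malformed or non-IPv4 address: never trusted
    }
    $mask = $bits === '0' ? 0 : ((-1 << (32 - (int) $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function isSecure(array $server, array $trustedProxies): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true; // TLS terminated by the web server PHP runs behind
    }
    // Believe X-Forwarded-Proto only when the direct peer is a trusted proxy.
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($trustedProxies as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            $first = explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0];
            return strtolower(trim($first)) === 'https';
        }
    }
    return false;
}

function forcedSslRedirect(array $server, array $trustedProxies): ?string
{
    if (isSecure($server, $trustedProxies)) {
        return null; // already HTTPS: no redirect, hence no loop
    }
    return 'https://' . $server['HTTP_HOST'] . ($server['REQUEST_URI'] ?? '/');
}

function hstsHeader(array $server, array $trustedProxies, int $maxAge = 31536000): ?string
{
    // Browsers ignore HSTS received over plain HTTP, so emit it only on secure responses.
    return isSecure($server, $trustedProxies)
        ? 'max-age=' . $maxAge . '; includeSubDomains'
        : null;
}

// Constructed sample requests. The private range stands in for the load balancer.
$trusted   = ['10.0.0.0/8'];
$behindElb = ['REMOTE_ADDR' => '10.0.1.7',    'HTTP_X_FORWARDED_PROTO' => 'https',
              'HTTP_HOST' => 'example.com',   'REQUEST_URI' => '/login'];
$spoofed   = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_PROTO' => 'https',
              'HTTP_HOST' => 'example.com',   'REQUEST_URI' => '/login'];
var_dump(forcedSslRedirect($behindElb, $trusted)); // NULL: trusted proxy vouches for https
var_dump(forcedSslRedirect($spoofed, $trusted));   // "https://example.com/login": header ignored
var_dump(hstsHeader($behindElb, $trusted));        // "max-age=31536000; includeSubDomains"
var_dump(hstsHeader($spoofed, $trusted));          // NULL: not secure, no HSTS
```

In a Symfony application the equivalent of the trust check is registering the load balancer with `Request::setTrustedProxies()`, after which `Request::isSecure()` honours X-Forwarded-Proto and listeners keyed on it stop looping; without that registration the header is rightly ignored.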
Is there a possibility now, or could it be added, to exclude adding NelmioSecurityBundle info on responses to API calls? For instance, don't add nosniff and other stuff to responses generated for ^/api?
It is possible to have some policies enforced and others only reported. It might even be possible to enforce policies and still have them reported (need to test this/read the spec).
In the config however I can only choose to enforce or report all policies. This is a problem for legacy applications where you need to test every policy over a longer time until you can be sure to enforce it without breaking anything.
Just a minor suggestion, how about moving the listeners to an EventListener folder?
This would clean-up the main directory a bit.
I configured my app to use Cookie Session Handler and discovered that authentication started breaking. I kept getting "Your session has timed out, or you have disabled cookies.". I traced this issue down to AbstractAuthenticationListener and then to the hasPreviousSession method of Request. I discovered that if I add:
framework:
    session:
        name: session
...the problem disappears. But doing this means that the browser is receiving two cookies named "session". The browser seems to be using the last Set-Cookie: session= when it picks which of the two to send back.
I am wondering if this is how this session handler is meant to be used, or if there is some extra configuration that needs to be done.
I was working on a debug method for the console to check which listeners and subscribers are available. I also included the priorities of the services and I saw that this bundle had priorities that were set way beyond the maximum or minimum values defined by the Symfony docs.
Quote from: http://symfony.com/doc/current/cookbook/service_container/event_listener.html
There is an additional tag option priority that is optional and defaults to 0. This value
can be from -255 to 255, and the listeners will be executed in the order of their priority
(highest to lowest). This is useful when you need to guarantee that one listener is
executed before another.
Is there a reason why the priorities are set so high, because a priority of 10.000 seems exorbitant.
As the title suggests, I need to whitelist a domain before redirecting. What would be the easiest way to do so before
return new RedirectResponse($externalUrl);
?
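One answer to "how do I whitelist a domain before redirecting" is a host allowlist check applied to the target URL right before the RedirectResponse is built. The following added example (written for this page, not the bundle's ExternalRedirectListener) does that and deliberately handles the inputs that defeat naive string checks: scheme-relative `//host` and `/\host` forms, userinfo tricks such as `http://good@evil`, backslashes, case and trailing dots, and non-HTTP schemes. The allowlisted hosts and the `/` fallback are assumptions of the example.

```php
<?php
// Added example, not NelmioSecurityBundle code: only redirect to relative
// paths or to hosts on an explicit allowlist (including their subdomains).

function hostMatches(string $host, string $allowed): bool
{
    if ($host === $allowed) {
        return true;
    }
    $suffix = '.' . $allowed; // subdomain of an allowlisted host
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

function isAllowedRedirect(string $url, array $allowedHosts, string $ownHost): bool
{
    $url = trim($url);
    // A plain relative path stays on this site, but "//" and "/\" are
    // scheme-relative and would leave it, so they fall through to host checks.
    if (preg_match('{^/(?![/\\\\])}', $url)) {
        return true;
    }
    $url = str_replace('\\', '/', $url); // browsers normalise backslashes to slashes
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return false; // javascript:, data:, mailto:, or malformed input
    }
    if (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach (array_merge([$ownHost], $allowedHosts) as $candidate) {
        if (hostMatches($host, strtolower($candidate))) {
            return true;
        }
    }
    return false;
}

function safeRedirectTarget(string $url, array $allowedHosts, string $ownHost, string $fallback = '/'): string
{
    return isAllowedRedirect($url, $allowedHosts, $ownHost) ? $url : $fallback;
}

// Constructed sample inputs.
$allowed = ['partner.example']; // assumption: hosts this app may send users to
$own     = 'app.example';
var_dump(safeRedirectTarget('https://partner.example/x', $allowed, $own));        // kept
var_dump(safeRedirectTarget('https://cdn.partner.example/x', $allowed, $own));    // kept (subdomain)
var_dump(safeRedirectTarget('/account', $allowed, $own));                         // kept (relative)
var_dump(safeRedirectTarget('//evil.example/x', $allowed, $own));                 // "/"
var_dump(safeRedirectTarget('/\evil.example', $allowed, $own));                   // "/"
var_dump(safeRedirectTarget('http://app.example@evil.example/', $allowed, $own)); // "/"
var_dump(safeRedirectTarget('https://app.example.evil.example/', $allowed, $own));// "/"
var_dump(safeRedirectTarget('javascript:alert(1)', $allowed, $own));              // "/"
```

With this in place the controller becomes `return new RedirectResponse(safeRedirectTarget($externalUrl, $allowed, $ownHost));`, and a rejected target lands on a safe internal page instead of being aborted or silently followed.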
I don't want to encrypt my cookies, so I set my config to look like this:
nelmio_security:
    encrypted_cookie:
        names: []
But I get this error:
RuntimeException in Encrypter.php line 27: You need to install mcrypt if you want to encrypt your cookies.
Can I completely disable cookie encryption so that I don't have to install mcrypt?
I'm using Symfony 3 with PHP 7. When using the CookieSessionHandler with signed cookies and no active session I'm getting the following error.
Error: session_start(): Failed to initialize storage module: user (path: )
in var/cache/dev/classes.php at line 112
if (ini_get('session.use_cookies') && headers_sent($file, $line)) {
    throw new \RuntimeException(sprintf('Failed to start the session because headers have already been sent by "%s" at line %d.', $file, $line));
}
if (!session_start()) {
    throw new \RuntimeException('Failed to start the session');
}
$this->loadSession();
The issue seems to be caused by CookieSessionHandler::open(). See also SO-34125849.
As a workaround I just changed the code to this:
// $this->request->cookies->has($this->cookieName);
return true;
As far as I can tell this feature is not working. The remember me cookie remains unsecure.
Hello,
I'm facing an issue when I try to use the report feature of the bundle in the DEV environment: the blocked content generates a URI without the app_dev.php prefix.
I'm using Symfony 3.1.0 with the 2.0.0 version of the bundle.
routing.yml:
# NelmioSecurityBundle
nelmio_security:
    path: /csp/report
    defaults: { _controller: nelmio_security.csp_reporter_controller:indexAction }
    methods: [POST]
config.yml:
nelmio_security:
    csp:
        enforce:
            # see full description below
            level1_fallback: true
            # Only send directives supported by the browser, defaults to false
            # This is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97
            browser_adaptive: false
            report-uri: /csp/report
            connect-src:
                - 'self'
                - 'api.mapbox.com'
                - '*.tiles.mapbox.com'
            default-src:
                - 'self'
            font-src:
                - 'self'
                - 'fonts.gstatic.com'
            img-src:
                - 'self'
                - 'data:' # Allows data: URIs to be used as a content source (@see https://developer.mozilla.org/fr/docs/Web/Security/CSP/CSP_policy_directives#Data)
                - '*.tiles.mapbox.com'
            script-src:
                - 'self'
                - 'www.google-analytics.com'
                - 'api.tiles.mapbox.com'
            style-src:
                - 'self'
                - 'unsafe-inline' # Because of the FancyBox Javascript library
                - 'fonts.googleapis.com'
                - 'api.tiles.mapbox.com'
            block-all-mixed-content: true # Default to false, blocks http content over https transport
            # upgrade-insecure-requests: true # Default to false, upgrades http requests to https transport
        report:
            # see full description below
            level1_fallback: true
            # Only send directives supported by the browser, defaults to false
            # This is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97
            browser_adaptive: false
            report-uri: /csp/report
            script-src:
                - 'self'
As proposed in #129 (comment)
Requirements of "nelmio/security-bundle": "^2.1" allow the bundle to be installed with "twig/twig": "^2.1". Unfortunately, NelmioSecurityBundle seems not yet to be ready to be used with twig 2.x.
As soon as I add the following to my configuration
nelmio_security:
    csp:
        enabled: true
and access a page which has {% cspscript %}<script>//...</script>{% endcspscript %}
code fragment in it, the following exception is thrown: Type error: Argument 1 passed to Nelmio\SecurityBundle\Twig\Node\CSPNode::__construct() must be an instance of Twig_NodeInterface, instance of Twig_Node given, called in .../vendor/nelmio/security-bundle/Twig/TokenParser/AbstractCSPParser.php on line 43
A quick look in the related classes proved that the transmitted CSPNode extends \Twig_Node. While in twig 1.6 Twig_Node implements Twig_NodeInterface as expected, in twig 2.0 Twig_Node implements Countable, IteratorAggregate only.
I have no idea why this changed in twig 2.0, possibly this is a bug in twig instead of nelmio/NelmioSecurityBundle. If not, nelmio/NelmioSecurityBundle should correct the requirements to not use twig 2.0.
They don't seem to be needed in newer Chrome versions, and the iOS and Safari versions seem new enough.
to control MIME sniffing.
see: symfony/symfony#8515 (comment)
Hello,
I'm new with this bundle; it's the first time I use it. I uploaded and installed it in my project (Symfony 3.2) and after adding the config.yml, I lost the link with my assets (CSS, JS, IMG...).
What happened? Here is my config:
nelmio_security:
    # signs/verifies all cookies
    signed_cookie:
        names: ['*']
    # prevents framing of the entire site
    clickjacking:
        paths:
            '^/.*': DENY
    # prevents redirections outside the website's domain
    external_redirects:
        abort: true
        log: true
    # prevents inline scripts, unsafe eval, external scripts/images/styles/frames, etc
    csp:
        hosts: []
        content_types: []
        enforce:
            level1_fallback: false
            browser_adaptive:
                enabled: false
            report-uri: %router.request_context.base_url%/nelmio/csp/report
            default-src:
                - 'none'
            script-src:
                - 'self'
            block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport
            # upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport
    # disables content type sniffing for script resources
    content_type:
        nosniff: false
    # forces Microsoft's XSS-Protection with
    # its block mode
    xss_protection:
        enabled: true
        mode_block: true
    # Send a full URL in the `Referer` header when performing a same-origin request,
    # only send the origin of the document to secure destination (HTTPS->HTTPS),
    # and send no header to a less secure destination (HTTPS->HTTP).
    # If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy,
    # no referrer information is sent along with requests.
    referrer_policy:
        enabled: true
        policies:
            - 'no-referrer'
            - 'strict-origin-when-cross-origin'
I have my content security policy set as follows:
nelmio_security:
    # prevents framing of the entire site
    clickjacking:
        paths:
            '^/.*': DENY
    # prevents redirections outside the website's domain
    external_redirects:
        log: true
        override: homepage
    # prevents inline scripts, unsafe eval, external scripts/images/styles/frames, etc
    csp:
        report_uri: /nelmio/csp/report
        report_only: false
        default: [ self ]
        frame: [ 'https://www.youtube.com' ]
        script:
            - self
            - 'https://www.google-analytics.com'
            - 'http://www.google-analytics.com'
        img:
            - self
            - 'https://www.google-analytics.com'
            - 'http://www.google-analytics.com'
    # disables content type sniffing for script resources
    content_type:
        nosniff: true
So, the CSP setting should not be blocking scripts, CSS, and JavaScript from loading on the page. However, my first-generation iPad, running iOS 5.1.1 (the last supported version on that iPad), is not loading any of these assets due to my content security policy; this happens in both Chrome and Safari.
My last resort would be disabling the content security policy for any iOS devices; is there a way to do this? However, I would like to be able to make this work across all versions of devices.
I discovered this bundle only today and it looks incredibly helpful. The biggest omission seems to be a way to log CSP violations. Would that be something you're willing to add? If so I'd be happy to write it.
Spec: http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20
A simpler writeup: https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html
Mozilla's take: https://blog.mozilla.org/security/2014/09/02/public-key-pinning/
I might give it a go at implementation, but currently it only truly works in Chrome, and even then, we'll need to wait for the next stable build for it to work correctly alongside HSTS due to https://code.google.com/p/chromium/issues/detail?id=444511
I'd submit a first draft at a PR, but i wonder where it should go.