Moving Security HealthChecks to Abstractions proj

elitsa
2020-01-27 16:38:02 +01:00
parent 8c6281cb6d
commit c624919710
6 changed files with 19 additions and 12 deletions

@@ -7,7 +7,7 @@ using System.Text.RegularExpressions;
using System.Xml.Linq;
using System.Xml.XPath;
using Umbraco.Core;
using Umbraco.Web.Composing;
using Umbraco.Core.IO;
using Umbraco.Core.Services;
namespace Umbraco.Web.HealthCheck.Checks.Security
@@ -23,19 +23,21 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
private readonly string _value;
private readonly string _localizedTextPrefix;
private readonly bool _metaTagOptionAvailable;
private readonly IIOHelper _ioHelper;
protected BaseHttpHeaderCheck(
IRuntimeState runtime,
ILocalizedTextService textService,
string header, string value, string localizedTextPrefix, bool metaTagOptionAvailable)
string header, string value, string localizedTextPrefix, bool metaTagOptionAvailable, IIOHelper ioHelper)
{
Runtime = runtime;
TextService = textService ?? throw new ArgumentNullException(nameof(textService));
_ioHelper = ioHelper;
_header = header;
_value = value;
_localizedTextPrefix = localizedTextPrefix;
_metaTagOptionAvailable = metaTagOptionAvailable;
}
/// <summary>
@@ -168,7 +170,7 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
{
// There don't look to be any useful classes defined in https://msdn.microsoft.com/en-us/library/system.web.configuration(v=vs.110).aspx
// for working with the customHeaders section, so working with the XML directly.
var configFile = Current.IOHelper.MapPath("~/Web.config");
var configFile = _ioHelper.MapPath("~/Web.config");
var doc = XDocument.Load(configFile);
var systemWebServerElement = doc.XPathSelectElement("/configuration/system.webServer");
var httpProtocolElement = systemWebServerElement.Element("httpProtocol");
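Review bot: `_ioHelper = ioHelper;` in the BaseHttpHeaderCheck constructor stores the new dependency without a null check, although `textService` on the line before it is guarded. A null helper would only surface later as a NullReferenceException at `_ioHelper.MapPath("~/Web.config")` in the last hunk, inside a method whose signature is outside the hunk, so the security check would fail at run time rather than at composition. I would fail at construction instead: `_ioHelper = ioHelper ?? throw new ArgumentNullException(nameof(ioHelper));`. Appending a parameter to this protected constructor also breaks any subclass other than the four updated in this commit, which deserves a mention in the commit description.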

@@ -1,4 +1,5 @@
using Umbraco.Core;
using Umbraco.Core.IO;
using Umbraco.Core.Services;
namespace Umbraco.Web.HealthCheck.Checks.Security
@@ -10,8 +11,8 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
Group = "Security")]
public class ClickJackingCheck : BaseHttpHeaderCheck
{
public ClickJackingCheck(IRuntimeState runtime, ILocalizedTextService textService)
: base(runtime, textService, "X-Frame-Options", "sameorigin", "clickJacking", true)
public ClickJackingCheck(IRuntimeState runtime, ILocalizedTextService textService, IIOHelper ioHelper)
: base(runtime, textService, "X-Frame-Options", "sameorigin", "clickJacking", true, ioHelper)
{
}
}

@@ -1,4 +1,5 @@
using Umbraco.Core;
using Umbraco.Core.IO;
using Umbraco.Core.Services;
namespace Umbraco.Web.HealthCheck.Checks.Security
@@ -15,8 +16,8 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
// and the blog post of Troy Hunt (https://www.troyhunt.com/understanding-http-strict-transport/)
// If you want do to it perfectly, you have to submit it https://hstspreload.org/,
// but then you should include subdomains and I wouldn't suggest to do that for Umbraco-sites.
public HstsCheck(IRuntimeState runtime, ILocalizedTextService textService)
: base(runtime, textService, "Strict-Transport-Security", "max-age=10886400", "hSTS", true)
public HstsCheck(IRuntimeState runtime, ILocalizedTextService textService, IIOHelper ioHelper)
: base(runtime, textService, "Strict-Transport-Security", "max-age=10886400", "hSTS", true, ioHelper)
{
}
}

@@ -1,4 +1,5 @@
using Umbraco.Core;
using Umbraco.Core.IO;
using Umbraco.Core.Services;
namespace Umbraco.Web.HealthCheck.Checks.Security
@@ -10,8 +11,8 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
Group = "Security")]
public class NoSniffCheck : BaseHttpHeaderCheck
{
public NoSniffCheck(IRuntimeState runtime, ILocalizedTextService textService)
: base(runtime, textService, "X-Content-Type-Options", "nosniff", "noSniff", false)
public NoSniffCheck(IRuntimeState runtime, ILocalizedTextService textService, IIOHelper ioHelper)
: base(runtime, textService, "X-Content-Type-Options", "nosniff", "noSniff", false, ioHelper)
{
}
}

@@ -1,4 +1,5 @@
using Umbraco.Core;
using Umbraco.Core.IO;
using Umbraco.Core.Services;
namespace Umbraco.Web.HealthCheck.Checks.Security
@@ -15,8 +16,8 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
// and the blog post of Troy Hunt (https://www.troyhunt.com/understanding-http-strict-transport/)
// If you want do to it perfectly, you have to submit it https://hstspreload.appspot.com/,
// but then you should include subdomains and I wouldn't suggest to do that for Umbraco-sites.
public XssProtectionCheck(IRuntimeState runtime, ILocalizedTextService textService)
: base(runtime, textService, "X-XSS-Protection", "1; mode=block", "xssProtection", true)
public XssProtectionCheck(IRuntimeState runtime, ILocalizedTextService textService, IIOHelper ioHelper)
: base(runtime, textService, "X-XSS-Protection", "1; mode=block", "xssProtection", true, ioHelper)
{
}
}
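Review bot: The comment block above the XssProtectionCheck constructor looks copied from HstsCheck: it talks about Strict-Transport-Security and HSTS preload submission, none of which applies to X-XSS-Protection. Since the constructor is edited here, I would replace it with a comment that describes this check, for example `// Verifies that X-XSS-Protection is sent with the value "1; mode=block".`. It may also be worth noting there that current browsers have dropped the XSS filter this header controls, so a passing check should not be read as XSS protection by itself. The comment and the class declaration both start outside the hunk.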

@@ -26,6 +26,7 @@
</ItemGroup>
<ItemGroup>
<Folder Include="HealthCheck\NotificationMethods\" />
<Folder Include="Logging\Viewer" />
<Folder Include="Migrations\Upgrade\V_8_6_0" />
</ItemGroup>