26462536749

Committed 26 May 2026 04:53PM UTC coverage: 83.183%. First build

Build Type

push

github

Committed by

Commit Message

added RequestFactory::setForceHttps()

Coverage Stats

8 of 9 new or added lines in 2 files covered. (88.89%)

920 of 1106 relevant lines covered (83.18%)

0.83 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

71.43

/src/Bridges/HttpDI/HttpExtension.php

<?php declare(strict_types=1);

/**
 * This file is part of the Nette Framework (https://nette.org)
 * Copyright (c) 2004 David Grudl (https://davidgrudl.com)
 */

namespace Nette\Bridges\HttpDI;

use Nette;
use Nette\Schema\Expect;
use function is_array, strval;


/**
 * HTTP extension for Nette DI.
 *
 * @property object{
 *     proxy: array<string>,
 *     forceHttps: bool,
 *     headers: array<string, ?scalar>,
 *     frames: string|bool|null,
 *     csp: array<string, array<mixed>|scalar|null>,
 *     cspReportOnly: array<string, array<mixed>|scalar|null>,
 *     featurePolicy: array<string, array<mixed>|scalar|null>,
 *     cookiePath: ?string,
 *     cookieDomain: ?string,
 *     cookieSecure: bool|'auto'|null,
 *     disableNetteCookie: bool,
 * } $config
 */
class HttpExtension extends Nette\DI\CompilerExtension
{
        public function __construct(
                private readonly bool $cliMode = false,
        ) {
        }


        public function getConfigSchema(): Nette\Schema\Schema
        {
                return Expect::structure([
                        'proxy' => Expect::anyOf(Expect::arrayOf('string'), Expect::string()->castTo('array'))->firstIsDefault()->dynamic(),
                        'forceHttps' => Expect::bool(false)->dynamic(),
                        'headers' => Expect::arrayOf('scalar|null')->default([
                                'X-Powered-By' => 'Nette Framework 3',
                                'Content-Type' => 'text/html; charset=utf-8',
                        ])->mergeDefaults(),
                        'frames' => Expect::anyOf(Expect::string(), Expect::bool(), null)->default('SAMEORIGIN'), // X-Frame-Options
                        'csp' => Expect::arrayOf('array|scalar|null'), // Content-Security-Policy
                        'cspReportOnly' => Expect::arrayOf('array|scalar|null'), // Content-Security-Policy-Report-Only
                        'featurePolicy' => Expect::arrayOf('array|scalar|null'), // Feature-Policy
                        'cookiePath' => Expect::string()->dynamic(),
                        'cookieDomain' => Expect::string()->dynamic(),
                        'cookieSecure' => Expect::anyOf('auto', null, true, false)->firstIsDefault()->dynamic(), // Whether the cookie is available only through HTTPS
                        'disableNetteCookie' => Expect::bool(false), // disables cookie use by Nette
                ]);
        }


        public function loadConfiguration(): void
        {
                $builder = $this->getContainerBuilder();
                $config = $this->config;

                $requestFactory = $builder->addDefinition($this->prefix('requestFactory'))
                        ->setFactory(Nette\Http\RequestFactory::class)
                        ->addSetup('setProxy', [$config->proxy]);

                if ($config->forceHttps) {
                        $requestFactory->addSetup('setForceHttps');
                }

                $request = $builder->addDefinition($this->prefix('request'))
                        ->setFactory('@Nette\Http\RequestFactory::fromGlobals');

                $response = $builder->addDefinition($this->prefix('response'))
                        ->setFactory(Nette\Http\Response::class);

                if ($config->cookiePath !== null) {
                        $response->addSetup('$cookiePath', [$config->cookiePath]);
                }

                if ($config->cookieDomain !== null) {
                        $value = $config->cookieDomain === 'domain'
                                ? $builder::literal('$this->getService(?)->getUrl()->getDomain(2)', [$request->getName()])
                                : $config->cookieDomain;
                        $response->addSetup('$cookieDomain', [$value]);
                }

                if ($config->cookieSecure !== null) {
                        $value = $config->cookieSecure === 'auto'
                                ? $builder::literal('$this->getService(?)->isSecured()', [$request->getName()])
                                : $config->cookieSecure;
                        $response->addSetup('$cookieSecure', [$value]);
                }

                if ($this->name === 'http') {
                        $builder->addAlias('nette.httpRequestFactory', $this->prefix('requestFactory'));
                        $builder->addAlias('httpRequest', $this->prefix('request'));
                        $builder->addAlias('httpResponse', $this->prefix('response'));
                }

                if (!$this->cliMode) {
                        $this->sendHeaders();
                }
        }


        private function sendHeaders(): void
        {
                $config = $this->config;
                $headers = array_map(strval(...), $config->headers);

                if (isset($config->frames) && $config->frames !== true && !isset($headers['X-Frame-Options'])) {
                        $frames = $config->frames;
                        if ($frames === false) {
                                $frames = 'DENY';
                        } elseif (preg_match('#^https?:#', $frames)) {
                                $frames = "ALLOW-FROM $frames";
                        }

                        $headers['X-Frame-Options'] = $frames;
                }

                foreach (['csp', 'cspReportOnly'] as $key) {
                        if (empty($config->$key)) {
                                continue;
                        }

                        $value = self::buildPolicy($config->$key);
                        if (str_contains($value, "'nonce'")) {
                                $this->initialization->addBody('$cspNonce = base64_encode(random_bytes(16));');
                                $value = Nette\DI\ContainerBuilder::literal(
                                        'str_replace(?, ? . $cspNonce, ?)',
                                        ["'nonce", "'nonce-", $value],
                                );
                        }

                        $headers['Content-Security-Policy' . ($key === 'csp' ? '' : '-Report-Only')] = $value;
                }

                if (!empty($config->featurePolicy)) {
                        $headers['Feature-Policy'] = self::buildPolicy($config->featurePolicy);
                }

                $this->initialization->addBody('$response = $this->getService(?);', [$this->prefix('response')]);
                foreach ($headers as $key => $value) {
                        if ($value !== '') {
                                $this->initialization->addBody('$response->setHeader(?, ?);', [$key, $value]);
                        }
                }

                if (!$config->disableNetteCookie) {
                        $this->initialization->addBody(
                                'Nette\Http\Helpers::initCookie($this->getService(?), $response);',
                                [$this->prefix('request')],
                        );
                }
        }


        /** @param array<string, array<mixed>|scalar|null>  $config */
        private static function buildPolicy(array $config): string
        {
                $nonQuoted = ['require-sri-for' => 1, 'sandbox' => 1];
                $value = '';
                foreach ($config as $type => $policy) {
                        if ($policy === false) {
                                continue;
                        }

                        $policy = $policy === true ? [] : (array) $policy;
                        $value .= $type;
                        foreach ($policy as $item) {
                                if (is_array($item)) {
                                        $item = key($item) . ':';
                                }

                                $value .= !isset($nonQuoted[$type]) && preg_match('#^[a-z-]+$#D', $item)
                                        ? " '$item'"
                                        : " $item";
                        }

                        $value .= '; ';
                }

                return $value;
        }
}

1	<?php declare(strict_types=1);
2
3	/**
4	* This file is part of the Nette Framework (https://nette.org)
5	* Copyright (c) 2004 David Grudl (https://davidgrudl.com)
6	*/
7
8	namespace Nette\Bridges\HttpDI;
9
10	use Nette;
11	use Nette\Schema\Expect;
12	use function is_array, strval;
13
14
15	/**
16	* HTTP extension for Nette DI.
17	*
18	* @property object{
19	* proxy: array<string>,
20	* forceHttps: bool,
21	* headers: array<string, ?scalar>,
22	* frames: string\|bool\|null,
23	* csp: array<string, array<mixed>\|scalar\|null>,
24	* cspReportOnly: array<string, array<mixed>\|scalar\|null>,
25	* featurePolicy: array<string, array<mixed>\|scalar\|null>,
26	* cookiePath: ?string,
27	* cookieDomain: ?string,
28	* cookieSecure: bool\|'auto'\|null,
29	* disableNetteCookie: bool,
30	* } $config
31	*/
32	class HttpExtension extends Nette\DI\CompilerExtension
33	{
34	public function __construct(	1✔
35	private readonly bool $cliMode = false,
36	) {
37	}	1✔
38
39
40	public function getConfigSchema(): Nette\Schema\Schema
41	{
42	return Expect::structure([	1✔
43	'proxy' => Expect::anyOf(Expect::arrayOf('string'), Expect::string()->castTo('array'))->firstIsDefault()->dynamic(),	1✔
44	'forceHttps' => Expect::bool(false)->dynamic(),	1✔
45	'headers' => Expect::arrayOf('scalar\|null')->default([	1✔
46	'X-Powered-By' => 'Nette Framework 3',	1✔
47	'Content-Type' => 'text/html; charset=utf-8',
48	])->mergeDefaults(),	1✔
49	'frames' => Expect::anyOf(Expect::string(), Expect::bool(), null)->default('SAMEORIGIN'), // X-Frame-Options	1✔
50	'csp' => Expect::arrayOf('array\|scalar\|null'), // Content-Security-Policy	1✔
51	'cspReportOnly' => Expect::arrayOf('array\|scalar\|null'), // Content-Security-Policy-Report-Only	1✔
52	'featurePolicy' => Expect::arrayOf('array\|scalar\|null'), // Feature-Policy	1✔
53	'cookiePath' => Expect::string()->dynamic(),	1✔
54	'cookieDomain' => Expect::string()->dynamic(),	1✔
55	'cookieSecure' => Expect::anyOf('auto', null, true, false)->firstIsDefault()->dynamic(), // Whether the cookie is available only through HTTPS	1✔
56	'disableNetteCookie' => Expect::bool(false), // disables cookie use by Nette	1✔
57	]);
58	}
59
60
61	public function loadConfiguration(): void
62	{
63	$builder = $this->getContainerBuilder();	1✔
64	$config = $this->config;	1✔
65
66	$requestFactory = $builder->addDefinition($this->prefix('requestFactory'))	1✔
67	->setFactory(Nette\Http\RequestFactory::class)	1✔
68	->addSetup('setProxy', [$config->proxy]);	1✔
69
70	if ($config->forceHttps) {	1✔
NEW 71	$requestFactory->addSetup('setForceHttps');	×
72	}
73
74	$request = $builder->addDefinition($this->prefix('request'))	1✔
75	->setFactory('@Nette\Http\RequestFactory::fromGlobals');	1✔
76
77	$response = $builder->addDefinition($this->prefix('response'))	1✔
78	->setFactory(Nette\Http\Response::class);	1✔
79
80	if ($config->cookiePath !== null) {	1✔
81	$response->addSetup('$cookiePath', [$config->cookiePath]);	1✔
82	}
83
84	if ($config->cookieDomain !== null) {	1✔
85	$value = $config->cookieDomain === 'domain'	1✔
86	? $builder::literal('$this->getService(?)->getUrl()->getDomain(2)', [$request->getName()])	1✔
87	: $config->cookieDomain;	1✔
88	$response->addSetup('$cookieDomain', [$value]);	1✔
89	}
90
91	if ($config->cookieSecure !== null) {	1✔
92	$value = $config->cookieSecure === 'auto'	1✔
93	? $builder::literal('$this->getService(?)->isSecured()', [$request->getName()])	1✔
94	: $config->cookieSecure;	1✔
95	$response->addSetup('$cookieSecure', [$value]);	1✔
96	}
97
98	if ($this->name === 'http') {	1✔
99	$builder->addAlias('nette.httpRequestFactory', $this->prefix('requestFactory'));	1✔
100	$builder->addAlias('httpRequest', $this->prefix('request'));	1✔
101	$builder->addAlias('httpResponse', $this->prefix('response'));	1✔
102	}
103
104	if (!$this->cliMode) {	1✔
105	$this->sendHeaders();	1✔
106	}
107	}	1✔
108
109
110	private function sendHeaders(): void
111	{
112	$config = $this->config;	1✔
113	$headers = array_map(strval(...), $config->headers);	1✔
114
115	if (isset($config->frames) && $config->frames !== true && !isset($headers['X-Frame-Options'])) {	1✔
116	$frames = $config->frames;	1✔
117	if ($frames === false) {	1✔
118	$frames = 'DENY';	×
119	} elseif (preg_match('#^https?:#', $frames)) {	1✔
120	$frames = "ALLOW-FROM $frames";	×
121	}
122
123	$headers['X-Frame-Options'] = $frames;	1✔
124	}
125
126	foreach (['csp', 'cspReportOnly'] as $key) {	1✔
127	if (empty($config->$key)) {	1✔
128	continue;	1✔
129	}
130
131	$value = self::buildPolicy($config->$key);	×
132	if (str_contains($value, "'nonce'")) {	×
133	$this->initialization->addBody('$cspNonce = base64_encode(random_bytes(16));');	×
134	$value = Nette\DI\ContainerBuilder::literal(	×
135	'str_replace(?, ? . $cspNonce, ?)',	×
136	["'nonce", "'nonce-", $value],	×
137	);
138	}
139
140	$headers['Content-Security-Policy' . ($key === 'csp' ? '' : '-Report-Only')] = $value;	×
141	}
142
143	if (!empty($config->featurePolicy)) {	1✔
144	$headers['Feature-Policy'] = self::buildPolicy($config->featurePolicy);	×
145	}
146
147	$this->initialization->addBody('$response = $this->getService(?);', [$this->prefix('response')]);	1✔
148	foreach ($headers as $key => $value) {	1✔
149	if ($value !== '') {	1✔
150	$this->initialization->addBody('$response->setHeader(?, ?);', [$key, $value]);	1✔
151	}
152	}
153
154	if (!$config->disableNetteCookie) {	1✔
155	$this->initialization->addBody(	1✔
156	'Nette\Http\Helpers::initCookie($this->getService(?), $response);',	1✔
157	[$this->prefix('request')],	1✔
158	);
159	}
160	}	1✔
161
162
163	/** @param array<string, array<mixed>\|scalar\|null> $config */
164	private static function buildPolicy(array $config): string
165	{
166	$nonQuoted = ['require-sri-for' => 1, 'sandbox' => 1];	×
167	$value = '';	×
168	foreach ($config as $type => $policy) {	×
169	if ($policy === false) {	×
170	continue;	×
171	}
172
173	$policy = $policy === true ? [] : (array) $policy;	×
174	$value .= $type;	×
175	foreach ($policy as $item) {	×
176	if (is_array($item)) {	×
177	$item = key($item) . ':';	×
178	}
179
180	$value .= !isset($nonQuoted[$type]) && preg_match('#^[a-z-]+$#D', $item)	×
181	? " '$item'"	×
182	: " $item";	×
183	}
184
185	$value .= '; ';	×
186	}
187
188	return $value;	×
189	}
190	}

nette / http / 26462536749

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous